Storage Security Update for Developers

2023 has been an interesting and challenging year for storage security. The cyber threat landscape has witnessed large numbers of attacks impacting data and increased nation state activities directed at critical infrastructure. The regulatory landscape is undergoing change as well and potentially imposing requirements that necessitate adjustments to security capabilities, controls, and practices to reflect new realities. By the end of 2023 there will be significant changes to security standards and specifications relevant to storage.

How to use an Encryption Key per IO

The Key Per IO (KPIO) project was a joint initiative between NVM Express® and the Trusted Computing Group (TCG) Storage Work Group to define a new KPIO Security Subsystem Class (SSC) under TCG Opal SSC for the NVMe® class of storage devices. Self-Encrypting Drives (SEDs) perform continuous encryption on user-accessible data based on contiguous LBA ranges per namespace. This is done at interface speeds using a small number of keys generated and held in persistent media by the storage device. KPIO allows a large number of encryption keys to be managed and securely downloaded into the NVM subsystem.

An Introduction to the IEEE Security in Storage Working Group

The IEEE Security In Storage Work Group (SISWG) produces standards that many storage developers, storage vendors, and storage system operators care about, including:

a) A family of standards on sanitization: the IEEE 2883 family
b) A family of standards on encryption methods for storage components: the IEEE 1619 family
c) A standard on Discovery, Authentication, and Authorization in Host Attachments of Storage Devices: the IEEE 1667 specification

IEEE has a different work group (IEEE P3172) focusing on post-quantum cryptography, but when they are done, a family method that recommends new q

Data Immutability – Retention Locking/WORM

Data immutability and retention locking have gained enormous traction over the last many years owing to a severe surge in the number of cyber and ransomware attacks. This presentation covers many aspects of data immutability and retention locking/WORM in the backup ecosystem. It talks about regulatory requirements for long-term data retention, variants of retention locking, the dual authorization model and the role of the security officer, various attributes of retention locking, integration of backup applications with retention locking, and retention locking in replication and cloud storage.

Storage Sanitization - Why, When, and How

Operators of data storage systems are legally obligated to protect customer data, and can be subject to significant penalties. This presentation will explore existing and upcoming standards to show the best practices for sanitizing customer data. These standards will include IEEE 2883-2022 and ISO/IEC 27040, and the presentation will describe current work on new standards.

The audience for this presentation includes developers and users of data storage systems, as well as developers of software utilizing those systems.

Build FIPS into Your Storage Products

Selling to the US Government can require getting FIPS (Federal Information Processing Standards) certification. Many storage products are based on Linux and Open Source code, which by themselves do not promise compliance with any standards. Sometimes the storage protocols themselves are incompatible with the required FIPS-140 standards. Sometimes the Open Source code is old enough that it still hand-crafts its own crypto code (dating from a time when the US Government tried to restrict some crypto algorithms).

SPDM: Updates for Storage & PQC (Post Quantum Cryptography)

This session will cover an update on DMTF's SPDM (Security Protocol & Data Model), including their strategy to support PQC (Post Quantum Cryptography). DMTF is adding bindings for storage (NVMe, SAS & SATA) as well as TCP, and those will be covered as well for encryption of data in flight. Also covered will be updates to SPDM as well as the current roadmap of future releases.