Thursday 15 January 2015

Storage Security

Many organizations face the challenge of implementing data protection and security measures to meet a wide range of requirements, including statutory and regulatory compliance. Too often the security associated with storage systems and infrastructure has been missed because of misconceptions and limited familiarity with the storage technology, or in the case of storage managers and administrators, a limited understanding of the inherent risks or basic security concepts. The net result of this situation is that digital assets are needlessly placed at risk of compromise due to data breaches, intentional corruption, being held hostage, or other malicious events.

Data storage has matured in an environment where security has been a secondary concern due to its historical reliance on isolated connectivity, specialized technologies, and the physical security of data centers. Even as storage connectivity evolved to use technologies such as storage protocols over Transmission Control Protocol/Internet Protocol (TCP/IP), few users took advantage of either the inherent security mechanisms or the recommended security measures.

ISO/IEC 27040:2015 provides detailed technical guidance on how organizations can define an appropriate level of risk mitigation by employing a well-proven and consistent approach to the planning, design, documentation, and implementation of data storage security. Storage security applies to the protection (security) of information where it is stored and to the security of the information being transferred across the communication links associated with storage. Storage security includes the security of devices and media, the security of management activities related to the devices and media, the security of applications and services, and security relevant to end-users during the lifetime of devices and media and after end of use.

Storage security is relevant to anyone involved in owning, operating, or using data storage devices, media, and networks. This includes senior managers, acquirers of storage products and services, and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information security or storage security, for storage operation, or for an organization's overall security program and security policy development. It is also relevant to anyone involved in the planning, design, and implementation of the architectural aspects of storage network security.

ISO/IEC 27040:2015 provides an overview of storage security concepts and related definitions. It includes guidance on the threat, design, and control aspects associated with typical storage scenarios and storage technology areas. In addition, it provides references to other International Standards and technical reports that address existing practices and techniques that can be applied to storage security.

Monday 3 November 2014

New standards for cloud computing

The International Organization for Standardization (ISO) has released two new standards for cloud computing, in order to bring order to chaos.
ISO released both standards on October 15th. The first, ISO/IEC 17788, a 16-page overview titled Cloud computing – Overview and vocabulary, provides definitions of common cloud computing terms, including those for cloud service categories such as Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). It also specifies the terminology for cloud deployment models such as "public" and "private" cloud. The second, ISO/IEC 17789, Cloud computing – Reference architecture, is more technical in nature and contains diagrams and descriptions of how the various aspects of cloud computing relate to one another.

The National Institute of Standards and Technology (NIST) defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources...that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Whereas the NIST definition offers only platform as a service, software as a service and infrastructure as a service, the ISO standard defines seven distinct cloud service categories, including network as a service (NaaS) and data storage as a service (DSaaS). Similarly, ISO expands on NIST's 2011 definition of cloud deployment models, adding community cloud to public, private and hybrid.

We are expecting, at the end of 2015, some complementary guidelines on the hot issue of cloud security, as described in ISO/IEC CD 27017, Code of practice for information security controls based on ISO/IEC 27002 for cloud computing services. Until then, drop a comment as to what you consider a security challenge for cloud services.