Storage Security Year in Review
Eric Hibbard, CISSP, FIP, CISA
Samsung Semiconductor, Inc.
2024 SNIA. All Rights Reserved.

Threat Summary
- Ransomware with data exfiltration (hybrid attacks)
- Supply chain attacks (service providers)
- Cyber attacks:
  - Critical infrastructure (nation state actors)
  - Healthcare, banking & finance, or government (organized crime)
- Data breaches (new malware, vulnerabilities, etc.)
- AI is emerging as a new tool for attackers

Standards and Industry Players

ISO/IEC 27040:2024-01 (Storage security)
- Comprehensive coverage of storage security
- Includes both requirements and guidance (includes auditor checklists)
- Covers organizational, people, physical, and technological controls
- Defers to IEEE Std 2883 for media-specific sanitization (old Annex A removed); verification and cryptographic erase clarified
- Many new controls (e.g., IPMI, NVMe-oF, storage systems security, data archives and repositories, and cyber-attack recoveries)
- ISO/IEC 27002:2022 references ISO/IEC 27040 for backup security and media sanitization, resulting in increased visibility of storage security

IEEE Security in Storage (SISWG)
- Building upon IEEE 2883-2022 (Storage Sanitization):
  - Draft P2883.1 Recommended Practice for Use of Storage Sanitization Methods
  - Draft P2883.2 Recommended Practice for Virtualized and Cloud Storage Sanitization
  - Draft P3406 Standard for a Purge and Destruct Sanitization Framework
- P1667 Standard for Discovery, Authentication, and Authorization in Host Attachments of Storage Devices (Revision)
- Revision of IEEE 1619 (XTS-AES):
  - Draft P1619 Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices
  - Working with NIST for a future update of NIST SP 800-38E