Data storage professionals may not be accustomed to dealing with data security and privacy issues like due diligence, but with the European Union's General Data Protection Regulation about to take effect, many will need to learn some new concepts.
That's what makes a new white paper from the Storage Networking Industry Association especially timely, Eric Hibbard, chair of SNIA's Security Technical Work Group, told me in an interview. SNIA, a nonprofit focused on developing storage standards and best practices, put together a document that provides guidance on data protection, specifically as it relates to storage.
"The storage industry has for many years been insulated from having to worry about traditional security and, to a lesser degree, the privacy issues," Hibbard said. "With GDPR, the definition of a data breach moved from unauthorized access to include things like unauthorized data destruction or corruption. Why is that important to storage professionals? If you make an update to a storage system that causes corruption of data, and if that's the only copy of that data, it could constitute a data breach under GDPR. That's the kind of thing we want to make sure the storage industry and consumers are aware of."
The GDPR, which sets mandatory requirements for businesses, becomes enforceable May 25. It applies to any business storing data of EU citizens.
The white paper builds on the ISO/IEC 27040 storage security standard, which doesn't directly address data protection, by providing specific guidance on topics such as data classification, retention and preservation, data authenticity and integrity, monitoring and auditing, and data disposition/sanitization.
For example, the issue of data preservation, retention, and archiving is barely touched on in the standard, so the paper expands on that and explains what the potential security issues are from a storage perspective, said Hibbard, who holds several certifications, including CISSP-ISSAP, and serves roles in other industry groups such as the Cloud Security Alliance.
The paper explains the importance of due diligence and due care, concepts that storage managers aren't used to dealing with, Hibbard said.
"In many instances, the regulations associated with data protection of personal data or PII (privacy) do not include details on the specific security controls that must be used," SNIA wrote in its paper. "Instead, organizations are required to implement appropriate technical and organizational measures that meet their obligations to mitigate risks based on the context of their operations. Put another way, organizations must exercise sufficient due care and due diligence to avoid running afoul of the regulations."
Failure to take steps to understand and address data exposure risks can demonstrate lack of due care and due diligence, the paper warns, adding: "Storage systems and ecosystems are such integral parts of ICT infrastructure that these concepts frequently apply, but this situation may not be understood by storage managers and administrators who are responsible and accountable."
One of the components of due diligence is data disposition and sanitization. "When you're done with data, how do you make sure it actually goes away so that it doesn't become a source of a data breach?" Hibbard said.
The SNIA paper spends some time defining data protection, noting that the term means different things depending on whether someone works in storage, privacy, or information security. SNIA defines data protection as "assurance that data is not corrupted, is accessible for authorized purposes only, and is in compliance with applicable requirements."
The association's Storage Security: Data Protection white paper is one of many it produces, all of which are freely available. Other papers cover topics such as cloud storage, Ethernet storage, hyperscaler storage, and software-defined storage.