NIST SP 800-209 Security Guidelines for Storage (2)
Introduction
Due to concerns about the length of the previous article NIST SP 800-209 Security Guidelines for Storage (1) Threats and Risks, a new post has been created to organize the content.
The previous article primarily addressed threats, risks, and attack surfaces related to inventorying storage infrastructure. This article focuses on summarizing security recommendations for storage deployments. The contribution of this thesis lies in emphasizing measures that align with zero trust requirements and security standards such as SP800-209 related to data storage.
4. Security Guidelines for Storage Deployments
Sections 4.1 to 4.12 provide security recommendations and guidelines for storage infrastructure security. Each guideline is uniquely identified through a naming and numbering scheme, with the primary identifier taking the form of âxx-SS-Ry.â
However, because this thesis focuses on security measures related to connections between AP (clients) and storage devices and the security measures of the hosts themselves, this chapter will not list all security recommendations but will only highlight those related to AP (clients) and storage devices or the âstorage infrastructure itself.â
- âxxâ represents two letter combinations related to the section title. For example, in section 4.1 âPhysical Storage Security,â the primary identifier is marked as PS-SS-R1, PS-SS-R2, etc.
- âSSâ stands for âStorage Security.â
- âyâ is a consecutive numeric identifier, with further details denoted by âa,â âb,â such as âPS-SS-R1.aâ (following NIST SP 800-53, section 3.10), âPS-SS-R1.bâ (Supply Chain Protection), and so on.
My insight: This chapter can be used to compile a checklist for inspecting security measures related to AP, AP Hosts themselves, storage device Hosts themselves, and the connection between them. This checklist can be used as part of the authorization and access control process to mitigate potential security threats.
4.1 (PS) Physical Storage Security
Physical security is a fundamental element of ensuring the security of any information technology infrastructure. Often, requirements for the âphysical security of storage infrastructureâ align with those of other infrastructure elements, such as computers and network devices, including facility security, monitoring, and transportation.
- Relevant standards for infrastructure elements include NIST SP 800-53, Rev5, and NIST SP 800-171.
- Further discussions on media disposal and destruction can be found in ISO 27040 and NIST SP 800-88.
Therefore, this chapter mainly provides regulations for âphysical security unique to storage infrastructureâ or aspects less emphasized in other publications.
Requirement: PS-SS-R1 Ensure media security measures
PS-SS-R1 |
Ensure media security |
---|---|
PS-SS-R1.a |
Recommend following specific guidance from NIST SP 800-53, Rev5, including policy development, access restrictions, sensitive information labeling, secure storage, secure transmission, data clearing, and the use of encryption. |
PS-SS-R1.b |
Recommend purchasing media with adequate supply chain protection. |
PS-SS-R1.c |
For sensitive data, the distance between âbackup physicalâ media storage and âprimary data storageâ locations should be sufficient. |
PS-SS-R1.d |
Maintain a list of sensitive data and record details, including sensitivity level, classification (related to which applications and services), encryption level, potential impact on the system in case of data compromise or loss, emergency measures and procedures, and data dependencies with other applications. |
PS-SS-R1.e |
Sensitive removable media should use advanced tracking control measures, such as RFID tags, GPS tracking devices, and tamper-evident protection. |
PS-SS-R1.f |
Consider using self-destruct mechanisms for extremely sensitive information, with careful consideration of how to protect these features from being targeted by attackers to trigger device destruction mechanisms. |
Requirement: PS-SS-R2 Protect all sensitive administrative equipment
Measures for âmanagement workstationsâ that can access storage facilities should include:
Organization-approved security controls
: Management access to storage infrastructure, including access, monitoring, and auditing, should be managed using organization-approved security controls.Security at least as stringent as data protection
: Security measures for âmanagement workstationsâ (including home-based workstation environments) accessing storage facilities should be at least as strict as those for âdata protectionâ or âsystems using data.â
Requirement: PS-SS-R3 Data sanitization approach should cover storage infrastructure in detail
- Data sanitization approaches should cover various components within the storage infrastructure, which may contain sensitive information. Ensure that components within the storage infrastructure are included in the organizationâs data sanitization policy. These components include:
- Non-volatile memory
- Cache objects (storage arrays, SAN switches, routers, etc.)
- Firmware/BIOS settings and HBA-level configurations
4.2 (DP) Data Protection
This section primarily discusses various measures, perspectives, and levels of separation for data protection. Relevant requirements should consider the following aspects:
Different Aspects of Data Protection
In this section, we mainly discuss the objectives and related activities of data protection, controlling them from various perspectives, including:
- Data Backup and Recovery: This is a crucial control measure to ensure data recovery after unexpected failures or catastrophic events.
- Archiving: This is a control measure to retain data in long-term storage, typically used for preserving historical data or data required by regulations.
- Replication Technologies: This involves creating data copies between different locations or systems as a control measure to ensure availability in case of primary system failures.
- Continuous Data Protection: This is a control measure that involves continuous monitoring of data changes and real-time backups, allowing for rapid recovery to specific points in time.
- Point-in-Time Copies and Snapshots: This control measure involves copying data at specific points in time for restoration or querying when needed.
Identification of Data Planes
When discussing storage management and data protection, distinguishing between different data planes is crucial for a better understanding and management of storage systems. This is because data planes provide a way to organize and differentiate access methods, protocols, operations, and permissions related to data, ensuring that the system operates effectively on different levels. The main types of data planes include:
- Data Consumption Plane: This plane involves access methods and protocols for performing I/O operations, as well as related network connections. It is the plane where users and applications read and write data.
- Data Management Plane: This plane involves the management of metadata and configuration information related to data, such as creating, configuring, and mapping devices. It focuses on managing dataâs metadata and configuration information within storage systems.
- Data Protection Plane: This plane is concerned with data protection and backup operations, including copying, snapshots, backups, archiving, etc., to ensure data persistence and disaster recovery capabilities.
Level of Separation for Data Planes
In general, increasing the granularity and separation of data planes can positively impact the security of data assets, and the designs and implementations that can have a significant impact include:
- Two-layer separation at the network layer: For example, using different VLANs to increase separation.
- Logical network separation: Using separate IP subnets to increase separation.
- Filtering and Access Control Lists (ACLs): Adding ACLs to the data consumption plane to prevent management operations, increasing the separation between âconsumptionâ and âmanagementâ planes.
- Authorization Separation: Restricting permissions for each role, using different roles for different planes.
In this section, rigorous recommendations for the implementation of each of the above control measures are also provided. Additionally, other related requirements are included in sections 4.7 âIsolationâ and 4.8 âRecovery Assurance,â as these requirements are closely related to data protection.
4.2.1 Data Backup, Recovery, and Archiving
Requirement: DP-SS-R1 Document Data Protection Plan or Policy
This document aims to ensure that the organization has a comprehensive and secure data protection plan in place before deploying systems or data storage solutions to address potential data corruption, failures, or security issues. These measures will help to ensure data integrity and availability while ensuring compliance with relevant regulatory requirements.
DS-SS-R1 |
Document Data Protection Plan or Policy |
---|---|
DP-SS-R1.a |
Specifications for levels, frequencies, and backup quantities to meet the organizationâs recovery objectives should be included. This should encompass: - Frequencies and retention periods, e.g., snapshots every 48 hours, daily backups. - Types, e.g., full backups, incremental backups, continuous backups (such as file version control, logs, or log shipping and archiving), replication, point-to-point backups, etc. |
DP-SS-R1.b |
Types of media to be used. |
DP-SS-R1.c |
Encryption requirements applied to âbackup dataâ should be at least as strong as the encryption level for âprotected data.â |
DP-SS-R1.d |
Other protection requirements, such as digital signatures, archiving, location, facility security (including fire, explosion, and magnetic interference protection), immutability and locking, minimum number of backups per backup set, and geographic distribution of these backups. |
DP-SS-R1.e |
Reference applicable regulatory frameworks and associated controls. |
DP-SS-R1.f |
Comprehensive lifecycle management and disposal policies for backup media should be included. |
DP-SS-R1.g |
Data recovery testing and verification should be planned, including a minimum number of yearly recovery tests, which should include data recovery and system recovery. |
DP-SS-R1.h |
A reference to other security-related documents and policies. |
Requirement: DP-SS-R2 Backups and Replication
Backups and replication are fundamental components of data protection, ensuring data availability in the event of data loss or system failures. Organizations must establish comprehensive policies and procedures for backups and replication to meet their data recovery objectives.
DS-SS-R2 |
Backups and Replication |
---|---|
DP-SS-R2.a |
Regular and automated backups of critical data should be performed according to the organizationâs data protection plan. These backups must include all data necessary for the recovery of systems and data assets. |
DP-SS-R2.b |
Data backups should be securely stored and protected from unauthorized access or tampering. Off-site or remote backups should be considered to protect against physical disasters or site failures. |
DP-SS-R2.c |
Data replication should be considered to ensure data availability and minimize downtime in the event of primary system failures. |
DP-SS-R2.d |
Backup and replication processes should be monitored and audited regularly to ensure their effectiveness and adherence to the organizationâs data protection plan. |
DP-SS-R2.e |
Regularly test the restoration process for backups and validate the integrity of replicated data to ensure successful recovery in case of failures. |
DP-SS-R2.f |
Implement a process for automated detection and alerting of backup or replication failures. |
Requirement: DP-SS-R3 Archiving of Data
Archiving is essential for preserving historical data, complying with regulatory requirements, and ensuring data availability when needed. Organizations should have policies and procedures for data archiving.
DS-SS-R3 |
Archiving of Data |
---|---|
DP-SS-R3.a |
Establish archiving policies that define the criteria for data to be archived, including data age, business value, and regulatory requirements. |
DP-SS-R3.b |
Archived data should be stored securely and protected against unauthorized access or tampering, similar to backup data. |
DP-SS-R3.c |
Implement mechanisms to efficiently retrieve and access archived data when needed, including indexing and search capabilities. |
DP-SS-R3.d |
Regularly review and update archiving policies to ensure they remain aligned with business needs and regulatory requirements. |
DP-SS-R3.e |
Archive data in a format that preserves its integrity and usability over time, taking into consideration long-term retention requirements. |
4.2.2 Replication and Mirroring
Requirement: DP-SS-R5 Consistency of Data Protection for Primary and Secondary Storage
- Both synchronous and asynchronous âreplicationâ require data protection at the same level as primary storage.
- This includes encrypting data at rest and configuring access restrictions.
Requirement: AC-SS-R6 Eliminating Unnecessary Replication Trust Between Storage Arrays
- When there are no shared replicated volumes between arrays, the replication trust relationship between them should be disabled.
- When there are shared replicated volumes between arrays, privileges for replication trust between them should be limited to the shared volumes only.
Requirement: DP-SS-R7 Data Protection During Transmission for Replication and Mirroring
- During replication and mirroring, data confidentiality and integrity during âtransmissionâ should be protected using encryption.
- Encryption requirements can be relaxed when appropriate mitigation controls are in place, such as when mirroring occurs within the same cabinet or server room.
Requirement: DP-SS-R8 Automatic I/O Pause for Synchronous Replication
- When the synchronous progress of secondary storage servers lags behind the updates on primary data, the automatic I/O pause feature should be enabled to prevent write operations on the primary storage device. Continuing to allow write operations on the primary storage device may result in
- Data inconsistency and data loss risks.
- However, please note that enabling this feature increases the risk of attacks on the primary storage device, as adversaries may attack the replication network path to trigger denial of service on the primary storage device.
Requirement: DP-SS-R9 Deleting Outdated Replicas to Reduce the Attack Surface
- Regularly delete outdated replicas to reduce the attack surface.
4.2.3 Point-in-Time Copies
Requirement: DP-SS-R10 Meeting Target Requirements for Point-to-Point Copies
- Ensure that the configuration of point-to-point copies (e.g., snapshots) meets the Recovery Point Objective (RPO) requirements of the target dataset.
- If business or compliance standards require that no more than five minutes of committed data can be lost during recovery, then the snapshot interval should be five minutes or shorter.
- Ensure the configuration includes a sufficient number of hourly snapshots to meet retention requirements.
Requirement: DP-SS-R11 Deleting Outdated Snapshots and Clones
Regularly delete outdated snapshots and clones to reduce the attack surface.
4.2.4 Continuous Data Protection
Requirement: DP-SS-R12 Security Considerations for Continuous Data Protection
- Functional Advantages: Improved Recovery Point Objectives (RPO), more granular retention policies.
- Technologies for Continuous Data Protection: Includes Continuous Data Protection (CDP), version control of âsource data or copiesâ in cloud file and object storage, and âtransaction log shipping.â
- Assisting in enhancing the forensics of sensitive data: Backtracking to previous versions can help understand attack characteristics, timing, etc., but may be time-consuming.
4.3 (AC) Authentication and Data Access Control
Managing users and their managed hosts is an attack surface that attackers can exploit, and improper use of privileged users can lead to storage system failures or compromises. Implementing the âleast privilege modelâ and utilizing specific roles for administration is crucial.
According to ISO/IEC 27040 standards, the following roles should be implemented and used in storage technologies: Security Administrator, Storage Administrator, and Security Auditor. These roles are designed to ensure the security of storage technology, restrict privileged access, and reduce the risk of attacks.
Below is a table summarizing the permissions and responsibilities of these roles:
Security Administrator
Permissions Owned | Responsibilities | Not Allowed |
---|---|---|
View and modify permissions | - Create and manage accounts - Set up and manage roles and permissions for users and administrative operations- Formulate policies related to validators, credentials, and keys - Manage encryption and keys - Manage audit and logging |
None |
Storage Administrator
Permissions Owned | Responsibilities | Not Allowed |
---|---|---|
Storage Administrator | View and modify permissions | - Access and manage all aspects of storage systems |
Security Auditor
Permissions Owned | Responsibilities | Not Allowed |
---|---|---|
Security Auditor | View permissions | - Conduct authorization reviews - Validate security parameters and configurations- Check audit logs |
Storage Auditor
Permissions Owned | Responsibilities | Not Allowed |
---|---|---|
Security Auditor | View permissions | - Conduct authorization reviews - Validate security parameters and configurations- Check audit logs |
4.3.1 Authentication Recommendations
Requirement: AC-SS-R1 Unique Identifier for all users
- All users, including administrators, should have a unique identifier for personal use only.
- The identifiers assigned to administrators should meet at least Identity Assurance Level 3 (IAL 3) as specified in NIST document SP800-63A [35] sections 4.2 and 4.5.
- The only exception is emergency use accounts, which are governed by AC-SS-R16.
Requirement: AC-SS-R2 Centralized Authentication Solution
- In large environments, a centralized authentication solution (e.g., Active Directory, Lightweight Directory Access Protocol [LDAP], Single Sign-On [SSO], organization-approved cloud authentication services) should be deployed to closely monitor and control user access to storage resources.
- Ensure consistent enforcement of the organizationâs authentication policies.
- Avoid using built-in authentication and permission management functions and preferably disable them.
Requirement: AC-SS-R3 Configuration of Authentication Servers
DS-SS-R3 |
Requirement Details |
---|---|
AC-SS-R3.a |
Strictly control the assignment of servers performing authentication services: Specify servers that perform authentication service to specific servers and ensure such assignments are rigorously managed and controlled. |
AC-SS-R3.b |
Multiple authentication servers should be in place: To ensure availability and avoid a single point of failure. |
Requirement: AC-SS-R4 Secure Connection to Centralized Authentication Server
- Communication between the centralized authentication server and authentication clients should use the latest security protocols, such as Transport Layer Security (TLS) 1.2 or higher.
Requirement: AC-SS-R5 Use of Multi-Factor Authentication
- Access configurations for infrastructure components storing critical data should employ at least two-factor authentication.
- These authenticators should meet at least the requirements specified in NIST document SP800-63B [36] section 5.1.9. This requirement should be mandatory for users in the roles of Security Administrators and Storage Administrators.
4.3.2 Password Recommendations
Requirement: AC-SS-R6 Secure Password Policies Should Cover Service Accounts
- Secure password policies should apply not only to personal accounts but also to service accounts (e.g., Simple Network Management Protocol (SNMP), Network Data Management Protocol (NDMP), and accounts used by automation tools).
- These passwords should at least meet the requirements for memorized secrets as described in NIST document SP800-63B [36] section 5.1.1.
Requirement: AC-SS-R7 Password Length
- A strong password should have a minimum of 15 characters, preferably 20 characters.
Requirement: AC-SS-R8 Password Complexity
- A strong password should include a combination of uppercase and lowercase letters, numbers, and special characters. It should not resemble the username and should not contain repeated character sequences.
Requirement: AC-SS-R9 Password Expiration
- All passwords should have expiration times set. The expiration time for administrator accounts should be shorter than for regular user accounts.
Requirement: AC-SS-R10 Password Reuse
- Users should not reuse the most recent four (or more) passwords, depending on organizational risk factors.
Requirement: AC-SS-R11 Password Caching
Standard | Requirement Details |
---|---|
AC-SS-R11.a |
Passwords should not be cached on servers, desktops, or any other systems. |
AC-SS-R11.b |
Sufficiently short Time to Live (TTL) or equivalent control mechanisms should be used. |
Requirement: AC-SS-R12 Saving Passwords
- Passwords should not be saved in plaintext anywhere (e.g., documents or scripts).
- Even if passwords are stored in encrypted form, enabling storage management applications to locally remember usernames and passwords for automatic login should be strictly prohibited unless managed through authorized central authentication services (such as LDAP SSO).
Requirement: AC-SS-R13 Eliminate or Change Default Passwords
- Default passwords that come with system installations or deployments should be changed immediately.
4.3.3 Account Management Recommendations
Requirement: AC-SS-R14 Use of accounts not associated with system users
- Disable accounts not associated with any users, such as those not present in Active Directory, like âguest,â âanonymous,â ânobody.â
- Their default configurations, such as passwords and permissions, should be changed per the organizationâs policy scope.
Requirement: AC-SS-R15 Account lockout
- After a certain number of failed login attempts, the user should be locked out.
- Some implementations of account lockout include automatic resets (account unlocking) after a certain time or power cycle.
- Automatic reset should not be allowed on sensitive storage systems.
Requirement: AC-SS-R16 A local user account for emergency purposes
- A separate local user account should be reserved for providing emergency-only access to storage resources in case the âcentral authentication systemâ is unavailable.
- This account should comply with:
- All organizational policies (e.g., password length).
- Its usage should be restricted to specific, secure locations.
- Follow well-documented procedures, including appropriate approvals and notifications to relevant stakeholders.
Requirement: AC-SS-R17 Eliminate or disable default user accounts
- Default user accounts that come with system installations should be eliminated or disabled if associated functionalities exist.
- If the elimination or deactivation of default user accountsâ functionality is not possible or there is a legitimate reason to retain any account, AC-SS-R18 requirements should be met.
Requirement: AC-SS-R18 Limit local and default user accounts
Requirement | Requirement Details |
---|---|
AC-SS-R18.a |
Limit the use of such accounts and their assigned privileges. |
AC-SS-R18.b |
Password policies should apply to all users, local and default accounts, including accounts with administrative privileges. |
4.3.4 Privilege and Session Management Recommendations
Requirement: AC-SS-R19 Role and Responsibility Configuration
- At least four roles specified in the ISO standard ISO/IEC 27040 [10] (i.e., Security Administrator, Storage Administrator, Security Auditor, and Storage Auditor) should be implemented for access to all storage resources.
- Ensure that storage products have sufficiently granular role control mechanisms for handling sensitive information, and if the storage product does not have such functionality, it can achieve similar effects through compensatory controls.
Requirement: AC-SS-R20 Follow the Principle of Least Privilege
Follow the âPrinciple of Least Privilegeâ to assign privileges to roles and assign roles to users. It should include at least the following:
Standard | Requirement Details |
---|---|
AC-SS-R20.a |
Assign privileges for âData Managementâ and privileges for âData Protectionâ to different roles, and these two roles should not be assigned to the same user. |
AC-SS-R20.b |
Assign privileges for âData Managementâ and privileges for âHost Managementâ to different roles, and these two roles should not be assigned to the same user. |
Additionally:
- Data Management: Permissions related to tasks such as creating new storage volumes or sharing resources for the normal operation of storage resources.
- Data Protection: Permissions related to configuring, stopping, or deleting backups, ensuring the security of stored data, and preventing data loss.
- Host Management: Tasks such as creating/deleting objects in storage controllers, permissions related to managing the hardware and infrastructure of storage systems.
Requirement: AC-SS-R21 Principle of Least Privilege
- Any privileges assigned to roles should follow the âPrinciple of Least Privilege.â
- The permissions allocated to roles should not exceed what is required for the functions they perform, such as accessing specific storage resources like block devices, files, objects, etc.
Requirement: AC-SS-R22 Secure Session Management
- All sessions between clients and storage infrastructure systems should be managed according to the required levels of authentication assurance, as per the requirements of [63B] Section 7, including termination and automatic logout.
Requirement: AC-SS-R23 Implement Daily Message and Login Banner Notifications
- âDaily Messageâ or âLogin Bannerâ notifications should be displayed before logging into any storage infrastructure component or system through the user interface (UI), command-line interface (CLI), or application programming interface (API), if applicable. The message should include legal statements:
- âWarning users are accessing restricted systems with sensitive data.â
- And provide any other warnings and meaningful messages per the organizationâs security and privacy policies.
4.3.5 SAN-Specific Recommendations
- SAN stands for Storage Area Network, which is used for data transmission between storage devices and servers.
- It typically consists of specialized hardware and software and uses high-speed connectivity technologies such as Fibre Channel or Ethernet for efficient, low-latency data transfer.
- SANâs storage resources are seen as local disks on servers, allowing servers to access and manage these storage devices through SAN.
Access control topics related to SAN involve multiple aspects. Some aspects overlap with network configuration and access management, which have already been covered in other sections. To gain a comprehensive understanding of all aspects of access control, please refer to the content in these three sections:
- Access control recommendations related to âNetwork Infrastructureâ (e.g., switches, ports, host bus adapters, and network interface cards) and âProtocolsâ can be found in Section 4.6 with detailed discussions.
- Encryption of data during transmission (one of the mechanisms of access control) is discussed in detail in Section 4.9.
- Access management is discussed in detail in Section 4.10.
This section primarily discusses âdata-relatedâ access control in SAN, covering access control for block devices, implementing zoning, and access control specifications for Fibre Channel.
Note: AC-SS-R24 - Access Control for Block Devices (HDD
Access to a set of Storage Area Network (SAN) devices by a set of hosts should be restricted through zoning (software or hardware) and masking to achieve the minimum required access permissions.
Note: AC-SS-R25 - Access Control for Block Device Copies and Replicas
- Access to a set of SAN-copied block devices, snapshots, and other types of point-in-time replicas by a set of hosts should be restricted through partition zoning and masking to achieve the minimum required access permissions.
- In many cases, hosts granted access should not be allowed to access replicas.
Note: AC-SS-R26 - Permissions for Default Zones
- The permissions for default zoning (possibly product-specific) should always be configured as âdeny all.â
Note: AC-SS-R27 - Implementation of Zoning
Zoning should be implemented based on reasonable logic in a switched SAN architecture, especially with relevance to âenvironmentsâ and âtrafficâ types, which should be separated as much as possible:
Requirement | Requirement Details |
---|---|
AC-SS-R27.a |
Environments: Development, testing, production, etc. |
AC-SS-R27.b |
Traffic Types: Data access, management, copying, backup, etc. |
AC-SS-R27.c |
Host Types: Virtualized, physical hosts. |
AC-SS-R27.d |
Storage Device Types: Tape, disk. |
Note: AC-SS-R28 - Implementation of Software Zoning
When implementing software zoning, only allow hosts to connect to storage devices through Simple Name Servers (SNS) by consulting the software zoning table rather than directly using device discovery.
Note: AC-SS-R29 - Control Over Devices That Can Join the SAN
- In SAN, there is a policy-defined feature that can âcreate a whitelistâ listing the switches, data storage devices, and hosts that can join the storage area network. It is recommended to fully utilize this feature where applicable.
4.3.6 File and Object Access Recommendations
Note: AC-SS-R30 - Limit Access to All Types of Object Storage Data to a Minimum
Limit access to all types of object storage data (e.g., files, objects) following the âPrinciple of Least Privilege,â including:
Requirement | Requirement Details |
---|---|
AC-SS-R30.a |
Restrict access to object storage data via any protocol based on client IP and/or relevant subnets while requiring specified ports/protocols. |
AC-SS-R30.b |
Use more granular access control mechanisms (e.g., by roles, IDs, tags, accounts, Virtual Private Clouds (VPCs), VPC endpoints, etc.). |
AC-SS-R30.c |
Access permissions should be granted only to centrally managed users and roles, such as users in the enterprise directory or approved business services, and not to specific system-local users. |
AC-SS-R30.d |
For any shares, set default access permissions to âdeny allâ or equivalent settings. |
AC-SS-R30.e |
Default shares should be disabled or deleted. If they are needed for specific purposes, access permissions should be restricted to the minimum required. |
AC-SS-R30.f |
Access permissions (e.g., read, write, execute, modify, delete, view ACLs, change ACLs) should be individually assigned based on the âNeed to Knowâ principle. |
AC-SS-R30.g |
If available, use features that define object storage ACLs and use the user, group, or administrator permission model of the local operating system. |
AC-SS-R30.h |
If policy definition features for file-level access patterns are available, utilize them and implement the ability to detect policy violations and send notifications. |
Note: âNeed to knowâ is an information security principle that emphasizes that individuals should only have access to sensitive information or resources if they have a legitimate requirement to know or are authorized to perform specific tasks. This principle applies to various situations, including data access permissions, network access permissions, access to confidential documents, and more.
Note: AC-SS-R31 - Disable Unauthenticated Users
- Unauthenticated users should be disabled (e.g., anonymous, empty, guest, or âpublic accessâ users).
- Exceptions may be provided to allow critical organizational functions, such as network discovery, but in such cases, these users should be mapped to the ânobodyâ user group rather than âID 0.â
Note: AC-SS-R32 - Regularly Review Security Settings
- Regularly review the security settings of all stored data mentioned above, including various types of data (e.g., files, objects), to ensure no deviations.
- Record the results of the reviews.
Note: AC-SS-R33 - Use Anti-Malware Scanning Tools
- Use anti-malware tools to scan sensitive information files.
- Whenever âaccessâ involves âsensitive informationâ in âfiles,â first scan with organization-approved anti-malware tools to ensure the files are not compromised.
Note: AC-SS-R34 - Implement Fine-Grained Permission Assignments
- Implement fine-grained permission assignments:
- For file and object sharing systems (e.g., NFS, CIFS, cloud object storage), use more granular permission granting.
- Do not use coarser-grained methods (e.g., controlling files or objects instead of controlling entire folders, or controlling shares or storage buckets).
Note: AC-SS-R35 - Restrict Root Access to Protect NFS
- Restrict root access to protect NFS, including using the ânosuidâ option.
- Avoid using âno_root_squashâ to prevent programs on clients from running as the root user.
- And avoid remote root users from modifying shared files. In general, NFS clients should not be allowed to run âsuidâ and âsgidâ programs on exported file systems.
Note: AC-SS-R36 - Set noexec Option to Prevent Execution of Executable Files
- Require that NFS shares that are set to âread onlyâ mode have the ânoexecâ option added to their mount configurations to prevent the execution of executable files on the share.
Note: AC-SS-R37 - Do Not Export Administrative File Systems
- Do not export administrative file systems, including the â/â file system and restricted operating system or storage array system folders.
Note: AC-SS-R38 - Do Not Grant Full Control Permissions to Any Users
- When using CIFS, do not grant âfull controlâ permissions to any users, as recipients may use this permission to modify permissions, leading to privilege leakage.
CIFS stands for Common Internet File System. It is a protocol used for sharing files and resources over computer networks. CIFS was originally developed by Microsoft for file sharing in Windows operating systems.
The CIFS protocol allows different computers to share files over a network, enabling users to access and manipulate files on other computers over the network, similar to accessing local files. This facilitates resource sharing among users, including documents, images, audio, video, and more.
Note: AC-SS-R39 - Use Object Locking to Prevent Unauthorized Deletion
- For sensitive information, if supported, use advanced controls to prevent unauthorized object deletion.
- (For example, requiring multi-factor authentication when deleting objects or locking objects to prevent deletion).
4.4 (AL) Audit Log
Storage infrastructure components generate event log records for a large number of transactions or events. These event log records must be logged in some way for auditing purposes.
- From a
security
orcompliance
perspective, it is important to capture those necessary event log records to provide evidence of operations. - It enforces accountability and traceability, meets evidence requirements, and provides adequate monitoring of the system.
The following are security-related audit log events:
Administrative Events
- Related to the administration of system permissions.- For example, resetting user passwords, account creation/deletion, permission modifications, role changes, group membership changes, privilege operations, and configuration creation/changes.
Security-Related Events
- Events that can result in security incidents, such as changes to system security configurations and authorization error messages.- For example, changes to user configurations and security configurations, failed/block attempts to access storage, and blocked login attempts. These events are often of interest, although some may overlap with administrative events.
Data Access Events
- Events related to data access, and monitoring access to sensitive information (e.g., determining what an adversary may have accessed) is helpful.
The following are consequences of not properly documenting audit logs:
- Insufficient security logs and analysis allow attackers to hide their location, malware, and activities on victim machines.
- Lack of reliable audit logs means that attacks can go undetected for an extended period, and the actual damage caused may be irreversible.
- Due to poor or nonexistent log analysis processes, attackers can sometimes control victimsâ machines within the target organization for months or years without anyone in the target organization knowing, even though evidence of the attack could be in unreviewed log files.
Given the criticality of event log data for attack detection and forensic investigations, here are security recommendations for implementing audit log functionality:
Requirement: AL-SS-R1 - Enable Audit Logging for Storage Infrastructure Components
- This is an information security requirement that states that
all storage infrastructure components should enable audit logging
and use reliable transmission methods and secure communication protocols.
Requirement: AL-SS-R2 - Requirement for Reliable External Time Synchronization
- Network Time Protocol (NTP) service is crucial for time synchronization.
- If NTP service is disabled:
- Dependent systems may receive inaccurate timestamps for messages, events, and alerts.
- Time inconsistencies among different devices, making it impossible for log analysis, correlation analysis, anomaly detection, or forensics.
- Establish and
use a common and accurate time source
throughout the environment to ensure that event records from different sources can be correlated. - The following are recommendations for deploying and integrating NTP with storage-related devices:
|Requirement| Requirement Content |
|---------|----------|
|AL-SS-R2.a
| All devices (including log servers and storage infrastructure) should enable the NTP service. |
|AL-SS-R2.b
| Have devices configured to synchronize time with time source servers (e.g., NTP servers). |
|AL-SS-R2.c
| Access should only be granted to centrally managed users and roles, such as users in the enterprise directory or approved business services, andnot to specific system local users
. |
|AL-SS-R2.d
| Establish at least three independently located time servers to ensure that even if one server fails or becomes unavailable, the other servers can still provide accurate time information. |
|AL-SS-R2.e
| Use certificates to verify the identity of time source servers to ensure the security of the time synchronization service. |
|AL-SS-R2.f
| - Access restrictions options like ântpdâ access restrictions can be utilized to limit access to time source servers.
- You can configure an access control list listing devices allowed or denied access to the time server. (e.g., configurerestrict 192.168.2.10
to allow only this IP to access). |
Requirement: AL-SS-R3 - Centralized Logging and Ensuring Reliability
- By writing logs to a central log server (e.g., syslog server, cloud log service), the risk of log loss or tampering is reduced because they are more secure within the internal network. Here are recommendations for deploying and integrating centralized log logging with storage-related devices:
|Requirement| Requirement Content |
|---------|----------|
|AL-SS-R3.a
| The organization should âdefineâ the organizational log record âstandardâ for storage devices and specify the required log record levels. (For more specific recommendations, see AL-SS-R4). |
|AL-SS-R3.b
| âAll devicesâ should be configured to transmit log event data to the organizationâs approved âcentral log serverâ based on the applicable âorganizational log record standard.â |
|AL-SS-R3.c
| The effectiveness of the central log configuration should be monitored on all devices (e.g., log service stays active, log record levels are configured per organizational standard, each device is configured with an approved log server), and anomalies detected should be given high priority for resolution. |
|AL-SS-R3.d
| Multiple syslog servers should be deployed to achieve continuous logging and prevent a single point of failure. |
|AL-SS-R3.e
| At least one offline copy of each log should be retained. |
|AL-SS-R3.f
| To prevent the loss of entries before stopping and restarting all log entries, log records should be configured to write to disk in real-time, without using buffering, and using reliable protocols. |
Requirement: AL-SS-R4 - Log Record Levels
Storage audit logs should include (but are not limited to) the following events related to the protection of all storage-related objects, sites, and accounts:
Requirement |
Requirement Content |
---|---|
AL-SS-R4.a |
In sensitive environments, Read-only API Calls. |
AL-SS-R4.b |
All âdenied access attemptsâ to services, ports, files, objects, or devices should be logged. |
AL-SS-R4.c |
Log âencryption key management operationsâ covering the entire âkey lifecycle operationâ (especially encryption keys), such as key generation, key deletion, certificate management, etc., especially events related to key destruction should be recorded. |
Requirement: AL-SS-R5 - Audit Log Retention and Protection
The following measures should be taken for audit log retention and protection:
Requirement |
Requirement Content |
---|---|
AL-SS-R5.a |
There should be a âsufficiently long log data retentionâ period because it often takes time to detect ongoing or already occurred intrusion events. |
AL-SS-R5.b |
âAdequate storage spaceâ should be allocated, and remaining space and abnormal growth rate of log data should be actively monitored to âprevent log destinations from filling up.â (Known attack patterns include âfilling logs to hinder evidence collection,â and proper monitoring helps identify such attacks in real-time.) |
AL-SS-R5.c |
Archived log data should be âprotected against tamperingâ (e.g., using WORM or immutable storage, object locking, multi-factor authentication (MFA) for deletion approval). If supported, central log servers should also use these storage options. |
AL-SS-R5.d |
Limit access to log data and servers by âspecifying roles and accounts.â |
AL-SS-R5.e |
âEnable encryptionâ because access to log data may provide valuable insights to attackers about assets and potential attack vectors. |
Requirement: AL-SS-R6 - SIEM Integration
- If supported, âintegrate storage infrastructure logsâ with Security Information and Event Management (SIEM) for potential threat detection.
4.5 (IR) Preparation for Data Incident Response and Cyber Recovery
For information on incident response roles and establishment, you can refer to the NIST framework for improving the security of critical infrastructure [40]. Events related to storage should be handled as part of the organizationâs incident response process, which includes isolation, root cause analysis, definition and management of response plans, testing, and regular process review and updates. The following recommendations cover specific aspects to consider regarding storage infrastructure and data assets.
[40] National Institute of Standards and Technology (2018) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. (National Institute of Standards and Technology, Gaithersburg, MD). https://doi.org/10.6028/NIST.CSWP.04162018
Requirement: IR-SS-R1 â Develop Response Plans for Intrusions into Storage Components
The following elements should be considered in the organizationâs risk analysis, isolation, remediation, recovery, and testing procedures:
Requirement |
Requirement Content |
---|---|
IR-SS-R1.a |
Intrusion response plans for the entire storage array or entire cloud-based storage assets (e.g., SAN, NAS, object storage, elastic file systems). |
IR-SS-R1.b |
Intrusion response plans for backup systems. |
IR-SS-R1.c |
Intrusion response plans for individual storage elements (e.g., shares, block devices). |
IR-SS-R1.d |
Intrusions into FC SAN networks (including individual switches and SAN services). |
Requirement: IR-SS-R2 â Ensure the Immutability of Recovered Assets During Incident Management
- Combine the recommendations provided in section 4.7 regarding the protection of network recovery copies to ensure they remain isolated during incident management.
Requirement: IR-SS-R3 â Verify the Health of Recovered Compute Components During Recovery
- Ensure that recovered executable files, applications, containers, and operating system images are free from infection before deploying them into the production environment.
4.6 (NC) Guidelines for Network Configuration
Network topics related to storage involve multiple aspects, some of which overlap with data access control, access management, and encryption, which are covered in other sections. To get a comprehensive understanding of all network configuration aspects, please refer to the content of all sections:
- In section 4.3, there are certain network recommendations closely related to data access control.
- In section 4.9, there are encryption recommendations related to networks and protocols.
- In section 4.10, there are certain network recommendations closely related to access management.
This section primarily covers network infrastructure (e.g., switch, port, HBA, and NIC configurations, partitioning guidelines, etc.) and protocols.
4.6.1 FC SAN and NVMEoF
- FC SAN: FC SAN is a storage area network technology that uses Fibre Channel protocol to connect hosts and storage devices. It is a high-performance, reliable, and scalable solution typically used to connect enterprise-grade storage systems and hosts.
- NVMEoF (NVME over Fabric): NVMEoF aims to use the NVMe protocol to access remote storage devices over a network without the need for a direct local connection.
- NVMe (Non-Volatile Memory Express) is an efficient storage access protocol designed specifically for non-volatile storage devices such as SSDs.
- NVMeoF extends the NVMe protocol to Fabrics (such as Ethernet or InfiniBand) in existing network architectures.
- This technology allows hosts to access remote storage devices over the network using the NVMe protocol without a direct local connection.
- This approach enables efficient, low-latency storage access in data centers and cloud environments while providing better scalability and flexibility.
Note: NC-SS-R1 - Host and Switch Authentication
- Each
host
andstorage switch
should have unique identities and should undergo authentication before joining the network (e.g., FC-SP-2 AUTH-A).
Note: NC-SS-R2 - Use Approved PKI Mechanisms
- Use organization-approved and certified centralized PKI systems to manage switch certificates (e.g., Fibre-Channel Certificate Authentication Protocol or FCAP) instead of using self-signed certificates from devices.
Note: NC-SS-R3 - Use a Hybrid Approach for Zoning
Implement an approach that combines different types of zoning mechanisms rather than using a single type of zoning (i.e., host, switch, and storage device):
Requirement |
Requirement Content |
---|---|
NC-SS-R3.a |
Zoning based on the host , where applications on the host can access and see which accessible devices or storage resources are available. |
NC-SS-R3.b |
Zoning based on the switch , which involves using the switch to control communication between devices, allowing only specific devices to interact with other specific devices. |
NC-SS-R3.c |
Zoning based on the storage device , where in the storage system, the storage array determines which hosts (or more specifically, which hostâs HBA ports) can access which block devices, while other hosts not listed are denied access. |
NC-SS-R3.d |
Zoning based on functionality , where zoning creates several dedicated zones within the storage network, each with a specific purpose, improving the management and control of storage resource access. |
Requirement: NC-SS-R4 - Considerations for Zoning
- Zoning refers to making block devices visible or invisible to hosts.
- It is preferred to place the zoning as close to the data as possible, as far away from data users or clients as possible (e.g., prioritize array zoning over switch zoning, core switches over edge switches, and switches over HBAs).
Requirement: NC-SS-R5 - Backup Switch Configuration Data
- Create a backup of switch configuration data, including zone configuration profiles.
- This backup should be kept outside of SAN switches to enable redeployment in case of errors, malicious damage, or deletion.
Requirement: NC-SS-R6 - Restrict Switch Management Functions to the Minimum Necessary
Requirement |
Requirement Content |
---|---|
NC-SS-R6.a |
When implementing a Storage Area Network (SAN) structure, establish clear policies specifying and minimizing authorized switches for distributing configuration data (while providing acceptable redundancy). |
NC-SS-R6.b |
Do not enable unnecessary configuration management permissions and services, such as password distribution processes that send passwords to the respective users or devices. |
Requirement: NC-SS-R7 - Considerations for Soft and Hard Zoning
- Soft Zoning relies on host identity to restrict access to storage areas, is relatively less secure but may be more suitable for scenarios involving cross-facility and physical security risks.
- Hard Zoning, on the other hand, uses physical port numbers and does not depend on host identity, is more secure, and is especially suitable for situations where physical access is strictly controlled.
Requirement: NC-SS-R8 - Restrict Specific Fibre Channel Ports for Performing Management Tasks
- Restrict which Fibre Channel physical and logical ports of Storage Area Networks (SANs) can be used for management.
- Only specific Fibre Channel ports should be able to perform management tasks, such as setting up, configuring, or monitoring SANs. Other Fibre Channel ports should be disabled or have their functions restricted to ensure they cannot be used for management tasks.
Requirement: NC-SS-R9 - Limit Communication Between Switches
- Limit communication between switches.
- Ensure that only necessary switches can communicate with each other, reducing the risk of unauthorized devices entering the Storage Area Network.
Requirement: NC-SS-R10 - Disable Unused Storage Area Network (SAN) Ports
- Disable unused Storage Area Network (SAN) ports to prevent accidental or intentional connections by unauthorized devices.
4.6.2 IP Storage Networking
Requirement: NC-SS-R11 â IP Storage Network Segmentation
This section primarily discusses the principles of segmentation in IP storage networks aimed at securing storage-related communication over IP networks. Hereâs a summary of the key points in this paragraph:
- In storage-related communication, segmentation of environments and traffic should occur at the Network Layer Layers 2 and 3 based on different types of traffic to ensure security.
- For sensitive environments, maximum segmentation should be implemented, and the basis for segmentation includes:
|Requirement| Requirement Content |
|---------|----------|
|NC-SS-R11.a
| Types of traffic: Data access protocols, management, replication, backup, host, and application networks, etc. |
|NC-SS-R11.b
| Further differentiate management traffic for different solutions, vendors, and technologies. If two or more storage solutions are in use (e.g., different array technologies, server-based SAN products, switch technologies, storage virtualization, etc.), management traffic for each environment should be segmented from others. |
|NC-SS-R11.b
| Data access protocols (e.g., iSCSI, NFS, proprietary vendor protocols, etc.). |
|NC-SS-R11.b
| Types of servers or hosts accessing data: Virtualized hosts vs. physical hosts. |
These segmentation principles aim to ensure the security of IP storage networks, allowing different types of traffic and sensitive information to be appropriately isolated in the network, reducing potential security risks.
Requirement: NC-SS-R12 - Subnet Segmentation
- IP or Ethernet management ports on SAN switches should be placed in separate subnets, including data access subnets between hosts and storage, and separate subnets for inter-host communication.
Requirement: NC-SS-R13 - Enable Device IP Access Control
Device IP access control should be enabled, and relevant security features, such as built-in firewall rules, IP filtering, and access control lists, should be configured on storage devices to achieve:
Requirement |
Requirement Content |
---|---|
NC-SS-R13.a |
Control and limit access only to the required hosts or applications for their associated storage objects. |
NC-SS-R13.b |
Independently control IP traffic between management hosts and management interfaces related to storage. |
Requirement: NC-SS-R14 - Apply IP Access Control at the Network Level
Use routing, firewalls, access control lists, Virtual Private Cloud (VPC) security groups, and similar mechanisms to restrict all traffic types (data access and management traffic) between servers or applications and their associated storage objects to allowed IP addresses and TCP/UDP ports and protocols:
Requirement |
Requirement Content |
---|---|
NC-SS-R14.a |
Between hosts or applications and their used storage objects. |
NC-SS-R14.b |
Between management hosts and applications and the storage management interfaces associated with them. |
Requirement: NC-SS-R15 - Block Internet or Public Network Access
Access to non-public storage objects from the internet or other public networks should be blocked.
Requirement: NC-SS-R16 - For Storage Objects Requiring Public Access
(a) Minimize access.
(b) Use physically and logically separated storage subnets, preferably with different storage devices and pools for non-public storage objects.
© Consider protection against denial of service attacks.
(d) Cache copies (e.g., using Content Delivery Networks (CDNs), copies, and proxies) while maintaining at least the same security characteristics as the source data.
(e) Consider regulatory requirements (e.g., confidentiality, storage location restrictions).
(f) Any other applicable security controls (e.g., encryption, authentication).
Requirement: NC-SS-R17 - When Configuring SNMP
When configuring SNMP, all traffic should be directed to valid internal organization IP addresses as destinations, and the effectiveness of the configured settings should be periodically reviewed.
Requirement: NC-SS-R17 - Consider Using Isolated Non-Routable VLANs
For server-based SAN deployments, consider using isolated non-routable VLANs to protect data storage environments and mitigate security concerns.
4.6.3 Protocols
Requirement: NC-SS-R19 - Disable Insecure File Access Protocol Versions
- Deprecated, unsupported, or insecure protocol versions such as SMB v1, NFS 1 and 2 should be blocked.
- It is recommended to disable these protocols on both clients and servers for increased security.
Requirement: NC-SS-R20 - SNMP Security Configuration
(a) If SNMP is not in use, it should be disabled.
(b) Modify the default known community strings, even if SNMP is not enabled. The configured strings should comply with the organizationâs password policy.
© Use different community strings for devices with different sensitivities.
(d) Use at least SNMP version 3.
(e) Enforce SNMP authentication and encryption features.
(f) If not absolutely necessary, do not configure SNMP with read-write access. If required, limit and control the use of read-write SNMP.
(g) Use access control lists to control access to devices via SNMP.
(h) Regularly verify that SNMP traps are sent to authorized managers.
(i) Refer to the U.S. Department of Homeland Security (CISA) TA17-156A guidelines for additional guidance.
Requirement: NC-SS-R21 - Integrity of Directories
Regularly review the configurations of all storage elements (such as devices, switches, management workstations, management software) that provide services to ensure only approved configurations are in use and remediate any inconsistencies.
Requirement: NC-SS-R22 - Consider the Use of Standard and Non-Standard TCP/IP or UDP Ports
Consider using non-standard ports to obscure applications or services, making it harder for hackers to identify the correct port number.
The disadvantage of using non-standard ports is that security scanning tools may not recognize suspicious activity on non-standard ports, as these tools expect specific behavior on standard ports.
Requirement: NC-SS-R23 - Enable FCoE Initialization Protocol (FIP) Listening Filters
FIP listening is a security mechanism to prevent unauthorized access and data transmission to the FC network.
FCoE adapters connect FC initiators (servers) to FCoE forwarders (FCFs) to enable FIP snooping on the relevant VLANs.
Requirement: NC-SS-R24 - Restrict iSCSI Ports
Prevent hosts on the iSCSI network from accessing any TCP ports other than those specified for iSCSI on that network.
Requirement: NC-SS-R25 - Use iSCSI Authentication
Authenticate iSCSI initiators (e.g., CHAP, SRP, Kerberos, SPKM1/2) when establishing sessions. Use bidirectional authentication instead of unidirectional CHAP. Note that authentication does not provide channel encryption or integrity protection.
Requirement: NC-SS-R26 - Use NDMP Security Features
When using NDMP, the following security features should be configured:
(a) Control which hosts can initiate NDMP sessions.
(b) Use challenge-response authentication (do not use plaintext authentication options).
© Log NDMP connection attempts.
(d) NDMP passwords should adhere to the organizationâs password policy (e.g., length, complexity).
(e) Assign only the necessary NDMP-related permissions to users.
(f) Encrypt NDMP control connections.
(g) Rate-limit NDMP sessions or server.
Requirement: NC-SS-R27 - Use TLS in LDAP
When configuring Active Directory options for storage systems, use TLS to secure LDAP connections.
Requirement: NC-SS-R28 - Considerations for Other Protocols
When using other protocols (such as SymAPI, SMI-S, GNS, etc.), consider adopting the recommendations in sections 4.6.2 and 4.6.3.
Specifically:
(a) Segment traffic for data access and management from other environments.
(b) Limit TCP and UDP ports.
© Enable encryption as appropriate.
4.7 (IS) Isolation
When production data is damaged or lost, organizations should be able to recover the data through copies or backup data copies. If the damage results from malicious attacks, and the attacker can also destroy backup data copies, an attack on the production environment will have catastrophic consequences because the organization wonât be able to recover. To enhance the resilience of backup copies, it should ensure sufficient isolation between data assets and their recovery copies. In this context, organizations should differentiate at least two data protection scenarios:
- Non-malicious Recovery - Requires data copies to address scenarios like
natural disasters, hardware failures, human errors
, etc. These may include local copies (e.g., snapshots taken before maintenance), disaster recovery copies (DR copies), backups, and long-term archives. The closer these copies are to the production environment, the more likely they are mapped to compute systems for testing and disaster recovery. - Recovery from Network Attacks - Requires
hardened, locked down, and isolated data copies
. Design should strive to achieve a state where these copies remain unaffected, even if associated production data volumes or other types of copies have been compromised.
Requirement: IS-SS-R1 â Separation of Storage Systems
(a) In private clouds, backup copies designed to guard against network attacks should be established within specified dedicated storage environments. In public clouds, these backup copies should be created using separate accounts (or equivalent accounts).
(b) Long-term backups and storage systems should be physically separated from the production data storage systems.
Requirement: IS-SS-R2 â Separation of Management Systems
- The management of storage systems storing network attack recovery copies should come from a designated management system that is separated from the production environment and other systems connected to production (including data protection mechanisms).
- Production and regular backup systems should not have access to these management systems. The system should be hosted in a dedicated environment only connected to the isolated network.
Requirement: IS-SS-R3 â Access Restriction to Network Attack Recovery Systems and Long-term Backups
(a) For sensitive information, network attack recovery copies and their systems should not be visible to regular IT personnel. They should only be accessible by a single individual (e.g., CISO) or a very limited group of senior executives or security managers using special credentials. This ensures that if IT administrator credentials are compromised, attackers cannot use them to access network attack recovery copies. This restricted team can access network attack recovery copies, but administrative privileges will be granted to a smaller subset for granting permissions to other users.
(b) Permissions to access long-term backups should be separate from permissions used for other storage management tasks (e.g., SAN management, storage allocation) and should involve different user IDs, accounts, and credentials.
Requirement: IS-SS-R4 â Offline Storage
- Network attack recovery backups should be stored offline, not in the same location as production data. This ensures that even if attackers physically enter the production site or successfully infiltrate the physical location, they cannot access or compromise network attack recovery backups.
Requirement: IS-SS-R5 â Independent Full Backups
- Backup systems typically use incremental backups, capturing changes to data relative to a baseline backup. These incremental backups must be used together with the baseline backup for recovery. For some backup schemes (e.g., snapshots), only incremental backups are used (i.e., the baseline backup is the production data itself).
- To handle recovery scenarios correctly, dependencies between backups should be considered and sufficient isolation between different types of backups should be maintained. Specifically:
- (a) Replicated disaster recovery backups should not depend on production baseline data.
- (b) Network attack recovery backups should not depend on production baseline data. Dependency on disaster recovery baseline data is only allowed if these backups are sufficiently isolated from production baseline data and comply with IS-SS-R1, IS-SS-R2, and IS-SS-R3 recommendations.
- © Archived data for long-term storage should not depend on production and disaster recovery baseline data.
Requirement: IS-SS-R6 â Disable All Unnecessary Services and Protocols
All unnecessary services and protocols should be disabled on the network attack recovery storage system. In environments where management is done solely through application programming interfaces (APIs) or command-line interfaces (CLIs), itâs also recommended to disable any interactive web interfaces.
Requirement: IS-SS-R7 - Isolate Data from Applications During Restoration
(a) During data restoration, data copies should not be mounted, exported, or mapped to hosts or applications. Instead, they should be restored to an isolated temporary environment (e.g., offline environment) rather than directly restoring to the target host or application. Alternatively, a less secure approach may allow the target host or application limited read-only access during the restoration process (e.g., mapping or mounting), but such access should be removed immediately after restoration.
(b) Data copies for long-term backups should not be directly mounted, exported, or mapped to hosts or applications.
Requirement: IS-SS-R8 - Consider Implementing an Air Gap
- Organizations should consider establishing an air gap around sensitive data for data recovery copies.
- Strict air gaps should provide complete physical and network-level separation.
- Some storage technologies introduce less strict isolation techniques also referred to as âair gapsâ that can be turned off for limited periods when synchronizing with production systems. The effectiveness of each technology should be evaluated based on data value and adversary capabilities. When choosing to implement strict air gaps, precautions should be taken to bypass known air gap system vulnerabilities, including:
- (a) Preventing visual, auditory, and thermal signal transmission between air gap systems and other devices (e.g., maintaining sufficient distance or using vibration damping and/or adequate physical separation).
- (b) Preventing any potential wireless transmission functions in air gap devices.
- © Disabling exposed data ports (e.g., USB, network).
- (d) Using power regulation or isolated circuits.
Requirement: IS-SS-R9 - Perform Regular Isolation Audits
Regularly review the isolation recommendations mentioned above at least once a year as part of routine audits to ensure that there are no configuration gaps or deviations that could compromise the isolation of recovery copies. For sensitive and high-value storage systems, audits may need to be conducted at least quarterly and after major changes, depending on which occurs first. Audit results should be documented.
Requirement: IS-SS-R10 - Consider the Use of Immutable Storage Technologies
Consider the use of immutable storage technologies, which can further isolate and protect recovery data (e.g., retention locks, vault locks, immutability policies).
4.8 (RA) Restoration Assurance
- This section focuses on ârestoration assurance,â ensuring successful recovery in the event of business disruptions, disaster recovery incidents, or cyberattacks.
- Having restoration processes alone is insufficient; organizations also need to ensure that these processes are effective. The effectiveness of restoration can be challenged due to various reasons, including but not limited to system complexity, missing documentation, outdated procedures, human error, inadequate testing, or incorrect configurations.
Requirement: RA-PR-R1 - Verify Restoration Procedures
(a) Restoration procedures should be documented, maintained, and periodically reviewed. They should clearly describe how to restore data from different types of recovery copies.
(b) Organizations should periodically test restoration procedures, with a focus on validating that data can be successfully restored and that the restored data is usable and accurate.
© For recovery from network attacks, organizations should validate that the network attack recovery copies can be restored successfully in an isolated environment, and the restoration process itself should not introduce vulnerabilities.
(d) Restoration procedures should specify how to validate the integrity and authenticity of restored data.
(e) Organizations should maintain a record of restoration tests and outcomes, addressing any issues discovered during testing.
(f) In situations where immutable storage technologies are employed (as mentioned in IS-SS-R10), ensure that restoration procedures include how to verify the immutability of the data and its suitability for restoration.
Requirement: RA-PR-R2 - Assess Restoration Timeframes
(a) Organizations should assess the timeframes required for restoration based on different scenarios, including recovery from network attacks. These assessments should consider the volume of data, complexity of the restoration process, and the specific characteristics of the organizationâs environment.
(b) Based on the assessments, organizations should set restoration time objectives (RTOs) for different data types and scenarios. RTOs should be realistic and achievable.
© Periodically review and update RTOs as the organizationâs data environment evolves.
Requirement: RA-SS-R3 - Availability of All Relevant Software and Hardware Components
All relevant software and hardware components used to operate the system (e.g., drivers, firmware) should be backed up, protected, and available for recovery operations.
Requirement: RA-SS-R4 - Selection of Backup and Data Replication Technologies Should Align with Organizational RTO Requirements
- RTO stands for âRecovery Time Objectiveâ and is used to measure the desired recovery speed.
- The ability to meet the RTO comprehensively should consider all relevant components (such as data recovery, configuration files, encryption keys).
- Balancing the actual speed required for recovery and adjusting all relevant components to achieve the desired recovery speed should also consider the associated costs.
Requirement: RA-SS-R5 - Conduct Regular Recovery Testing to Ensure Meeting RTOs
Regularly perform recovery testing operations to ensure successful completion and compliance with the required timeframes.
Requirement: RA-SS-R6 - Set Recovery Point Objectives (RPOs)
- Set a âRecovery Point Objectiveâ for each data asset, which measures the amount of data loss that can be tolerated in terms of time after a failure occurs.
- The design and implementation of backup and data replication technologies should support data recovery under this objective.
Requirement: RA-SS-R7 - Meet Data Retention and Replication Frequency Requirements for Organizational Data Assets
Determine the âdata retention and replication frequency requirements for each data assetâ (see DP-SS-R1 for more details). The design and implementation of backup and data replication technologies should support these requirements.
Requirement: RA-SS-R8 - Ensure the Health of Remote Copy Backups and Data Replication
- âPeriodically verify the status of backup copies.â
- This includes checking for relevant error logs and ensuring that backup and data replication media are in good condition.
- The verification frequency should align with the sensitivity and value of the protected data but should not be less than once a year.
- Maintaining a sample rate within one to one and a half orders of magnitude lower than the backup frequency, such as verifying daily backups weekly or monthly, can serve as a reliable benchmark.
Requirement: RA-SS-R9 - Separate Data from Applications during Restoration
To avoid restoring infected code or software when restoring data, âdata should be separated from applicationsâ during restoration.
Requirement: RA-SS-R10 - Document Disaster Recovery Plan
A âdisaster recovery plan for storage infrastructureâ must be written, including all resources, mappings to the formal production environment, processes, and testing procedures. Backup of these documents should also be maintained.
Requirement: RA-SS-R11 - Network Security Measures for Data Copies
- For mission-critical information, disaster recovery copies should be âscanned using various anti-malware scanning toolsâ to detect known vulnerabilities and anomalies.
- Ideally, âall copies should be scanned.â If not possible, âat least a subset of copies should be scanned,â and these scanned and secure copies should be documented. Network security tools include antivirus software, anti-malware, vulnerability scanning, and security analysis tools.
Requirement: RA-SS-R12 - Conduct Periodic Audits
- âThe recommendations should be reviewed as part of periodic auditsâ to check the integrity of copies, reassess dependencies, software and hardware requirements, the technical suitability to support recovery speed, Recovery Point Objectives (RPOs), retention periods, health checks, disaster recovery plans, and network security measures.
- Identify and track issues and perform remediation.
- Audit frequency should align with the sensitivity and value of the protected data but should not be less than once a year.
- For sensitive and high-value storage systems, audits may need to be conducted quarterly and after major changes, depending on which occurs first.
- Audit results should be documented.
4.9 Encryption (EN)
Encryption is the process of transforming data from a readable form (plaintext) into an unreadable form that is not easily understood by unauthorized individuals (ciphertext). This ensures that sensitive information remains inaccessible or comprehensible to unauthorized parties.
In storage systems, encryption should be implemented âend-to-end,â including:
- Data at Rest: Data stored in relevant facilities, whether physical or logical (e.g., tapes, disks, optical media), should be encrypted. This includes not only the data itself but also metadata, such as access permissions, labels, paths, and log information.
- Data in Transit: Data transferred between storage elements, whether itâs data read/written by clients, replication between storage devices or pools, or data transmitted over a network, should be encrypted unless the entire communication medium is within a protected environment (e.g., a data center).
- Administrative Access: Connections that allow âconfiguration or controlâ of storage elements, storage networks, and data through standard and proprietary protocols and APIs.
Requirement: EN-SS-R1 - TLS
- To support encrypted communication between storage clients and servers, the âTransport Layer Security (TLS) protocolâ should be used.
- The selection and configuration of the TLS protocol implementation should follow relevant guidelines, including the choice of TLS versions and cryptographic algorithms.
- Guidelines sources include âNIST SP800-52 Rev2â and âSNIA TLS Specification for Storage Systems Version 1.1.â
Requirement: EN-SS-R2 - Avoid Plain Text Protocols such as HTTP
- Plain text protocols are susceptible to eavesdropping, interception, and other attacks because they do not encrypt traffic or login details.
- In sensitive storage environments, âusing HTTP for redirection to HTTPS should not be allowedâ unless itâs only used for handling URLs related to error inputs.
Requirement: EN-SS-R3 - Encryption of Storage Management API Sessions
- Encryption should be applied to all API and CLI client sessions and can be achieved using specific configuration options within âmanagement softwareâ or âAPI/CLI software components.â
Requirement: EN-SS-R4 - Encryption of Administrative Access Sessions
- Administrative sessions using HTTP should be encrypted using âTLS (HTTPS).â
- Command Line Interface (CLI) access should use âSSH for encryptionâ instead of Telnet.
- Authentication during API access should not use plaintext, and the session itself should be encrypted.
Requirement: EN-SS-R5 - Enable FIPS Mode in FIPS Environments
- FIPS 140-3 requires that cryptographic modules should be a combination of hardware, software, firmware, or any combination thereof, used to implement cryptographic functions or processes, including cryptographic algorithms, and optionally key generation, within a defined cryptographic boundary.
- FIPS specifies certain cryptographic algorithms as secure and dictates which algorithms should be used when a cryptographic module is called FIPS-compliant.
- Organizations that comply with FIPS standards should ensure that FIPS mode is enabled in their FIPS-compliant storage infrastructure components.
Requirement: EN-SS-R6 - Static Encryption of Sensitive Data
Static encryption protects data from various data-related risks, including unauthorized access, media loss, or theft. Static encryption should be enabled for sensitive data, considering the following:
- Use Infrastructure Encryption: Utilize built-in encryption features provided by disks, storage arrays, or cloud storage, whether using keys provided by vendors or keys provided by the organization, to protect against threats like device loss, misplacement, or theft. However, this may not protect against:
- Insider Attacks - When an attacker infiltrates a host already associated with storage (or when storage can be mapped to an unauthorized host through legitimate means).
- Privilege Escalation Attacks - Where administrators or attackers with high privileges may turn off encryption or decrypt data.
- Use End-to-End Encryption: Data is encrypted at its source (e.g., applications, databases, volumes), and only ciphertext is presented to storage infrastructure and administrators. This significantly enhances security but may come with considerable costs:
- Data Reduction Mechanisms Are Affected - For instance, compression and deduplication may become inefficient.
- Management Becomes More Complex.
- Use Dual Independent-Layer Encryption Where Possible: Consider using dual independent-layer encryption for stored sensitive data. This configuration enhances resilience if keys are compromised, especially when different encryption services are used.
- Consider Data Retention Requirements: If âencrypted data is backed up or archived,â related keys should be protected, and the protection duration should match that of the data. Alternatively, backup data should regenerate new keys. In either case, âdata and encryption keys should not be kept together.â
Requirement: EN-SS-R7 - Data Encryption in Transit
- (a) Block Transfers on Fibre-Channel: While Fibre-Channel link encryption is defined in ANSI/INCITS 545-2019 standards, most Host Bus Adapters (HBAs) and storage vendors do not currently support it. For sensitive information, âend-to-end encryption (host to storage)â should be used.
- (b) Block Transfers on IP: IP storage traffic faces the same security risks as regular IP networks. By default, IP block transfer protocols do not provide data confidentiality, integrity, or authentication for each data packet. Similar to link encryption, although there are technical specifications for encrypting IP storage traffic, current technologies do not natively support it. When using IP block transfer protocols (e.g., iSCSI, FCIP, proprietary protocols), consider using âIPsec tunnels to protect segments exposed on the network.â Additionally, for sensitive information, âend-to-end encryption (host to storage)â should be used.
- © File and Object Storage Access: Data encryption should be enabled for data transfer during backups and remote replication, where supported. For file access, mechanisms like SMB encryption should be used to encrypt sensitive data, or options for NFS encryption provided by cloud service providers, or NFS over TLS using channel encryption (e.g., âstunnelâ). Ensure that object access is done via HTTPS with TLS.
Requirement: EN-SS-R8 - Communication Between Storage System Components Should Be Encrypted
- âInteractions between storage system componentsâ should be reviewed, and available encryption options should be used.
- Encryption should be used to protect communication between âstorage nodes and managers,â active storage nodes and witness devices, and with policy servers and antivirus servers.
Requirement: EN-SS-R9 - Encryption Key Management Requirements
- Follow general recommendations for key management outlined in âNIST SP 800-57â parts 1-3, especially focusing on:
- Key Lifetimes.
- Maximum Data That Keys Can Protect.
- Key Management Infrastructure.
- Key Regeneration.
- Auditing.
- Key Backup and Recovery.
4.10 (AA) Administrative Access
- This section focuses on
administrative access
to storage elements, including arrays, networks and architectures, management tools, backups, replication, and cloud storage, among others. - Administrative access can be achieved either by
directly connecting to storage components
or throughmanagement software
. Both of these connection methods can use different interfaces, including graphical user interfaces (UIs), command-line interfaces (CLIs), and application programming interfaces (APIs).
Some of the recommendations in this chapter overlap with aspects related to administrative access. To avoid duplication, additional relevant recommendations can be found in the following two sections:
- In the previous section 4.9 Encryption, there are recommendations related to encryption.
- In the previous section 4.3 Authentication and Data Access Control, there are recommendations related to data access control, some of which may also apply to administrative access.
This section provides security guidelines for configuring administrative access, and the key points are summarized below:
Requirement: AA-SS-R1 - Limit Network Access to SAN Switch Management Ports
- Limit network access to
SAN switch management ports
to specifically assigned devices and administrators using mechanisms like access control lists (ACLs).
Requirement: AA-SS-R2 - Control and Minimize Components with Administrative Privileges
This includes CLI servers, management consoles, API gateways, witness hosts, and storage devices with control privileges. Specifically:
(a) Actively identify components with storage management privileges and ensure that only authorized components have these privileges. If unnecessary components are identified, they should be immediately removed and reported.
(b) Remove unnecessary permissions and capabilities from authorized devices.
Requirement: AA-SS-R3 - Implement the Principle of Least Privilege
- Restrict the privileges of users with administrative access to the minimum necessary.
- This includes limiting the minimum actions users can perform and restricting the scope of these privileges to cover only relevant systems or areas.
- Full administrative privileges should only be granted to users who require them.
Requirement: AA-SS-R4 - Restrict Access for Service Accounts
- Service accounts (e.g., accounts used by monitoring tools) should be restricted to read-only and metadata-only access.
Requirement: AA-SS-R5 - Authenticate and Authorize All CLI/API Access
- Authentication and authorization should be applied to CLI/API usage.
- If authentication and authorization are not possible, additional security measures should be in place to protect unauthorized access, such as using privilege management tools to limit control to the minimum necessary commands and objects.
Requirement: AA-SS-R6 â Prefer API Access Control Over CLI/Shell Access
- API access control should be prioritized, as CLI/shell access has the capability to access the operating system and file system, including configuration files.
- If CLI/shell access is the only option, it should be used over secure protocols like SSH.
Requirement: AA-SS-R7 â Restrict Operating System Privileges for Management Consoles
- Access to management consoles should only be provided through specified storage accounts and not use operating system management accounts (see also AC-SS-R20).
Requirement: AA-SS-R8 â Secure Web-Based User Interfaces for Management Console Access
- Web services providing access to the management console should be hardened to meet or exceed the minimum standards of other web application servers within the organization.
Requirement: AA-SS-R9 â Limit Host Storage Control Privileges
- In certain shared data compute cluster configurations (e.g., clusters, geoclusters, scale sets, or storage virtualization infrastructure), hosts are granted management privileges over storage to control the allocation and behavior of shared cluster data resources.
- When this management access is required, the scope and privileges granted to hosts should be limited to specific elements (e.g., LUNs, shares, files, objects) that the hosts need to control and specific operations they need to perform.
Requirement: AA-SS-R10 â Command Device or Gateway Configuration
Some storage arrays allow hosts to have control over special block devices (referred to as âcommand devicesâ and âgatewaysâ) that provide access to specific block devices. When used, the following security guidelines are recommended:
(a) Limit the use of control devices: If feasible, eliminate the use of these devices entirely (e.g., switch to API access). If elimination is not possible, ensure that they are mapped only to necessary hosts (e.g., management hosts).
(b) Scan control devices: Conduct network scans to discover control devices and ensure they are only mapped to necessary and authorized hosts.
Requirement: AA-SS-R11 â Disable or Restrict Call Home or Remote Access
Call home or remote access is typically used for collecting telemetry and diagnostic data for manufacturer analysis and resolution of technical issues, as well as for automatic software updates. However, these features can also become targets for hacking, so they should be disabled if not needed
and restricted and controlled if required
.
(a) Modify default credentials: Change the default credentials for remote connections.
(b) Limit privileges: Grant only the minimum necessary privileges.
© Enforce encryption: Use secure protocols like TLS/SSH/IPsec and FIPS-approved encryption algorithms.
(d) Use an allow list to restrict access: Use an allow list to restrict access to specific IPs and users.
(e) Maintain complete logs of remote access: For audit purposes, all remote access should be fully logged.
(f) Enable built-in data obfuscation features: For storage devices that allow obfuscation of sensitive data (such as IP addresses, WWNs, device names, and usernames), this feature should be enabled.
(g) Limit the scope of data sent: Limit the scope of data sent to the minimum required.
(h) Regularly review and approve: Regularly review data sent to vendors either periodically or automatically, ensuring that it does not contain sensitive information like IP addresses, usernames, or actual storage device content. Also, review to ensure that connections go to valid vendor IP addresses.
(i) Authorize each connection: If possible, implement a mechanism that requests permission before allowing each connection.
(j) Limit access to gateway systems: Special attention should be paid to protecting and restricting access to gateway systems when vendors access them remotely through devices, servers, or appliances.
(k) Disable software updates over vendor remote access links: In sensitive environments, software components and updates should not be allowed to be downloaded and deployed over vendor remote access links (either manually or automatically).
Requirement: AA-SS-R12 - Limit Network Access for Management
- It is recommended to separate management networks from other traffic (see sections 4.6 and 4.7).
- Further enhance access control for management networks, which can be achieved through the following mechanisms:
(a) Virtual Private Networks (VPNs), IPsec, or one or more âjump serversâ: Use VPNs, IPsec, or one or more âjump serversâ or âlogin proxy servers,â which are dedicated servers located in the management network and can only be accessed from outside the network. These servers can be used for connecting to other servers only after proper authentication and authorization.
(b) Enhance logging and tracking capabilities, such as session logging.
Requirement: AA-SS-R13 - Securely Protect Core Storage Management Files and Executables
- Storage management software typically includes
configuration files
used to control the operation of storage systems, including undocumented options. - These sensitive directories and files should have appropriate
access restrictions
andcorrect owners and group memberships
. - This includes the following:
Configuration files
: Record users and roles, network settings, consistency groups, device groups, and other storage options. Configuration files defining consistency and device groups are typically automatically propagated from central management hosts to other hosts connected to managed storage systems. Therefore, if compromised, it could affect multiple systems.Scripts
: Used to control the startup, monitoring, and stopping of storage management services and daemons, as well as their own executables. These scripts and other critical management-related files should be securely protected.
- Controls for configuration files, scripts, and other critical management-related files should include:
(a)Restrictions on access and permissions
, and control of ownership of key directories and files.
(b) For sensitive environments, considermonitoring changes to the contents of these files
to prevent unauthorized alterations.
Requirement: AA-SS-R14 - Use Approved PKI Mechanisms for Administrative Access
- For storage device management and storage management consoles, it is recommended to use
organization-approved and certified centralized PKI systems
rather than self-signed certificates from devices or software.
4.11 (CM) Configuration Management
The purpose of configuration management is to provide visibility and control over the configuration, behavior, and physical and logical attributes of the entire storage device throughout its lifecycle. In the context of storage security, this includes the following:
- Maintaining a comprehensive and real-time inventory, managing changes, and ensuring that configurations continuously adhere to the organizationâs security baseline and current industry best practices, while also ensuring they are not vulnerable to known risks.
To achieve this goal, appropriate controls, policies, processes, and tools are required. A comprehensive guide to IT configuration management can be referenced in NIST Special Publication (SP) 800-53
[28]. The following paragraphs contain recommendations applicable to storage infrastructure.
Requirement: CM-SS-R1 - Establish a Comprehensive Inventory of Storage Devices
- Arrays
- Storage virtualization systems
- Management consoles
- Hosts monitoring storage remote network connectivity status (e.g., Witness hosts)
- Hosts with storage management software or plugins installed
- Data protection appliances
- Backup clients and servers
- Storage network switches
- Storage adapters or Host Bus Adapters (HBAs)
- I/O multipathing software
- Pairing of primary storage systems and (replica) target storage systems
- Designated host backup servers or off-site backup situations
- Tape libraries and tape drives
- Disk drives and removable media
Requirement: CM-SS-R2 - Establish a Comprehensive Inventory of Data and Configuration Assets
- Storage pools, LUNs, masking, and partitions
- Initiators and initiator groups
- File shares and Access Control Lists (ACLs)
- Object storage pools, buckets, etc.
- Backup replicas and snapshots
- Backup catalogs and access permissions
- Backup sets (local, archive, cloud virtualization, tape, archival devices, etc.)
- Users, groups, roles, and permissions
- Host access configurations to storage assets (e.g., LUNs, file shares, global file systems, object storage)
- Images of storage software, virtual devices, etc.
Requirement: CM-SS-R3 - Create a Comprehensive Storage Security Policy
- A storage security policy can be a standalone policy or part of the organizationâs security policy.
- The policy should be based on the following sources:
- Recommendations from this publication and cited sources.
- Internal organization-specific storage-related security standards.
- Best security practices from relevant vendors.
Requirement: CM-SS-R4 - Maintain Updates to the Storage Security Policy
- The storage security policy should be reviewed and updated regularly (at least annually).
- Security baselines should be updated based on the latest vendor and industry recommendations for available storage systems and/or specific storage devices (preferably quarterly and at least annually).
Requirement: CM-SS-R5 - Regularly Assess the Configuration Compliance of the Storage Security Policy
- (a) Ensure that the actual configuration complies with the storage security baseline and identify gaps.
- (b) Timely address and remediate identified gaps.
- © Consider defining key performance indicators (KPIs) for storage security baseline compliance based on data types, organizational functions, and sensitivity.
Requirement: CM-SS-R6 - Create a Storage Change Management Process
- This can be a dedicated process or part of the organizationâs general change management process.
- Covers:
- (a) Planning, reviewing, and approving storage configuration changes.
- (b) Updating environmental documentation and inventory (e.g., infrastructure, data, configurations).
- © Evaluating compliance after any changes to sensitive storage environments.
Requirement: CM-SS-R7 - Detect Unauthorized Storage Security Changes
- Establish a process to detect unauthorized changes to storage configurations, which can be done using log records, comparing configuration storage assets with past states, or comparing with organization-approved baselines.
Requirement: CM-SS-R8 - Software Updates and Patches
(a) Ensure updates to storage software versions: Establish a process for regularly updating storage software to the latest stable and secure versions. This includes managing software, API and CLI suites, array and HBA firmware versions, and operating system driver software.
(b) Install critical security updates and patches: Establish a proactive and frequent process for installing important and emergency storage security patches.
© Mitigation plans for unobtainable patches - If certain storage components have critical vulnerabilities, and updates or patches are not provided by the vendor, suspend the use of these components unless an appropriate mitigation plan can be defined.
Requirement: CM-SS-R9 - Network Topology Documentation
Keep storage-related network documentation up to date, including drawings of both Fibre Channel (FC) and IP.
Requirement: CM-SS-R10 - Review FC SAN Security Configurations
Over time, certain security changes may not reliably propagate throughout the entire Fibre Channel (FC) fabric.
- Regularly review FC SAN (similar to IP and Ethernet networks) to assess its security, identify and prioritize vulnerabilities, and define improvement plans.
- Security audits should be conducted at least annually and, in sensitive environments, at least quarterly or after any major changes - whichever comes first.
- Audit results should be documented.
4.12 (ST) Storage Security Training
Requirement: ST-SS-R1 - Storage Security Training Plan
A storage security training plan should be developed and incorporated into existing organizational training activities and schedules to meet the following target audiences:
- Information security professionals: Provide them with fundamental knowledge of storage security.
- Storage administrators: Familiarize them with storage security principles, as well as the organizationâs policies and security baselines.
- Managers: Understand the fundamental principles of data protection.