What is ISO 27040
Published in January 2015, ISO / IEC 27040:2015 offers comprehensive technical guidance on how organisations should identify an acceptable level of risk reduction through a well-proven, consistent approach to data storage security preparation, design, documentation and implementation.
It aims to illustrate common risks related to the security, honesty, and availability of data on different information storage technologies. ISO 27040 also urges organisations to reinforce their protection of sensitive information with adequate information security controls. The norm also helps enhance assurance by encouraging, for example, assessments or audits of information security measures protecting stored information.
What is storage security?
Storage security refers to the protection of data where it is stored. Storage security also relates to the defence of the transmission of information through communication links connected with the storage. Security storage includes:
- Device and media security
- Protection of devices and media management practises
- Application and service security
- Security related to end-users during the lifespan of devices and media and after use
Data protection is a collection of parameters and settings that make data resources accessible and inaccessible to other entities to approved users and trusted networks. These can refer to hardware, programming, communications protocols, and organisational policy.
There are a few issues that are critical when considering a storage area network (SAN) security process. Stored data must be readily available to authorised individuals, entities and organisations. It must also be challenging for possible hackers to exploit the system. The infrastructure must be reliable and stable across different environments and usage volumes. Online threats like viruses, worms, trojans, and other malicious code should always be safeguarded. Sensitive information must be secured. Unnecessary systems should be removed to eliminate possible security gaps. The application provider should routinely install updates to the operating system. Duplication in the form of equivalent (or mirrored) storage media can help avoid catastrophic loss of data if an unforeseen failure occurs. All users must be aware of the guidelines and policies related to the use of a control network.
Two components may help assess storage security methodology’s performance. First, system implementation expense should be a small fraction of the secured data value. Secondly, it should cost more in terms of money and/or time to breach the system than secured data is worth.
The history of ISO/IEC 27040:2015
ISO / IEC 27040:2015 is the first international specification addressing a wide range of storage security issues. Research started on ISO/IEC 27040 in the autumn of 2010, preceding the SC27 conference that year. The project was put on an extended deadline, providing 48 months to establish the standard. The ISO/IEC 27040 standard was released on 5th January 2015.
ISO/IEC WD 27040
A revision project for ISO 27040 was started in 2020. The project had the following objectives:
- Draw attention to the risks for information in this area
- Help organisations enhance the security of stored data by improving and extending the ISO 27002 guidance
- Assist those responsible for planning, evaluating and auditing information storage security
ISO/IEC 27040:2015 will finally be replaced by ISO/IEC WD 27040. The updated standard would adhere to ISO’s Sustainable Development Goals 9 and 12.
Goal 9 Industry, innovation and infrastructure strives to build a robust infrastructure, fostering inclusive and sustainable growth and promoting innovation. Whereas Goal 12, responsible consumption and production, seeks to create sustainable consumption and patterns of production.
Key concepts of ISO 27040
A significant component of ISO/IEC 27040 standard is focused on defining security controls for various storage systems and architectures. This contains the following:
- Direct Attached Storage (DAS) guidelines.
- Comprehensive coverage of storage network technologies and topologies focusing on Storage Area Networks (SAN) and Network Attached Storage (NAS)
- Identifying the critical security issues and storage recommendations
Block-based storage system protection with Fibre Channel and IP interfaces that go beyond storage network materials
- File-based storage device protection with NFS, SMB/CIFS and pNFS interfaces
- Cloud Storage Protection, OSD and Content Addressable Storage (CAS)
System management guidelines including sanitisation, data confidentiality and data reduction
The bibliography is among the most extensive collections of data security references. Below are the definitions of some core terms for ISO 27040.
In information security, authentication is the act of confirming whether someone or something is actually who or what they claim to be. Authentication verifies a person, process, or device’s identity, sometimes as a prerequisite for accessing resources in an information system.
There are three authentication types:
- Single Factor authentication
- Two Factor authentication
- Multi Factor authentication
Single factor authentication, often called primary authentication, is the simplest method of authentication.
Single factor authentication requires only one authentication mechanism (such as password, security pin, etc.) to obtain access to a system or service. Although these approaches are more accessible, they are often connected to lesser security practices. This is because they can easily be identified or stolen in data breaches, phishing, or keylogging attacks. Two Factor Authentication (2FA) adds additional complexity. 2FA needs a second component to confirm identity. Typical uses include registered computer tokens, One Time Passwords, or PINs.
The mere existence of two user authentication methods dramatically enhances your overall security as 2FA will mitigate 80% of data breaches. Although 2FA’s security benefits are well known, usage is a widespread issue. Since Google first implemented the option to add 2FA to user accounts, less than 10 percent of users have adopted 2FA in 7 years. One of the causes of why they didn’t use 2FA was due to the annoyance it created for users, stating that less than 10% of users that attempted to use 2FA didn’t enter the SMS confirmation code correctly.
Multi-Factor Authentication (MFA) is, by far the most advanced authentication mechanism. It utilises two or more independent variables to allow user access to a system. In standard cases, MFA approaches to use at least 2 or 3 categories:
- Something you know (password or pin)
- Something you have (mobile phone or security token)
- Something you are (fingerprint or facial identification)
- Something you do (typing pace, location, etc.)
Access control and authorisation
Access control is the deliberate limitation of access to a location, website or other resources and assets. Access could involve processing, visiting, or using an asset. Permission to access an asset is referred to as authorisation.
Authorisation is a protection method used to define user/client rights or access levels related to resources, including computer programmes, directories, services, information and program features. Authorisation is usually followed by authentication of user identity.
Self encrypting drives
A SED is a self encrypting hard drive that is a form of hard drive that automatically and continuously encrypts data without user intervention. A self encrypting drive usually has a circuit built into the disc drive controller chip. This chip encodes all data to the magnetic media and automatically decrypts all data again.
Surprisingly, a fair amount of hard drives currently on the market are SEDs. As manufacturers do not consider this to be a significant feature, it’s often lost in other generally more significant aspects. Even when you buy, instal, and begin using a SED drive, the encryption is automatic, so it’s unlikely that the user will realise that the drive is a SED.
This encryption process is achieved by using a unique and random Data Encryption Key (DEK) that the drive requires to encrypt and decrypt the data. When the data is written to the drive, it’s first encrypted by the DEK. Similarly, once information is read on the drive, the DEK decrypts it before it’s sent to the rest of the device.
This process ensures that all the information on the drive’s encrypted throughout all times. One interesting technique that can be accomplished with this is to erase a hard drive almost immediately and entirely. All a user will do is tell the SED to create a new DEK, then all the data on the drive will instantly become gibberish and is virtually unrecoverable. This is due to the key that is required to decrypt the data no longer being available. So if you need to conveniently and securely clear a drive before redeployment or disposal, SEDs provide a fast and reliable means of doing that. This act is called a variety of names based on the manufacturer, but it is most commonly referred to as “Secure Erase.”
Sanitisation is the technical term for ensuring that data left on storage at the end of its use is made unavailable. Sanitisation ensures an organisation does not breach data when reusing, selling, or throwing away storage devices.
Sanitisation can take various forms depending on both information sensitivity and the amount of effort a potential adversary might spend in trying to retrieve data. Methods used in sanitisation vary from simply overwriting, cryptographic key destruction for encrypted files, to physical destruction of the storage device.
Guidance for storage security
The scope of ISO 27040 covers:
- the security of devices and media
- security of management activities related to the tools and the media within it
- and end-users
In addition to this, ISO 27040 covers the security of the information being transferred across the communication links associated with storage.
The standard describes information risks related to data storage, and controls to mitigate the risks.
Design and implementation
Despite the increased capacity of personal computers and departmental workstations, reliance on centralised data centres persists due to data integration needs, data continuity, and data quality. With a significant rise in essential data volumes, many companies have embraced storage-centred frameworks for their ICT infrastructure. Subsequently, storage security plays a vital role in protecting this information and acts as the last line of defence from external and internal threats in many situations.
Storage security solutions design is influenced by critical security concepts when considering data sensitivity, criticality, and cost. Clause 6 of the ISO 27040, Supporting Controls, gives guidance on implementing storage-relevant controls in the built solution.
The advice is further separated into:
- Principles of security storage
- Reliability, availability and resiliency
- Retaining data
The design and implementation concerns also include:
- Encryption and critical management problems
- Align storage policy
- Multi-tenancy security
- Secure autonomous movement of data
Relationship with other standards
As ISO/IEC 27040:2015 provides an overview of storage security concepts, the standard includes guidance on the threat, design, and controls associated with typical storage scenarios and storage technology areas that are complemented by several other ISO standards. Also, it provides references to different standards that address existing practices and techniques that can be applied to storage security.
ISO / IEC 27040 provides security guidelines for storage systems and environments and data protection in these systems. It supports general ISO / IEC 27001 principles. ISO / IEC 27040 also provides clear, comprehensive guidelines on implementation related to storage security for universal security protocols defined in ISO / IEC 27002, to name a few.
Who can implement ISO 27040
ISO 27040 offers guidelines for the implementation of information security technologies within the storage networking industry and advice on the adoption of information assurance to storage systems, as well as on data protection and security concerns.
Although often overlooked, storage protection is important to everyone engaging with data storage devices, media, and networks owning, running, or using. This includes senior managers, storage product and service acquirers, and other non-technical managers or users, as well as managers and administrators who have the individual responsibility for information security or storage security, or who are for the overall information security and security policy implementation. It is also applicable to those involved in planning, designing and implementing storage network security architectural aspects.
This standard’s advocates thought that the information protection dimensions of data storage systems and networks were ignored due to misconceptions and a lack of experience with storage technologies, or a limited knowledge of inherent risks or security principles.
ISO 27040 requirements
ISO 27040 consists of seven short clauses and three annexes. ISO / IEC 27040 developers did not plan for all instructions to be followed, leading to the inclusion of the three Annexes. Relevant sanitisation details are presented in a set of tables in Annex A. Annex B was designed to help organisations select appropriate controls based on data sensitivity (high or low) or security objectives based on the CIA triad.
One of the difficulties of designing ISO / IEC 27040 was that there were two distinct audiences: storage professionals and security professionals. Annex C contains valuable tutorial knowledge for both groups on:
- Authorisation and access controlSelf-encrypting drives (SED)
- N_Port ID Virtualisation (NPIV)
- Fibre Channel Security
- OASIS Key Management Interoperability Protocol (KMIP)
ISO/IEC 27040:2015 controls
- Clause 1: Scope
- Clause 2: Normative references
- Clause 3: Terms and definitions
- Clause 4: Symbols and abbreviated terms
- Clause 5: Overview and concepts
- Clause 6: Supporting controls
- Clause 7: Guidelines for the design and implementation of storage security
ISO/IEC 27040:2015 annex controls
- Annex A: Media sanitisation
- Annex B: Selecting appropriate storage security controls
- Annex C: Important security concepts