Detailed introduction to data storage security of DSMM

Definition

Data storage security is a part of data center security and organizational security, which is important for data security This stage is also a process involving data integrity, confidentiality and availability, so the importance of this stage is self-evident. This process includes three process areas, namely: storage media security, logical storage security, and data backup and recovery.

Storage media security

The official description is to provide effective technology for scenarios in which organizations need to access and use data storage media. and management methods to prevent the risk of data leakage that may be caused by improper use of media.

Data is stored on media, such as physical media (disks, hard disks), virtual storage media (containers, virtual disks), etc. Improper use of media can easily lead to data leakage risks. This security domain is more Pay attention to data protection at the physical security level.

The DSMM standard requires the following at the fully defined level:

Organizational construction:

The organization establishes positions and personnel who are uniformly responsible for the use and management of storage media.

The requirements of DSMM are almost the same. Each process area needs to designate a person and a special post to be responsible for the work and be competent for this work. In actual work, all process areas may have the same one or more people in this dimension, who can be appointed individually or explained in the corresponding system chapter.

System process:

Develop security policies and management specifications for storage media access and use, and establish an approval and recording process for media use.

Establish a standardized process for purchasing or storing media, requiring purchasing or obtaining storage media through trusted channels, and establishing standard storage media purification procedures for all types of storage media.

Mark the storage media to clarify the data objects stored in the media.

Conduct routine and random inspection procedures on storage media to ensure that storage media is used in compliance with agency-published specifications for media use.

Technical tools:

Organizations adopt effective media purification tools to purify storage media.

Record and audit media access and usage behaviors.

Personnel capabilities:

The personnel responsible for this work are familiar with the relevant compliance requirements for the use of media, are familiar with the differences in access and use of different storage media, and can take the initiative to Policy changes update management requirements.

#The following are the specific contents that should be paid attention to during the storage media security process.

1. Clarify the scenarios in which organizations access and use data storage media, establish storage media security management regulations/standards, and clearly define storage media and classifications. Common storage media are tapes, disks, optical disks, and memory. etc., determine the requirements for data storage media based on data classification and grading content.

2. Clarify the procurement and approval requirements for storage media, establish trustworthy channels, and ensure the reliability of storage media.

3. Mark the storage media, such as classification (can be classified according to type, material, etc.), label (label the storage media to clarify the content, ownership, size, storage period, and confidentiality of the stored data) degree, etc.).

4. Clarify the storage environment management requirements for media, which mainly include storage area location, dust-proof, moisture-proof, anti-static, anti-theft, classification marking, entry and exit registration, etc.

5. Clarify the specifications for the use of storage media, including a series of access control requirements such as application forms and registration forms, as well as data cleaning (permanent deletion, temporary deletion, etc.) and destruction and scrapping (destruction methods, destruction records) requirements.

6. Clarify storage media testing and maintenance specifications, including testing the performance, reliability and capacity of storage hardware, as well as how to return to the factory, operator, time and location, etc.

7. Clarify routine and random review requirements, and regularly check storage media to prevent information loss.

A simple summary is that there is a dedicated person responsible for media security and is familiar with the relevant compliance requirements for media use. Establishing system specifications includes the approval and recording process for the use of media, trusted channels for purchase and related procedures for initialization (purification), classification and marking of storage media, regular inspections of storage media, etc. Provide related tools that can purify media and record audit tools for accessing and using media.

Logical storage security

The official description is based on the internal business characteristics and data storage security requirements of the organization, establishing logical storage and storage containers for data and effective security controls for the architecture.

Security requirements for storage containers and storage architecture, such as authentication, access control, log management, communication evidence, file anti-virus and other security configurations, as well as security configuration policies, to ensure data storage security.

The DSMM standard requires the following at the fully defined level:

Organizational construction:

At the organizational structure level, establish a unified position responsible for data logical storage security management and Personnel is responsible for clarifying the overall data logic storage system security management requirements and promoting the implementation of relevant requirements.

Clear the security administrator of each data logical storage system, who is responsible for the security management and operation and maintenance of data logical storage systems and storage devices.

System process:

Establish data logical storage management security specifications and configuration rules, and clarify account permission management, access control, log management, and encryption of various data storage systems Management, version upgrade, etc. requirements.

The internal data storage system should follow the unified configuration requirements for effective security configuration before going online, and the external data storage system used should also be effectively configured for security.

Clear data logical storage isolation authorization and operation specifications to ensure multi-tenant data storage security isolation capabilities.

Technical Tools:

Provides data storage system configuration scanning tools to regularly scan the security configuration of major data storage systems to ensure compliance with security baseline requirements.

Use technical tools to monitor the data usage standardization of the logical storage system to ensure that data storage complies with the relevant security policy requirements of the organization.

Have the ability to encrypt and store sensitive data such as personal information and important data.

Personnel capabilities:

The personnel responsible for this work are familiar with the data storage system architecture and can analyze the security risks faced by data storage, so as to ensure the security of all aspects. Effective security protection for class storage systems.

The following are the specific contents that should be focused on during the logical storage security management stage:

1. Define logical storage systems and devices, and establish logical data storage Manage security specifications/systems and configuration rules, and clarify security requirements for account management, authentication, authority management, log management, encryption management, version upgrades, etc. of various data storage systems

2. Clarify the security requirements of data storage systems Architecture design and security requirements, propose recommended security architecture designs, and avoid common architecture designs with security risks.

3. Clarify the security configuration requirements of the data storage system before going online and carry out unified and effective security configuration. At the same time, use configuration scanning tools and vulnerability scanning systems to regularly scan the data storage system to ensure that it meets the security baseline requirements. .

4. Establish data logical storage isolation authorization and operation specifications to ensure safe isolation of multi-tenant data storage and avoid unauthorized access and modification of data between users.

5. Establish safety management specifications and operating procedures for data storage systems and equipment, including but not limited to standard operating procedures, maintenance operating procedures, emergency operating procedures, etc.

6. Collect and analyze the log records of the data storage system, identify accounts and access rights, monitor the standardization and rationality of data use, and analyze and trace the source of security incidents that occur.

A simple summary is that there is a dedicated person and post responsible for unified logical storage security management, and at the same time, they must be familiar with the logical storage security architecture and related operation and maintenance work. Establish data logical storage security management specifications, including requirements for authentication and authorization, account and permission management, log management, encrypted storage management, version upgrades, unified security configuration before going online, and data isolation. Provide relevant tools for configuration scanning and vulnerability scanning, monitoring of data usage standardization, and tools or technologies for encrypting important data.

Data backup and recovery

The official description is to achieve redundant management and protection of stored data by performing regular data backup and recovery. Data availability.

Backup and recovery are to improve the high availability and disaster recoverability of the information system. When the database system crashes, the data cannot be found without database backup. Ensuring data availability is the basis of data security.

The DSMM standard requires the following at the fully defined level:

Organizational construction:

Clarifies the person responsible for unified data backup and recovery management of the organization Positions and personnel are responsible for establishing corresponding systems and processes and deploying relevant safety measures.

System process:

Establish strategies and management systems for data backup and recovery to meet security objectives such as data service reliability and availability.

Establish an operation process for data backup and recovery, and clearly define the scope, frequency, tools, processes, log recording specifications, data storage duration, etc. of data backup and recovery.

Establish regular inspection and update procedures for data backup and recovery, including the update frequency and retention period of data copies, to ensure the validity of data copies or backup data.

Based on the data life cycle and business specifications, establish operating procedures for data archiving and storage at different stages.

Establish a compression or encryption policy for archived data to ensure effective utilization and safe access of archived data storage space.

Establish security policies and control measures for archived data to ensure that unauthorized users cannot access archived data.

Identify the domestic and foreign legal and regulatory requirements applicable to the organization, and ensure that relevant data is recorded and preserved in accordance with legal provisions and regulatory requirements.

Develop data storage timeliness management strategies and procedures, clarify the validity period of data sharing, storage, use and removal, the data processing process when the validity period expires, and the security management strategy for the security of expired stored data.

Establish a security protection mechanism for expired stored data, and have the ability to obtain authorization from the data controller again for stored data that has exceeded its validity period.

Technical tools:

Establish unified technical tools for data backup and recovery, and solidify specific backup strategies into the tools to ensure the automated execution of related work.

Establish technical means for backup and archive data security, including but not limited to access control, compression or encryption management, integrity and availability management of backup and archive data, to ensure the security of backup and archive data, Efficient utilization of storage space and secure access.

Regularly take necessary technical measures to check the integrity and availability of backup and archive data.

Establish methods and mechanisms for complete deletion or anonymization of expired stored data and its backup data, which can verify that the data has been completely eliminated, irrecoverable or cannot be identified as an individual, and inform data controllers and data users.

Use risk reminders and technical means to avoid accidental deletion of non-expired data and ensure that accidentally deleted data within a certain time window can be manually restored.

Ensure that the storage architecture has the capability of fault-tolerant deployment of data storage across cabinets or across computer rooms.

Personnel capabilities:

The personnel responsible for this work understand the performance of data backup media and the business characteristics of related data, and can determine effective data backup and recovery mechanisms.

The personnel responsible for this work fully understand the compliance requirements related to data storage timeliness, and have the ability to interpret retention compliance requirements based on business scenarios and formulate implementation plans.

The following are the specific contents that should be paid attention to during the data backup and recovery stage:

1. Establish a data backup and recovery strategy and management system, To ensure the reliability and availability of data services.

2. Establish operating procedures for data backup and recovery, and clearly define the scope, frequency, tools, processes, log recording specifications, data storage duration, etc. of data backup and recovery.

3. Clarify the regular inspection and update requirements for data backup and recovery, such as the update frequency and retention period of data copies, etc., to ensure the validity of data copies or backup data, etc.

4. Establish compression, integrity verification and encryption policy requirements for backup data to ensure effective utilization and safe access of backup data storage space.

5. Identify the domestic and foreign legal and regulatory requirements applicable to the organization, and combine it with its own business needs to ensure that relevant data is recorded and saved in accordance with legal regulations and regulatory department requirements and meets the backup and storage cycle requirements.

6. Establish a unified, automated backup and recovery tool.

7. Adopt secure data management methods for backup data, including but not limited to access control, compression or encryption management, integrity and availability management of backup data.

A simple summary is that there is a dedicated person responsible for data backup and recovery, who also has the ability to understand the data backup operation business process and meet relevant compliance requirements. Develop a security management system and operating specifications for data backup and recovery, including backup scope, frequency, tools, processes, log records, storage duration, recovery testing process, access permission settings, validity period protection, off-site disaster recovery, etc. Provide automated tools for data backup and recovery, as well as tools and technical means for data encryption and integrity verification.

Summary:

The data storage security of DSMM is actually to ensure the storage security of data at the physical level and logical level. The main goal is to achieve data encryption and integrity. and high availability to achieve data storage security from dynamic to static.

Although many systems and technical tools are described separately in the article, they may be mixed together in actual work. At the same time, many specific implementation parts are not only applied in one process area or one life cycle stage. It can even be applied throughout the entire life cycle. For example, it requires encrypted storage and integrity verification of important or sensitive data, which is applicable at all stages of the life cycle. For most units, this work is generally the responsibility of operation and maintenance personnel.

As a security personnel, I think that in terms of data storage security, it is more about cooperating with operation and maintenance colleagues, and we can improve and improve on the existing basis. Whether it is in terms of system specifications, tool technology, or personnel, it must not only meet the relevant requirements of DSMM, but also be integrated with the work of operation and maintenance personnel, otherwise it will not be implemented well. At this stage, the role of security personnel is to put forward requirements and provide security capability support, so that relevant operation and maintenance colleagues can cooperate to complete the tasks.

Recommended related articles and tutorials: Web server security tutorial

The above is the detailed content of Detailed introduction to data storage security of DSMM. For more information, please follow other related articles on the PHP Chinese website!