1、March 2017 English price group 34No part of this translation may be reproduced without prior permission ofDIN Deutsches Institut fr Normung e. V., Berlin. Beuth Verlag GmbH, 10772 Berlin, Germany,has the exclusive right of sale for German Standards (DIN-Normen).ICS 35.030!%bVc“2635164www.din.deDIN E
2、N ISO/IEC 27040Information technology Security techniques Storage security (ISO/IEC 27040:2015);English version EN ISO/IEC 27040:2016,English translation of DIN EN ISO/IEC 27040:2017-03Informationstechnik ITSicherheitsverfahren Speichersicherheit (ISO/IEC 27040:2015);Englische Fassung EN ISO/IEC 270
3、40:2016,Englische bersetzung von DIN EN ISO/IEC 27040:2017-03Technologie de linformation Techniques de scurit Scurit de stockage (ISO/IEC 27040:2015);Version anglaise EN ISO/IEC 27040:2016,Traduction anglaise de DIN EN ISO/IEC 27040:2017-03www.beuth.deDocument comprises 118 pagesDTranslation by DIN-
4、Sprachendienst.In case of doubt, the German-language original shall be considered authoritative.03.17 DIN EN ISO/IEC 27040:2017-03 2 A comma is used as the decimal marker. National foreword This document (EN ISO/IEC 27040:2016) has been prepared by Technical Committee ISO/IEC JTC 1, Subcommittee SC
5、27 “IT Security techniques” (Secretariat: DIN, Germany). Based on a decision of CEN/BT, ISO/IEC 27040:2015 has been submitted to the Unique Acceptance Procedure (UAP) and taken over as EN ISO/IEC 27040:2016 without any modification. The responsible German body involved in its preparation was DIN-Nor
6、menausschuss Informationstechnik und Anwendungen (DIN Standards Committee Information Technology and selected IT Applications), Working Committee NA 043-01-27-04 AK IT-Sicherheitsmanahmen und Dienste. The DIN Standards corresponding to the International Standards referred to in this document are as
7、follows: ISO/IEC 17788:2014 DIN ISO/IEC 17788:2016-04 ISO/IEC 27000 DIN ISO/IEC 27000*)ISO/IEC 27001:2013 DIN ISO/IEC 27001:2015-03 National Annex NA (informative) Bibliography DIN ISO/IEC 17788, Information technology Cloud computing Overview and vocabulary E DIN ISO/IEC 27000, Information technolo
8、gy Security techniques Information security management systems Overview and vocabulary DIN ISO/IEC 27001, Information technology Security techniques Information security management systems Requirements (ISO/IEC 27001:2013 + Cor. 1:2014) *)In preparation. EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE
9、NORM EN ISO/IEC 27040 August 2016 ICS 35.040 English Version Information technology - Security techniques - Storage security (ISO/IEC 27040:2015) Technologie de linformation - Techniques de scurit - Scurit de stockage (ISO/IEC 27040:2015) Informationstechnik - IT-Sicherheitsverfahren - Speichersiche
10、rheit (ISO/IEC 27040:2015) This European Standard was approved by CEN on 19 June 2016. CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-t
11、o-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member. This European Standard exists in three official versions (English, French, German). A version in any other language mad
12、e by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN and CENELEC members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech
13、Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EURO
14、PEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2016 CEN and CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN and CENELEC national Members. Ref.
15、 No. EN ISO/IEC 27040:2016 E Contents PageEuropean foreword .4Introduction 61 Scope . 72 Normative references 73 Terms and definitions . 74 Symbols and abbreviated terms . 135 Overview and concepts .175.1 General 175.2 Storage concepts . 185.3 Introduction to storage security . 185.4 Storage securit
16、y risks . 205.4.1 Background205.4.2 Data breaches 215.4.3 Data corruption or destruction 225.4.4 Temporary or permanent loss of access/availability 225.4.5 Failure to meet statutory, regulatory, or legal requirements 236 Supporting controls 236.1 General 236.2 Direct Attached Storage (DAS) . 236.3 S
17、torage networking 246.3.1 Background246.3.2 Storage Area Networks (SAN) . 246.3.3 Network Attached Storage (NAS) .296.4 Storage management 306.4.1 Background306.4.2 Authentication and authorization 326.4.3 Secure the management interfaces .336.4.4 Security auditing, accounting, and monitoring 346.4.
18、5 System hardening .366.5 Block-based storage . 376.5.1 Fibre Channel (FC) storage 376.5.2 IP storage . 376.6 File-based storage . 386.6.1 NFS-based NAS .386.6.2 SMB/CIFS-based NAS 396.6.3 Parallel NFS-based NAS . 396.7 Object-based storage 406.7.1 Cloud computing storage . 406.7.2 Object-based Stor
19、age Device (OSD) .416.7.3 Content Addressable Storage (CAS) .426.8 Storage security services . 436.8.1 Data sanitization .436.8.2 Data confidentiality 466.8.3 Data reductions 48DIN EN ISO/IEC 27040:2017-03 EN ISO/IEC 27040:2016 (E) 2Foreword 57 Guidelines for the design and implementation of storage
20、 security .497.1 General 497.2 Storage security design principles 497.2.1 Defence in depth .497.2.2 Security domains 507.2.3 Design resilience .517.2.4 Secure initialization517.3 Data reliability, availability, and resilience 517.3.1 Reliability 517.3.2 Availability527.3.3 Backups and replication .5
21、27.3.4 Disaster Recovery and Business Continuity 537.3.5 Resilience 547.4 Data retention . 547.4.1 Long-term retention 547.4.2 Short to medium-term retention 557.5 Data confidentiality and integrity 567.6 Virtualization . 587.6.1 Storage virtualization .587.6.2 Storage for virtualized systems 597.7
22、Design and implementation considerations 607.7.1 Encryption and key management issues .607.7.2 Align storage and policy .617.7.3 Compliance 617.7.4 Secure multi-tenancy 627.7.5 Secure autonomous data movement .63Annex A (normative) Media sanitization 65Annex B (informative) Selecting appropriate sto
23、rage security controls .81Annex C (informative) Important security concepts .101Bibliography . 114DIN EN ISO/IEC 27040:2017-03 EN ISO/IEC 27040:2016 (E) 3 European foreword The text of ISO/IEC 27040:2015 has been prepared by Technical Committee ISO/IEC JTC 1 “Information technology” of the Internati
24、onal Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and has been taken over as EN ISO/IEC 27040:2016. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest b
25、y February 2017, and conflicting national standards shall be withdrawn at the latest by February 2017. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all suc
26、h patent rights. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Maced
27、onia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of ISO/IEC 27040:2015 has been approved by
28、 CEN as EN ISO/IEC 27040:2016 without any modification. DIN EN ISO/IEC 27040:2017-03 EN ISO/IEC 27040:2016 (E) 4 ForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. Nationa
29、l bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. O
30、ther international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.The procedures used to develop this document and those intende
31、d for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org
32、/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document
33、will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.For an explanation on the meaning of ISO specific terms and expr
34、essions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary informationThe committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27,
35、 Security techniques.DIN EN ISO/IEC 27040:2017-03 EN ISO/IEC 27040:2016 (E) 5 IntroductionMany organizations face the challenge of implementing data protection and security measures to meet a wide range of requirements, including statutory and regulatory compliance. Too often the security associated
36、 with storage systems and infrastructure has been missed because of misconceptions and limited familiarity with the storage technology, or in the case of storage managers and administrators, a limited understanding of the inherent risks or basic security concepts. The net result of this situation is
37、 that digital assets are needlessly placed at risk of compromise due to data breaches, intentional corruption, being held hostage, or other malicious events.Data storage has matured in an environment where security has been a secondary concern due to its historical reliance on isolated connectivity,
38、 specialized technologies, and the physical security of data centres. Even as storage connectivity evolved to use technologies such as storage protocols over Transmission Control Protocol/Internet Protocol (TCP/IP), few users took advantage of either the inherent security mechanisms or the recommend
39、ed security measures.This International Standard provides guidelines for storage security in an organization, supporting in particular the requirements of an Information Security Management System (ISMS) according to ISO/IEC 27001. This International Standard recommends the information security risk
40、 management approach as defined in ISO/IEC 27005. It is up to the organization to define their approach to risk management, depending for example on the scope of the ISMS, context of risk management, or industry sector. A number of existing methodologies can be used under the framework described in
41、this International Standard to implement the requirements of an ISMS.This International Standard is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.The objectives for this In
42、ternational Standard are the following: help draw attention to the risks; assist organizations in better securing their data when stored; provide a basis for auditing, designing, and reviewing storage security controls.It is emphasized that ISO/IEC 27040 provides further detailed implementation guid
43、ance on the storage security controls that are described at a basic standardized level in ISO/IEC 27002.It should be noted that this International Standard is not a reference or normative document for regulatory and legislative security requirements. Although it emphasizes the importance of these in
44、fluences, it cannot state them specifically, since they are dependent on the country, the type of business, etc.DIN EN ISO/IEC 27040:2017-03 EN ISO/IEC 27040:2016 (E) 6 1 ScopeThis International Standard provides detailed technical guidance on how organizations can define an appropriate level of ris
45、k mitigation by employing a well-proven and consistent approach to the planning, design, documentation, and implementation of data storage security. Storage security applies to the protection (security) of information where it is stored and to the security of the information being transferred across
46、 the communication links associated with storage. Storage security includes the security of devices and media, the security of management activities related to the devices and media, the security of applications and services, and security relevant to end-users during the lifetime of devices and medi
47、a and after end of use.Storage security is relevant to anyone involved in owning, operating, or using data storage devices, media, and networks. This includes senior managers, acquirers of storage product and service, and other non-technical managers or users, in addition to managers and administrat
48、ors who have specific responsibilities for information security or storage security, storage operation, or who are responsible for an organizations overall security program and security policy development. It is also relevant to anyone involved in the planning, design, and implementation of the architectural aspects of storage network security.This International Standard provides an overview of storage security concepts and related definitions. It
