Distributed storage systems (DSS) in the presence of a passive eavesdropper are considered in this paper. A typical DSS is characterized by 3 parameters (n, k, d) where, a file is stored in a distributed manner across n nodes and can be recovered entirely from any k out of n nodes. Whenever a node fails, d 2 [k, n) nodes help in repairing the failed node. The focus of this work is on the exact repair capabilities of a DSS, where a failed node is replaced with an identical node. Securing this DSS from passive eavesdropping attacks is studied in this paper. The eavesdropper is capable of wiretapping the repair process of a subset of nodes in the storage system. The main contribution of this paper is the optimal characterization of the secure storage-vs-exact-repair-bandwidth tradeoff region which prior to this work was unknown. We focus on the simplest nontrivial instances of this problem, namely (n, k, d) = (3,2,2) and (4,3,3), and present novel information-theoretic converse proofs that validate these optimal tradeoff regions.