Email this Article Email   

CHIPS Articles: NIST Releases Security Guidelines for Storage Infrastructure – an often overlooked component of IT Security

NIST Releases Security Guidelines for Storage Infrastructure – an often overlooked component of IT Security
By CHIPS Magazine - July 22, 2020
Storage infrastructure—along with compute (encompassing OS and host hardware) and network infrastructures—is one of the three fundamental pillars of information technology. However, compared to its counterparts, it has received relatively limited attention when it comes to security, even though data compromise can have as much negative impact on an enterprise as security breaches in compute and network infrastructures.

Storage technology, just like its computing and networking counterparts, continues to evolve from traditional storage service types, such as block, file, and object. Specifically, the evolution has taken two directions: one along the path of increasing storage media capacity (e.g., tape, hard disk drive (HDD), solid state drive (SDD)). The other follows along the architectural front, starting from direct attached storage (DAS) to the placement of storage resources in dedicated networks accessed through various interfaces and protocols to cloud-based storage resource access, which provides a software-based abstraction over all forms of background storage technologies, the National Institute of Standards and Technology explained.

The evolution adds an increase in management complexity, which subsequently increases the probability of configuration errors and associated security threats. NIST Draft Special Publication (SP) 800-209, Security Guidelines for Storage Infrastructure, provides an overview of the evolution of the storage technology landscape, current security threats, and the resultant risks. The main focus of this document is to provide a comprehensive set of security recommendations that will address the threats.

The security focus areas covered in this document not only span those that are common to the entire IT infrastructure—such as physical security, authentication and authorization, change management, configuration control, and incident response and recovery—but also those that are specific to storage infrastructure, such as data protection, isolation, restoration assurance, and data encryption, NIST wrote.

Comments are due Aug. 31, 2020; please email comments to: sp800-209-comments@nist.gov

Publication:
SP 800-209 (Draft) (DOI)
NIST Download

Related CHIPS Articles
Related DON CIO News
Related DON CIO Policy

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988
Hyperlink Disclaimer