From NIST: Security Guidelines for Storage Infrastructure SP 800-209 Draft Document

From Ramaswamy Chandramouli, NIST, and Doron Pinhas, Continuity Software.

Storage infrastructure-along with compute (encompassing OS and host hardware) and network infrastructures-is one of the 3 fundamental pillars of IT. However, compared to its counterparts, it has received relatively limited attention when it comes to security, even though data compromise can have as much negative impact on an enterprise as security breaches in compute and network infrastructures.

In order to address this gap, NIST is releasing Draft Special Publication (SP) 800-209, Security Guidelines for Storage Infrastructure, which includes security recommendations for storage infrastructures. The security focus areas covered in this document span those that are common to the entire IT infrastructure, such as physical security, authentication and authorization, change management, configuration control, and incident response and recovery, and also those that are specific to storage infrastructure, such as data protection, isolation, restoration assurance, and data encryption.

Note: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL Publications.

Abstract: “Storage technology, just like its computing and networking counterparts, has evolved from traditional storage service types, such as block, file, and object. Specifically, the evolution has taken two directions: one along the path of increasing storage media capacity (e.g., tape, HDD, SSD) and the other along the architectural front, starting from DAS to the placement of storage resources in dedicated networks accessed through various interfaces and protocols to cloud-based storage resource access, which provides a software-based abstraction over all forms of background storage technologies. Accompanying the evolution is the increase in management complexity, which subsequently increases the probability of configuration errors and associated security threats. This document provides an overview of the evolution of the storage technology landscape, current security threats, and the resultant risks. The main focus of this document is to provide a comprehensive set of security recommendations that will address the threats. The recommendations span not only security management areas that are common to an information technology (IT) infrastructure (e.g., physical security, authentication and authorization, change management, configuration control, and incident response and recovery) but also those specific to storage infrastructure (e.g., data protection, isolation, restoration assurance, ad encryption). “

Resource:
Draft Special Publication 800-209 – Guidelines for Storage Infrastructure (PDF)