
NIST Releases Security Guidelines for Storage Infrastructure

Cyber Law and Data Protection Alert | October 28, 2020
By: Joshua A. Mooney

Storage infrastructure, along with computing and network infrastructures, represents one of the fundamental pillars of Information Technology (IT). Just like computing and networking, the storage infrastructure landscape is comprised of a mixture of legacy and advanced systems. The National Institute of Standards and Technology (NIST) has now released Special Publication (SP) 800-209, Security Guidelines for Storage Infrastructure, which provides comprehensive security recommendations for storage infrastructures. According to NIST, the publication’s security focus covers both those measures that are common to IT infrastructure – such as physical security, authentication and authorization, configuration control, and incident response – and those that are specific to storage infrastructure.

Recognizing that storage technology has evolved in “two directions,” one involving increased storage media capacity (e.g., tape, hard disk drives, solid-state drives (SSD)) and the other involving architectural changes including cloud-based storage resource access, the publication “provides an overview of the evolution of the storage technology landscape, current security threats, and the resultant risks.” The description of the current landscape includes traditional storage services (like block, file, and object storage), storage virtualization, storage architectures designed for virtualized server environments, and storage resources hosted in the cloud. According to NIST, “various threats to the storage resources are also included, as well as an analysis of the risks to storage infrastructure and the impacts of these threats.”

According to NIST, the publication’s “main focus” is “to provide a comprehensive set of security recommendations for the current landscape of the storage infrastructure.” Security controls that are specific to storage technologies, such as network-attached storage (NAS) and storage area networks (SAN), are discussed, as are security recommendations specific to storage technologies in data protection, isolation, restoration assurance, and encryption.

If you have questions or would like further information, please contact Joshua Mooney (215.864.6345).

This correspondence should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult a lawyer concerning your own situation and legal questions.