QuantaStor SDS Security Standard Compliance with NIST 800-171

Improving data storage security has become an important aspect of IT strategy for nearly every organization, and with tightening federal security standards and increasing data breaches, there is now more of a push than ever to safeguard data. With the latest release, QuantaStor SDS is now NIST 800-171 compliant. In addition, OSNEXUS complies with government security standards including FIPS, HIPAA, CJIS, and GDPR to keep data as secure as possible, especially when vulnerable industries such as healthcare, finance, and government organizations are involved.

Industries of all types leverage IT standards developed by government agencies that keep data safe and standardize processes involving data management. One of these organizations is the National Institute of Standards and Technology (NIST) that is a non-regulatory agency of the US Department of Commerce and a measurement standards laboratory. Part of NIST’s mission is to develop information security standards and guidelines. Recently, a new data standard was developed called NIST 800-171.

NIST 800-171 outlines the protection of Controlled Unclassified Information (CUI) residing in nonfederal information systems and organizations by providing federal agencies with recommended requirements for protecting the confidentiality of CUI in three categories. The requirements apply to all components of nonfederal information systems that process, store, or transmit CUI or provide security protection for such components.

Below is an in-depth look at how QuantaStor complies with the newest NIST requirements.

NIST 800-171 Requirement Highlights

Access Control: QuantaStor’s advanced Role-Based Access Control (RBAC) system ensures that only authorized users and processes have access to operations based on the rule of least privilege. Each operation has an associated permission so there is a high level of granularity in the controls to system access. Resource Groups scope the set of resources for specific groups or departments to make enforcement of the principle of least privilege easy. QuantaStor defaults to logging users out after 15 minutes of inactivity to prevent unauthorized access. (Figures 1 and 2)


Authorization diagram

Figure 1: The authorization default in QuantaStor SDS starts out as none and expands out to User, Group, and then the entire System or Grid.


Create Role

Figure 2: When creating a Role in QuantaStor, you have the ability to choose permission scope for every operation in the platform.


Audit and Accountability: All operations from all users are audit logged in CEE compliant format to ensure the logs have not been tampered with. Logs are only accessible from the root user account and can be easily configured to be processed externally by an audit log processing system. All audit logged operations include the user account ID, timestamps, client IP from where the operation was requested, and include all operations even if they are denied or do not succeed.

Identification and Authentication: Sessions are only usable for up to an hour of activity and expire after 15 minutes of inactivity. QuantaStor supports temporary and emergency account types. Multi-factor authentication will soon be supported in an upcoming release of QuantaStor. (Figures 3 and 4)


Password & Security Manager

Figure 3: QuantaStor’s default password policy rules (shown in Figure 3) are NIST compliant.


Authentication diagram

Figure 4: Authentication based on Role leads to Authorization in QuantaStor. Multi-factor authentication will soon be supported with QuantaStor’s next product release.


Maintenance: Ensure equipment removed for off-site maintenance is cleared of CUI by performing a DoD scrub or other data scrub types supported in QuantaStor SDS. (Figure 5)


DoD Shredding Delete Storage Pool

Figure 5: QuantaStor supports data scrubbing standards DoD, NNSA, and US Army.


Media Protection: TPM module support in QuantaStor ensures boxes cannot be physically modified by connecting USB media and other changes to the physical system after deployment. QuantaStor supports all major storage protocols and each has a different mechanism for ensuring limited access to system media by authorized users, including Active Directory integration, CHAP authentication, and more. QuantaStor’s end-to-end encryption ensures that media in transport cannot be accessed (IBM’s MDM/Mass Data Migration appliances are based on OSNEXUS QuantaStor). Encryption support is available for all device types as QuantaStor employs software encryption which is hardware accelerated with AES-NI technology. Devices can be securely scrubbed of all information before disposal or reuse with DoD scrubbing.

System and Communications Protection: QuantaStor blocks access to resources until explicitly granted, applying to all storage types including file, block, and object. It’s recommended to provide public access to the storage system with physical separation from front-end networks used for public traffic. QuantaStor uses OpenSSL and is going through FIPS 140-2 compliance certification and will have additional FIPS options available later in 2018. FIPS mode OpenSSL options available today.

System and Information Integrity: Identify unauthorized use of the system through QuantaStor’s logging of unauthorized access attempts by both authenticated and unauthenticated users.

For more information on QuantaStor SDS and its security features and encryption, visit osnexus.com.



Categories: Storage Appliance Hardware

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: