And then AI started to change the economics of attack.

AI didn’t invent ransomware or exploitation – but it compressed time, expanded scale, and lowered the cost of finding weak systems. The result is something we’re starting to see play out: attackers no longer look for the most sophisticated target. They look for the most consequential one.

And increasingly, that target is storage and backup systems.

This shift reflects a deeper pattern – what you might call an Anthropic Mythos of AI in cybersecurity. Not the myth of superintelligence, but the reality that AI accelerates whatever incentives already exist.

Attackers want leverage. And guess what; storage and backup systems provide it. AI simply helps them find the cracks faster.

The Blind Spot AI Loves

One of the most uncomfortable truths in modern security programs is how uneven our visibility really is.

Endpoints, networks, applications – these are continuously scanned, prioritized, scored. Storage and backup systems? Often assumed safe. Too complex. Too sensitive. Too “infrastructure‑owned” to fit neatly into exposure management programs.

Attackers have figured this out.

Research shows that the majority of ransomware incidents now explicitly target storage and backup repositories to prevent recovery and force payment. When backups are compromised, incidents turn into crises: longer downtime, regulatory fallout, operational paralysis.

AI doesn’t need to “break” storage and backup systems. It just needs to identify which ones haven’t been treated like first‑class citizens in the security model.

From Feature AI to Risk AI

One of the most important AI trends in cybersecurity isn’t about flashy capabilities – it’s about context.

AI is shifting security away from isolated findings and toward risk understanding:

• Which weaknesses matter most?
• Which systems amplify business impact?
• Which issues collapse recovery options?

This is where storage and backup security finally enters the risk conversation, rather than sitting outside it.

The joint approach from Qualys Enterprise TruRisk™ and Core6’s StorageGuard reflects this shift. Instead of treating storage as an architectural special case, it becomes another – critically important – risk domain that can be assessed, prioritized, and acted on alongside endpoints and applications.

Not more data. More meaning.

Why AI-Driven Attackers Go After Recovery

There’s something almost narratively predictable about modern ransomware campaigns.

If you think in Anthropic terms – systems shaped by incentives – the logic is clear:

• Attackers don’t want denial of service.
• They want negotiation advantage.
• Recovery infrastructure is the leverage point.

AI accelerates reconnaissance and vulnerability clustering. It surfaces misconfigurations, exposed interfaces, and hardening gaps – especially in complex, multi‑vendor storage and backup environments that rarely get consistent scrutiny. That’s why continuous autonomous validation matters more than episodic checks. StorageGuard’s scan of storage and backup systems – aligned to vendor hardening guides and industry standards – feeds directly into Qualys’ risk context, turning “invisible infrastructure” into actionable cyber risk.

One Risk Model, Not Two Worlds

Another quiet AI trend in cybersecurity is consolidation – not of vendors, but of decision models.

Security teams don’t need separate mental frameworks for infrastructure risk and cyber risk. They need one shared language of exposure and impact.

By surfacing storage and backup security advisories, vulnerabilities, security misconfigurations and compliance issues directly inside Qualys workflows, organizations can:

• Prioritize remediation based on business risk, not just technical severity
• Align Infrastructure and SecOps teams around the same risk signals
• Reduce friction caused by siloed tools and disconnected ownership

This matters because AI-driven attacks don’t respect org charts. Defense shouldn’t either.

The End of “Safe by Assumption”

If there’s one myth AI is breaking in cybersecurity, it’s the idea that anything is secure simply because it’s complex, critical, or historically untouched.

Storage and backup systems are no longer passive repositories. They’re active battlegrounds in modern attacks.

The organizations that adapt fastest aren’t chasing AI hype. They’re asking better questions:

• Where do attackers gain leverage?
• Which systems eliminate recovery when they fail?
• Which risks have we normalized for too long?

AI doesn’t answer those questions for us. But it ensures attackers are asking them already.

The only real choice is whether defenders catch up.

Visit the Core6 profile on the Qualys Partner Portal: https://technologypartners.qualys.com/partners/core6

Frequently Asked Questions (FAQs)

1. How does Qualys address storage and backup security risk?

Qualys integrates storage and backup risks into its Enterprise TruRisk™ model, allowing organizations to assess, prioritize, and remediate recovery‑related exposures using the same workflows applied to endpoints, networks, and applications.

2. What role does Core6 StorageGuard play in cyber risk management?

Core6 StorageGuard continuously evaluates storage and backup systems against vendor hardening guidelines and security standards, surfacing misconfigurations and vulnerabilities that feed directly into enterprise risk workflows.

3. What does “one risk model” mean in cybersecurity?

A single risk model unifies infrastructure and cybersecurity risk, helping security, infrastructure, and operations teams prioritize remediation based on business impact instead of working in disconnected silos.

4. How is AI shifting cybersecurity toward risk‑based decision making?

AI is moving cybersecurity from isolated vulnerability findings to risk understanding—helping teams assess which weaknesses create the greatest operational, financial, and recovery impact rather than prioritizing issues based only on technical severity.

The post How Qualys and Core6 Are Redefining Risk Visibility in the Age of AI appeared first on Core6.

While many storage and backup platforms are rightly classified as critical, criticality is not a single tier but a spectrum.

Differences in failure modes, recoverability impact, exposure, maturity, and regulatory scope mean that some systems demand earlier attention, deeper validation, or stronger controls than others.

A structured, multi‑dimensional approach enables security teams to make deliberate, risk‑based prioritization decisions – even within the critical asset set – across both steady‑state operations and worst‑case recovery scenarios.

Below we outline practical criteria to assess and compare criticality across the enterprise storage and backup estate.

Storage & Backup Asset Criticality Criteria

The criterions are divided into four categories: Operational, Technological, Physical Characteristics and finally Governance Compliance and regulatory considerations.

Category 1: Operational context

Category 2: Technology context

Category 3: Physical Characteristics

Category 4: Governance Compliance and regulatory considerations

Final Thought

Storage and backup systems are no longer passive infrastructure components. They are primary security assets, with risk profiles that change dramatically under failure or attack. In a world where the control plane is the new perimeter, these systems have become prime targets.

By applying a structured criticality model – one that balances operational importance, recoverability impact, and security maturity – organizations can:

• Prioritize hardening and validation efforts
• Reduce blind spots attackers increasingly exploit
• Make defensible, risk‑based decisions aligned with business impact

Frequently Asked Questions (FAQ)

1. Why do storage and backup systems need their own criticality model?

Storage and backup platforms (from the likes of Dell, NetApp, Hitachi Vantara, HPE, IBM, Everpure (formerly Pure), VAST Data, Rubrik, Commvault, Cohesity, Broadcom, Cisco, etc.) differ fundamentally from traditional applications or servers. They often protect hundreds or thousands of workloads, store highly sensitive data, and become the last line of defense during ransomware or destructive attacks. Applying a generic asset classification model usually underestimates their blast radius, recovery impact, and attacker value.

2. Aren’t all storage and backup systems already “critical”?

They are – but not equally so. Criticality is a spectrum, not a single tier. Differences in data sensitivity, dependency density, recoverability role, exposure, and governance maturity mean some systems demand earlier hardening, deeper validation, or stricter controls than others—especially under worst‑case recovery scenarios.

3. Why does “access density” matter so much?

High fan‑in systems – those connected to many servers, applications, and management tools—have an amplified blast radius. A single misconfiguration or compromise can cascade across large portions of the environment, making access density one of the strongest predictors of risk.

4. How do AI and ML workloads change storage and backup criticality?

AI/ML systems often store high‑value datasets, model artifacts, and training pipelines that are reused across teams and products. Compromise can affect model integrity, business decisions, and downstream systems, elevating both the security and operational impact of the supporting storage platforms.

The post Determining Asset Criticality in Enterprise Storage and Backup Environments appeared first on Core6.

In fact, Gartner reports a 187% year‑over‑year increase in client inquiries related to data resiliency in 2025 compared with 2024, underscoring how urgently organizations are rethinking their ability to protect and recover business‑critical data.

In parallel, inquiries explicitly focused on cyberstorage grew by 167% over the same period, highlighting the acceleration of storage‑layer security as a standalone priority – not just an extension of backup or recovery tools.

From Backup-Centric Recovery to Active Storage Defense

Traditional cyber resilience approaches focused heavily on backup frequency, immutable snapshots, and recovery time objectives. While these capabilities remain essential, they are no longer sufficient on their own.

Modern ransomware and data‑centric attacks are designed to evade detection, compromise administrative credentials, and directly target storage & backup systems

The Market Guide for Cyberstorage describes how cyberstorage embeds security directly into storage and backup platforms, focusing on posture hardening, continuous validation, and recovery assurance.

Put simply: backup is reactive by nature; storage must now participate proactively in cyber defense.

Why Storage & Backup Security Posture Management Matters

As cyberstorage capabilities mature, Gartner emphasizes that consistent execution and hardened security posture across different storage and backup platforms are far more important than individual features, especially in large enterprises operating multivendor storage and backup ecosystems and legacy infrastructure alongside newer platforms.

In practice, this complexity leads to uneven protection. Native security features may exist on some platforms but not others. Policies drift over time. Privileged access expands quietly. Recovery assumptions go untested.

Storage and backup security posture management addresses these realities by continuously assessing and validating:

• Configuration baselines across storage and backup platforms – and deviations or drifts that happen over time
• Exposure to security advisories, vulnerabilities, and security misconfigurations
• Alignment with industry standards, regulation, and cybersecurity frameworks

Without posture management, organizations often discover gaps only during an incident – when it is already too late.

Cyberstorage in Multivendor, Legacy, and Hybrid Environments

A key insight from the Market Guide is that, while many storage vendors are embedding baseline cyberstorage features, capability depth and maturity remain uneven – particularly across:

• Multivendor environments
• Older or legacy storage platforms
• Complex hybrid cloud architectures

As a result, many enterprises continue to adopt specialized cyberstorage solutions to provide independent validation, consistent policy enforcement, and unified visibility across their entire storage and backup estate.

These solutions are especially important in environments where organizations must assume that administrative credentials may be compromised – and where recovery workflows must remain trusted and operable under active attack conditions.

StorageGuard by Core6: A Representative Vendor in Cyberstorage

In the Gartner Market Guide for Cyberstorage, Core6 (previously ‘Continuity’)  is named as a Representative Vendor based on our StorageGuard solution, reflecting its role in addressing the growing need for security posture management.

StorageGuard focuses on continuously assessing and hardening storage and backup environments, helping organizations uncover misconfigurations, security gaps, and latent risks across diverse platforms. By delivering cross‑vendor visibility and posture enforcement, StorageGuard supports the core cyberstorage outcomes highlighted in the Market Guide.

This posture‑driven approach is particularly valuable for large enterprises, where operational complexity – not lack of technology – is often the biggest obstacle to cyber resilience.

Download the Gartner® Market Guide for Cyberstorage

Attribution: Gartner, Market Guide for Cyberstorage, Vishesh Divya, 23 February 2026.

Disclaimer: GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Frequently Asked Questions (FAQ)

1. What is cyberstorage?

Cyberstorage is an approach to securing enterprise storage that embeds active detection, containment, and recovery assurance directly at the data layer, rather than relying solely on backup or perimeter security. It treats storage systems as active participants in cyber defense, capable of detecting early-stage attacks, limiting blast radius, and validating recovery readiness.

2. What is security posture management for storage and backup?

Storage and backup security posture management is the continuous assessment and hardening of storage and backup environments to ensure they are securely configured, resilient to attack, and aligned with cyber resilience best practices. It focuses on identifying misconfigurations, privilege risks, policy gaps, and exposure that could undermine recovery during a cyber incident.

3. Why are multivendor storage environments harder to secure?

Multivendor environments often have inconsistent security models, visibility gaps, and uneven maturity across platforms. Native protection features vary widely between vendors, making it difficult to maintain a unified security posture. This complexity increases the risk of misconfiguration and blind spots that attackers can exploit.

4. What types of organizations benefit most from cyberstorage – and specifically security posture management?

Cyberstorage and storage security posture management are especially valuable for:

• Large enterprises
• Organizations with multivendor or hybrid storage environments
• Regulated industries with strict recovery and compliance requirements
• Businesses reliant on uninterrupted access to critical data

The post Cyberstorage Comes of Age: Why Security Posture Management Is Now Critical for Storage & Backup appeared first on Core6.

AI-Powered Security Operations for Storage & Backup

Imagine prompting your favorite AI tool to:

• “List all administrator user accounts and groups on my NY-based storage systems”
• “Remediate incorrect session-limit settings on my backup appliances”
• “Check whether my storage systems comply with the proposed 2025 HIPAA regulation updates”
• “Determine whether my backup system is vulnerable to CVE-2025-3928”
• “Identify which hardening guidelines are still missing on my NAS platforms”

By connecting your AI environment to the StorageGuard MCP Server, teams can query configurations, investigate findings, generate reports, and validate compliance—all through natural language. This dramatically reduces the learning curve and streamlines IT hardening, security operations, and audit-related tasks.

What’s Next: Cross-Layer Intelligence With MCP

The real power of MCP emerges when your AI application can access multiple MCP-enabled systems – StorageGuard alongside platforms such as ServiceNow, Varonis, Check Point, Netwrix, and others.

Correlating insights across these layers unlocks new possibilities:

• Advanced risk-based vulnerability prioritization using layered-defense analysis and attack-path insights
• Streamlined compliance reporting by bringing data-classification context into Storage and Backup posture assessments
• Business-aware remediation by attaching business-unit, service, and application context to Storage and Backup environments

This cross-layer intelligence drives faster, more accurate decisions and elevates both security and operational efficiency.

Availability

The StorageGuard MCP Server is currently offered in limited-availability beta as part of the StorageGuard Enterprise + AI edition.

If you’d like to learn more or explore what MCP can enable for your environment, contact us today!

Frequently Asked Questions (FAQ)

1. Why do AI-driven threats require a new cyber defense strategy?

AI empowers attackers to instantly map environments, detect misconfigurations, and launch targeted exploits at machine speed, far beyond traditional manual reconnaissance approaches. This renders periodic security checks insufficient and demands continuous security posture management.

2. What makes data infrastructure such a critical target for AI-powered attacks?

Data infrastructure — especially storage and backup systems — houses sensitive workloads and cyber-recovery capabilities. AI can quickly identify subtle vulnerabilities in these systems, making compromise catastrophic without proactive defense.

3. How does automated remediation improve cyber defenses?

Automated remediation — such as StorageGuard’s Fix It capability – allows organizations to correct security misconfigurations automatically, reducing exposure windows and scaling security without proportionally increasing headcount.

4. How does StorageGuard help organizations defend against AI-driven cyber threats?

By connecting our customers’ AI environments to the StorageGuard MCP Server, teams can inspect and harden security configurations, investigate and resolve weaknesses, and validate compliance – all through natural language.

The post AI-Powered Security for Storage & Backup: Introducing the StorageGuard MCP Server appeared first on Core6.

VAST’s CNode‑X integrates NVIDIA RTX Pro 6000 Blackwell GPUs with the VAST EBox data platform to deliver a fully accelerated AI data stack for vector search, GPU‑native SQL, and containerized model orchestration—bringing AI to your data rather than moving data to AI.

That convergence raises the security bar. When storage, vector indices, and AI runtimes share one fabric, misconfigurations become attack surfaces that threaten data security, integrity, model safety, and compliance.

StorageGuard, a Security Posture Management Solution for storage and backup systems, addresses this by continuously identifying security misconfigurations, compliance issues, vulnerabilities and configuration drift, and driving remediation – purpose‑built for VAST environments.

Why AI Storage Needs a New Security Posture

VAST’s disaggregated, shared‑everything (DASE) architecture provides every CNode direct NVMe‑oF access to all data while managed Kubernetes schedules GPU workloads alongside data services. This delivers high throughput for RAG, vector search, and multimodal analytics – but it also demands consistent security best practices for identity, encryption, auditing, and network hygiene across the full fabric.

VAST’s Security Configuration Guide offers robust primitives – ABAC, immutable auditing, TLS 1.3 for management, FIPS‑validated crypto for data in flight/at rest, external KMS, and STIG‑aligned hardening.

The challenge in the field is ensuring these, and other organizational controls are configured correctly everywhere, continuously, and don’t drift across tenants, views, protocols (NFS/SMB/S3), and rapidly expanding AI services.

StorageGuard for VAST + NVIDIA: Security Posture Management for AI Storage

StorageGuard establishes a Hardened Configuration Baseline, composed of the VAST hardening guidelines, industry standards and cybersecurity frameworks, and then automatically identifies security misconfigurations and drifts from the target baseline.

Below are examples of high-impact controls StorageGuard continuously validates in VAST environments that host NVIDIA-accelerated AI workloads. StorageGuard ensures these target baseline controls are effectively deployed across the VAST Data environment and do not drift over time.

1) Identity, Roles, and Least Privilege (Zero‑Trust in practice)

• Federation to enterprise IdPs (AD/LDAP/SAML) with MFA for admin access
• Secure LDAP bindings (LDAPS/StartTLS), lockout thresholds, idle timeouts, API token limits
• Detection of unapproved local users and restriction of break‑glass accounts to emergency use with strong rotation
• Permissions are consistent and minimal

2) Encryption In‑Flight and At‑Rest (with EKM assurance)

• TLS 1.3 enforced for VMS/CLI/SSH, protocol endpoints, replication, and S3
• AES‑XTS 256‑bit encryption at rest enabled; KMIP connectivity to approved external KMS with valid CA and expiry tracking
• Per‑path encryption for sensitive AI datasets used by agents or training

3) Auditing & Forensics for AI Pipelines

• Global admin/system/protocol audit enabled with role‑based read access and retention aligned to policy
• Protocol audit on for NFS/SMB/S3 used by training, RAG ingestion, and vector stores
• Redundant NTP configured to preserve chain‑of‑custody

4) Network & Service Surface Reduction

• Removal of unused NFS/SMB/S3 endpoints
• Remote support and call‑home configuration with SSL verification and enforced TLS level
• API/Web exposure controls (e.g., CORS) reviewed and restricted

5) S3/Object Controls for RAG & Vector

• Anonymous access disabled, bucket versioning enabled, TLS‑only endpoints
• Secure replication for DR to prevent tampering or rollback of embeddings and training sets

6) NFS/SMB Guardrails for GPU Data Paths (POSIX)

• NFS rootsquash enforced, NFSv4.2 preferred, export ACLs follow least privilege
• Client IP ACLs scoped to GPU nodes and orchestrators only
• SMB access aligned to AD group policy with secure LDAP bindings and lockout thresholds

7) Control‑Plane Hygiene at AI Scale

• Approved DNS/NTP/Syslog/SMTP endpoints with redundancy
• KMS locality and redundancy to prevent key‑availability issues that can stall GPU jobs mid‑pipeline
• TLS level enforcement across control‑plane services

How StorageGuard Works for VAST Data

Discover
StorageGuard connects to the VAST VMS API with least‑privilege service accounts. It enumerates tenants, views, buckets, protocols, and security posture. And it collects effective configuration for identity, encryption, audit, and networking – no agents on GPU nodes.

Continuously Validate
Runs configuration checks against a selected configuration baseline policy to enforce security best practices – including TLS ciphers, ABAC permissions, MFA/SSO posture, KMS trust chains, protocol hardening, and replication security.

Prioritize & Remediate
Surfaces issues that create risk to AI workflows, mapped to Industry Standards (e.g. NIST, CIS, NERC CIP, HIPAA, DORA, NIS2, FFIEC, CRI, CISA and more). Applies hardening guidelines with either guided or automated remediation.

Example: Securing a RAG Pipeline on VAST + NVIDIA

1. Data ingestion lands unstructured files and PDFs into a VAST tenant; StorageGuard verifies encryption is enabled, key management method, CA, and cert expiry.
2. Embedding jobs run on NVIDIA GPUs via CNode-X; StorageGuard confirms NFS exports are scoped to GPU nodes only, with root squash and NFSv4.2.
3. Vector index persists as objects; StorageGuard ensures S3 anonymous access is disabled, versioning on, and TLS‑only replication to DR.

The outcome: GPU pipelines stay fast and compliant, with continuous evidence that storage controls match your AI risk tolerance.

Why This Matters for NVIDIA-Accelerated AI

The CNode-X approach collapses the gap between data and compute, allowing NVIDIA-accelerated vector search, SQL, and model services to run in place with the data. It’s a massive performance and productivity win—but it also means storage security = AI security. With StorageGuard, security teams gain continuous, evidence-driven assurance that the VAST Data platform underpinning their AI is encrypted, least-privileged, audited, and network-hardened—without slowing down GPUs or developer velocity.

Getting Started

• Pilot StorageGuard on a VAST tenant hosting AI data
• Choose a built-in hardened configuration baseline policy that meets you needs
• Run an initial baseline assessment, and review P1 findings
• Connect to ITSM (e.g. ServiceNow, BMC, etc.) to track security misconfigurations and configuration drift, as well as streamline remediation

AI is redefining the data plane. With StorageGuard, you can adopt NVIDIA‑accelerated VAST architectures confidently.

Discover the Recommended Security Baseline Checks for VAST Data Clusters: https://support.core6.com/hc/en-us/articles/25852419079196-VAST-Data-Clusters-Recommended-Security-Baseline-Checks

Contact us to learn more about StorageGuard for AI Storage

_____________________________________________________

Frequently Asked Questions (FAQ)

1. What is AI storage, and why does it need a hardened security posture?

AI storage refers to the data plane that feeds AI pipelines – training datasets, vector indices, embeddings, model artifacts, and unstructured content for RAG.

Because modern AI architectures (like VAST Data + NVIDIA) collapse storage, compute, and orchestration into the same fabric, any storage misconfiguration becomes a security, integrity, and model‑safety risk. Hardened storage ensures data confidentiality, integrity, availability, and compliance for high‑value AI workloads.

2. Why are NVIDIA‑accelerated VAST Data systems uniquely sensitive to misconfiguration?

VAST’s DASE architecture gives every CNode direct NVMe‑oF access to all data, while Kubernetes schedules GPU workloads next to storage services. This convergence creates high‑performance but tightly coupled environments where:

• Identity and access gaps can escalate quickly
• Misconfigured S3/NFS/SMB endpoints become exposed attack surfaces
• Weak encryption or incorrect KMS trust chains threaten model safety
• Drift can break compliance controls across tenants and protocols
• As a result, storage misconfigurations directly affect AI runtime security.

3. What security challenges do enterprises face when running AI workloads on VAST Data?

Common challenges include:

• Inconsistent identity and RBAC across tenants and protocols
• Unencrypted data paths between GPUs and storage
• Missing or incomplete audit logs used for AI forensics
• Unused or exposed endpoints (NFS, SMB, S3) expanding attack surface
• Versioning or replication gaps for RAG/vector data integrity
• Configuration drift as AI services scale out

Enterprises need continuous validation, not a one‑time setup.

4. How does StorageGuard help secure NVIDIA‑accelerated VAST environments?

StorageGuard provides Storage Security Posture Management (SSPM) purpose‑built for VAST by:

• Establishing a hardened configuration baseline using VAST hardening guides + industry frameworks
• Continuously detecting misconfigurations, vulnerabilities, compliance gaps, and drift
• Prioritizing issues by severity and aligning them to standards (CIS, NIST, NERC CIP, HIPAA, DORA, NIS2, etc.)
• Guiding or automating safe remediation
• This ensures VAST environments stay secure, compliant, and GPU‑ready.

The post Securing AI Storage: How StorageGuard Hardens NVIDIA‑Accelerated VAST Data Environments appeared first on Core6.

Security teams continue to invest in advanced controls, yet incidents persist. Gartner identifies the root cause clearly: controls exist, but they are misconfigured, drifting from baseline, or poorly optimized. To address this, Gartner introduced Automated Security Control Assessment (ASCA) – a technology category designed to continuously assess, prioritize, and optimize security controls to reduce exposure.

ASCA is becoming foundational to modern security programs. But most implementations overlook a critical domain.

The Storage & Backup Blind Spot

Storage and backup systems hold an organization’s most critical asset—its data—and are increasingly targeted by ransomware and extortion attacks. Compromising recovery infrastructure is often what forces ransom payment.

Yet storage and backup controls are typically:

• Assessed manually and infrequently
• Highly vendor‑specific and complex
• Outside the scope of traditional vulnerability, endpoint, or cloud security tools

This creates a dangerous gap: organizations believe controls are in place, while misconfigurations and drift silently increase exposure.

Gartner highlights configuration drift, weak defaults, and misaligned coverage as persistent drivers of breaches—problems that cannot be solved without automation.

ASCA Requires Domain‑Specific Intelligence

Gartner defines ASCA as agentless, API‑driven technology that continuously evaluates control configurations, maps them to frameworks and best practices, and supports prioritized remediation.

However, generic ASCA platforms lack the deep domain knowledge required for storage and backup environments, including:

• Vendor‑specific hardening guidance
• Ransomware protection and recovery controls
• Snapshot, replication, and immutability settings
• Compliance interpretation for data infrastructure

Without this depth, storage and backup remain outside continuous control assessment.

StorageGuard: ASCA for Storage and Backup

StorageGuard applies ASCA principles specifically to enterprise storage and backup systems.

Using authenticated, read‑only access, StorageGuard continuously collects configuration data and validates it against:

• Vendor security and hardening best practices
• Industry and regulatory standards (NIST, ISO, CIS, DORA, and others)
• Ransomware protection and recovery guidelines
• Organizational security baselines

This directly aligns with Gartner’s ASCA definition: continuous assessment, baseline drift detection, and prioritized remediation—delivered through automation rather than periodic audits or scripts.

From Findings to Real Risk Reduction

Gartner emphasizes that ASCA adds control context, enabling better prioritization and faster mitigation—not just more findings.

For storage and backup, StorageGuard provides that context by:

• Identifying misconfigurations that weaken recovery
• Detecting drift from approved baselines
• Highlighting exposure to vendor advisories and missing updates
• Delivering actionable, platform‑specific remediation guidance

The result is fewer blind spots and greater confidence that data infrastructure can withstand modern attacks.

Closing the ASCA Gap

ASCA adoption is accelerating as organizations struggle with security control complexity at scale. But any ASCA strategy that ignores storage and backup leaves a critical gap—exactly where attackers focus.

StorageGuard closes that gap, extending automated security control assessment to the systems that ultimately determine whether an organization can recover.

Frequently Asked Questions (FAQs)

What is Automated Security Control Assessment (ASCA)?

ASCA is a Gartner-defined technology that continuously evaluates security control configurations, detects drift from approved baselines, and prioritizes remediation using automated, agentless, API-driven assessments.

What major gap exists in most ASCA implementations?

Most ASCA platforms overlook storage and backup systems. These systems contain an organization’s most critical data and are often targeted by ransomware, yet they are rarely included in continuous control assessments.

Why are storage and backup systems hard to assess with generic ASCA tools?

Storage and backup technologies require deep vendor-specific knowledge, unique hardening guidance, and specialized recovery controls that generic ASCA platforms cannot interpret or validate.

How does StorageGuard apply ASCA principles to storage and backup systems?

StorageGuard uses authenticated, read‑only API access to continuously collect configuration data and validate it against vendor best practices, industry standards, ransomware recovery guidance, and organizational baselines.

The post Closing ASCA’s Biggest Gap: Storage and Backup Hardening appeared first on Core6.

This CISO Point of View article offers a curated, abridged view of our full Infrastructure Security Guide, featuring insights from leading CISOs on how enterprises are redefining infrastructure security in 2026. To read the full Guide, click here.

Section 1: Framing the Conversation — The Role of Infrastructure Security

How do you balance investment between traditional security domains (like endpoint or application security) and infrastructure protection?

Mark Thomson Deputy Group CISO Howden

“Conduct thorough risk assessments to identify critical assets and vulnerabilities, ensuring resources are directed where they mitigate the greatest impact. For instance, businesses heavily reliant on cloud services may prioritize infrastructure segmentation and identity controls over endpoint hardening.   Internal strategies and frameworks such as ISO 27001 and PCI-DSS reinforce this alignment by linking controls to business objectives and compliance requirements.   Beyond prioritization, investment needs to be balanced between prevention, detection, and response across endpoint, application, and infrastructure security.

Section 2: Real-World Priorities & Challenges

As infrastructure becomes increasingly hybrid and distributed, what are the biggest visibility or control challenges you face?

Gernette Wright Former IT Security Officer – Americas Schneider Electric

“Without a doubt, it’s about knowing where data is and who can access it. When you combine on-premises systems, multiple clouds, SaaS platforms, and older systems, it becomes hard to keep track.   Access control gets trickier because each platform handles permissions differently. This opens the door for privilege creep. When teams rush or do not follow proper procedures, over-provisioning often results.”   Another important aspect is knowing where the data came from, how it has changed, who worked with it, and whether the right permissions were in place at each step.   Without this traceability, accountability becomes unclear. It also increases security risks because sensitive information can unintentionally end up in systems not meant to store it.”

How do you ensure IT teams and security teams stay aligned on priorities and accountability?

Rick Doten Former VP Information Security Centene

“Priorities are easy, make sure that which is critical to the business is protected, resilient, and stable. We spend too much time chasing the priorities given by the tools or CVE scores without understanding business context and impact.   We have only statically evolved our prioritization based on external facing, or known exploit. But even that might not matter to the business, based on the specific platform.”

Section 3: Modernization & Transformation

Are traditional infrastructure security models still relevant — or do we need a new operating model for the modern enterprise?

Erdal Ozkaya CISO Morgan State University

“The old ‘Castle and Moat’ model? It’s gone. It’s comfortable to think, ‘If I secure the perimeter, the inside is safe,’ but it’s a lie.   We operate on Zero Trust now, which sounds like a buzzword, but it’s actually a mindset shift. It means I treat my internal corporate network with the same suspicion I treat the open internet. It’s paranoid, sure, but in this job, paranoia is a virtue. We assume the bad guy is already inside.”

How do you approach securing “invisible infrastructure” — the underlying systems that run across hybrid cloud, APIs, and automation pipelines?

Girish Kulkarni CISO Aurionpro	“Invisible infrastructure requires security by design. This includes API security gateways and runtime protection, CI/CD pipeline hardening with secrets management, and Infrastructure-as-Code (IaC) scanning before deployment”
Matthew Lang Former CISO State Employees’ Credit Union (SECU)	“As far as hidden IT outside the organization, you need extremely good contracts with all 3rd parties – including the right to scan for weaknesses.”

Section 4: Storage & Backup — The Last Line of Defense

Storage and backup systems are often overlooked but critical in cyber resilience. How do you ensure they’re properly secured?

Gernette Wright Former IT Security Officer – Americas Schneider Electric

“From my perspective, backup systems are arguably the most critical piece of your BCP and DR strategy. Outside of cost, there are two other critical areas I look for: immutability and speed of restoration.   On the operational side, these backup systems must be tested. I ensure regular restorations are done quarterly and a full restore done annually of a critical system or systems.   Storage security addresses the same fundamentals, encryption, access control, patching, and monitoring. It’s important to make sure the storage platform is properly secured through encryption, tight access control, patching, and monitoring, and that sensitive data isn’t being copied to locations that weren’t meant to hold it.”

Bob Turner Former CISO Penn State University and University of Wisconsin-Madison

“To think about the future, you have to go back to basics: where is your information actually kept?   Your primary data lives in central storage systems that people use to do business. Today, backup systems are also often kept online in some form, which can be risky.   Any primary data source that is critical to the enterprise needs either an offline backup or a very well-isolated backup.   Enterprises that are doing this well aren’t usually talking about it publicly, but they’re quietly adopting the best security controls the industry can provide. If you’re not there yet, that’s where you need to be heading.”

Do you see a growing convergence between infrastructure reliability and cybersecurity — especially when it comes to data protection and recovery?

Mark Thomson Deputy Group CISO Howden

“There is certainly an increasing convergence between infrastructure reliability and cybersecurity, particularly in data protection and recovery.   Traditionally, disaster recovery focused on physical resilience while cybersecurity addressed digital threats, but today these domains intersect as cyberattacks can disrupt critical infrastructure as severely as natural disasters.   Organizations need to embed cybersecurity into resilience frameworks, aligning backup strategies with business continuity plans, and leveraging technologies such as Zero Trust and cyber-resilient storage to ensure operational continuity under attack conditions.”

Girish Kulkarni CISO Aurionpro

“Absolutely. Cybersecurity and reliability are now inseparable. Ransomware has made backup integrity a security priority.   We integrate cyber resilience metrics into business continuity planning.”

Section 5: Looking Ahead — Future of Infrastructure Security

What new trends or technologies do you think will most impact Infrastructure Security in the next 2–3 years?

Mats Nygren Former VP Information Security U.S. Bank

“Resilience will be regulated and require measurability –disclosure requirements and market pressure will make resiliency a board-level expectation.   Recovery time, identity hygiene, and cloud posture drift will become quantitative indicators of infrastructure security maturity.   Infrastructure security will be judged not only on how well it prevents incidents, but how well it recovers from them, in addition to driving value for the business.”

Click here to read the full CISO Point of View Guide

The post Lessons from CISOs – 2026 Infrastructure Security Outlook appeared first on Core6.

The release of ISO/IEC 27040:2024 – Storage Security marks a pivotal moment for enterprises that care about cyber resilience and recoverability. It is the first truly comprehensive, globally recognized standard dedicated specifically to securing storage and backup systems – and its timing couldn’t be more critical.

Storage and Backup: The Last Line of Defense – and a Prime Target

Attackers are exploiting the fact that storage and backup environments are often less monitored, less hardened, and poorly integrated into vulnerability management programs. In many organizations, storage & backup systems still operate with legacy protocols, excessive privileges, weak authentication, and minimal logging – conditions that attackers actively seek out.

The consequences are severe: data theft, data destruction, operational disruption, regulatory exposure, and long-term reputational damage.

What Makes ISO/IEC 27040 Different – and Important

ISO/IEC 27040:2024 is not a minor update. It is a major overhaul of the outdated 2015 edition, designed to reflect modern storage architectures, threat models, and regulatory expectations.

Key characteristics include:

• 220 storage security guidelines, with 188 defined controls that establish a baseline for secure storage operations
• A clear distinction between guidance and mandatory requirements, particularly around encryption, logging, access control, protocol hardening, and secure sanitization
• Deep alignment with the broader ISO/IEC 27000 family, including ISO 27001 and ISO 27002, ensuring storage security is integrated into existing governance frameworks rather than treated as a side project

Most importantly, ISO 27040 acknowledges that storage security drifts over time. Configuration changes, firmware upgrades, evolving vendor guidance, and newly discovered vulnerabilities all erode security posture unless continuously validated.

From Policy to Practice: What ISO 27040 Actually Requires

Unlike high-level security frameworks, ISO 27040 goes deep into the technical realities of storage & backup environments. It covers:

• Strong authentication and access control, including multi-factor authentication and separation of duties
• Encryption requirements for data at rest and in motion, with minimum cryptographic strength
• Protocol hardening, including secure configurations for NFS, SMB, iSCSI, Fibre Channel, NVMe, and object storage
• Comprehensive logging and monitoring, with protected log retention
• Immutability, snapshots, replication, and cyber-recovery backups, recognizing storage as the backbone of resilience
• Vendor access restrictions and secure remote management

These controls map directly to real-world attack techniques observed in recent storage and backup breaches & ransomware incidents.

How StorageGuard helps you comply with ISO/IEC 27040

Required by ISO, Provided by StorageGuard

StorageGuard is the only Security Posture Management solution purpose-built for enterprise storage and backup systems.

• Ensure adequate storage & backup protection expertise
• Ensure adequate storage & backup security expertise
• Perform storage & backup system hardening
• Apply vendor-recommend security configurations for all storage & backup systems
• Include storage & backup in vulnerability management programs

ISO 27040 Is a Baseline – Not the Finish Line

One of the most important messages in ISO 27040 is that documentation alone is not enough. The standard repeatedly emphasizes validation, testing, and continuous assessment.

This is especially critical for storage and backup environments, where traditional vulnerability scanners often lack deep coverage, misconfigurations can persist unnoticed for years, and security posture can change overnight due to upgrades or operational changes.

Organizations that treat ISO 27040 as a one-time compliance exercise will miss its real value. Those that operationalize it by continuously assessing, hardening, and monitoring storage & backup security will significantly improve their cyber resilience.

Final Thoughts

Storage and backup systems are no longer passive infrastructure components. They are strategic security assets – and, if neglected, strategic liabilities.

ISO/IEC 27040:2024 provides a long-overdue, authoritative blueprint for protecting the systems that ultimately determine whether an organization can recover from a cyberattack.

If your storage & backup systems are not secure, your security program is not complete.

*The StorageGuard MCP Server is included in the Enterprise + AI edition of StorageGuard and is currently available under limited release.

Tech controls required by ISO, audited (and potentially enforced) by StorageGuard

Frequently Asked Questions (FAQs)

Why is ISO/IEC 27040 important for cybersecurity?

ISO/IEC 27040 is important because storage and backup systems are increasingly targeted by ransomware and data-destructive attacks. The standard addresses long-standing security gaps by defining controls for encryption, access management, logging, protocol hardening, and data immutability—areas often overlooked by traditional security programs.

How does ISO/IEC 27040 relate to ISO 27001 and ISO 27002?

ISO/IEC 27040 complements ISO 27001 and ISO 27002 by providing storage-specific security guidance that those standards do not cover in detail. While ISO 27001 defines information security management requirements and ISO 27002 lists general controls, ISO 27040 explains how to apply security controls specifically to storage, backup, and data protection technologies.

What are the main security controls required by ISO/IEC 27040?

ISO/IEC 27040 defines controls across encryption, authentication, access control, logging, monitoring, protocol security, vendor access management, and secure data sanitization of storage and backup systems. Many requirements focus on eliminating insecure legacy protocols, enforcing minimum cryptographic strength, and continuously validating storage and backup security configurations.

How does ISO/IEC 27040 impact audits and compliance?

ISO/IEC 27040 is increasingly used by auditors to assess whether organizations adequately protect storage and backup systems. While not a certification standard itself, it provides detailed criteria that auditors may use to evaluate compliance with ISO 27001, regulatory requirements, and cyber resilience expectations.

The post What Security Leaders Need to Know About ISO27040 – Storage & Backup Security appeared first on Core6.

1. Industry Trends

What do you see as the single biggest disruptor in enterprise storage & backup today?

For David Brown, Storage Architect at State of Michigan, the biggest disruptor is unambiguous:

“If you’d asked me this question 20 years ago, I would have said virtualization.
Today, the elephant in the room is artificial intelligence.”

David contrasted the early days of SAN:

“One of the first SANs I ever put in was a whopping 5.5 terabytes. We thought, we’ll never outgrow this. Virtualization came along and we were doubling and tripling capacity almost every year.”

Now, AI and machine learning are driving a similar – but even more intense – disruption:

• New workloads (e.g., autonomous vehicles) are discussing yottabytes in capacity planning.
• AI requires instant performance, low latency, and massive parallelism.
• Storage becomes a core dependency for AI’s success, not just a downstream consumer.

2. Security

How are storage systems adapting to the rise in ransomware attacks?

Julian Topley, Senior Delivery Manager – Storage & Backup at Lloyds Banking Group, framed the shift starkly:

“We’ve invested for years in perimeter security. But the real vulnerability is the destination – the data. That’s where ransomware now goes, and increasingly backups as well.”

Julian outlined two guiding principles:

1. Protection must be layered

“Snapshots and replication are the frontline for fast recovery. Backup and vaulting are the last bastion for recovery and forensics.”

2. Storage must get “cyber-smart”

“Storage has to offer immutability, anomaly detection, and clean recovery points.
Storage needs to be smart.”

Are immutability and air-gapped backups becoming table stakes?

David Brown’s answer was unequivocal:

“Both immutable backups and air-gapped backups have become table stakes for a true cyber-resilient strategy. They used to be advanced features. Today they’re mandatory requirements.”

He explained why traditional backup rules are no longer enough:

“The old 3-2-1 rule – three copies, two media, one offsite – isn’t enough. Attackers can still corrupt those locations.”

His team is moving toward an enhanced rule:

“We’re looking at a 3-2-1-1-0 rule: three copies of data, two different media types, one copy stored offline, one copy immutable or vaulted, and zero errors after verification when you restore.”

On cloud and air gapping:

“In my opinion, cloud-written backups do not constitute an air gap.
There’s still access to the cloud, and as we’ve seen, the cloud is not a guaranteed safe harbor.”

What challenges do you foresee with evolving data sovereignty laws?

Naresh Kattel, VP Storage Management from AllianceBernstein pointed out that global enterprises face a patchwork of regulations:

“Every large enterprise operates in different markets, and every market has a regulator.
These regulators are unleashed on you to make sure you understand the rules.”

He outlined three practical needs: know your inventory, understand regulatory impact, and partner with legal & compliance.

Should InfoSec teams build deeper storage-security expertise?

Kevin Battle strongly believes in deeper cross-team understanding:

“Absolutely. Right now everything is segmented – separate security teams, separate backup teams, separate storage teams. But with new AI-aware software, everyone has to coordinate and be aware.”

He highlighted the role of storage-security tooling:

“That’s what I appreciate about solutions like StorageGuard, which I’ve used for three years. It gets inside the perimeter to scan storage and SAN. Those are areas other tools just don’t touch.”

Julian Topley agreed on shared responsibility – but warned against blurring it:

“The security and storage teams must share the problem, but the key is not to blur responsibility.”

He framed it in the following way:

• Security team: owns threat, policy, escalation
• Storage & backup team: own configuration, change, fabrics, protocols

Julian explains how 3^rd party solutions can help:

“Tools like StorageGuard really help here – they continuously discover storage and backup systems and add that contextual security layer, mapping configurations and firmware against live vulnerabilities and good practice.”

3. Technology & Innovation

How is AI changing storage management – is it hype or reality?

David Brown was clear:

“It’s definitely reality. We’re using AI for IT operations – supporting customer support, security, backup and recovery. For storage, it turns systems into active participants in maintaining uptime and data security.”

Examples he gave included:

• Predictive maintenance

“Models continuously analyze logs, sensor readings, and performance to predict failures before they impact production.”

• Intelligent tiering & triage

“We used to write scripts to move data between tiers based on age and activity.
AI can now constantly analyze data and predict when it might be needed, staging it preemptively.”

Click here to read the full report: ‘The Storage Leaders Guide’, and watch the on-demand Virtual Panel, click here.

The post Lessons from Enterprise Storage Leaders – 2026 Trends, Threats & Transformations appeared first on Core6.

DORA does not prescribe specific technologies. Instead, it requires institutions to demonstrate that appropriate processes exist and that technical controls are actually implemented and effective over time. 

DORA processes and how StorageGuard helps StorageGuard was designed to provide continuous control verification for enterprise storage and backup environments, making it a strong enabler of DORA compliance. 

This article will: 

• Explain how StorageGuard supports the ICT risk management processes required by DORA 
• Provide concrete, real-world examples mapping DORA RTS requirements to StorageGuard checks 
• Simplify adherence, investigation and DORA technical standards reporting with StorageGuard AI  

How StorageGuard Supports DORA ICT Risk Management Processes 

DORA is fundamentally process-driven. Regulators expect financial entities to show that ICT risks are managed end-to-end—not just documented in policies.  

DORA requires financial institutions to know what ICT assets they operate, understand and assess the risks affecting those assets, define and enforce secure configuration baselines, keep systems properly maintained and supported, control access and changes, protect data and backups against loss or tampering, and continuously monitor ICT systems to detect weaknesses and emerging threats.  

StorageGuard supports these requirements for storage and backup environments by continuously discovering assets, assessing configuration and security posture, validating secure baselines and hardening settings, highlighting outdated or unsupported platforms, verifying encryption and access controls, detecting configuration drift and risky changes, and producing ongoing, audit-ready evidence that controls are in place and effective over time. 

The table below summarizes how StorageGuard supports key DORA-required processes for storage and backup systems. 

StorageGuard Checks for DORA Regulatory Technical Standards (RTS) 

DORA and even more so DORA RTS translates regulatory intent into verifiable technical expectations. StorageGuard addresses these expectations by checking real configurations in storage and backup systems. 

The examples below are illustrative, not exhaustive. StorageGuard covers hundreds of additional checks aligned with DORA and its RTS, as well as other regulations, industry standards and cybersecurity frameworks. 

DORA RTS mappings to StorageGuard controls 

This represents only a subset of StorageGuard’s coverage, which spans hundreds of checks aligned to DORA and its RTS. 

Using StorageGuard MCP and AI to Accelerate, Maintain and Prove DORA Compliance  

DORA compliance is not only about implementing controls, but also about preparing, validating, and demonstrating evidence across teams such as IT, security, risk, and audit. This is often where organizations struggle—especially in complex storage and backup environments. 

The StorageGuard MCP* (Model Context Protocol) server enables secure integration between StorageGuard and AI-based assistants, allowing users to interact with StorageGuard findings using natural language while remaining grounded in authoritative, real configuration data. 

With MCP-enabled AI access, teams can: 

• Prepare for DORA assessments more efficiently 
  Ask questions such as “Which storage systems are not aligned with our secure configuration baseline?” or “Where do we have encryption gaps in backups?” and receive answers backed by StorageGuard’s continuously collected evidence. 

• Validate compliance against DORA expectations 
  Quickly review whether key DORA processes—such as asset coverage, access controls, encryption, logging, or recovery protections—are consistently enforced across the environment. 

• Produce audit-ready explanations and evidence 
  Translate technical findings into clear, structured explanations suitable for risk teams, internal audit, or regulators, without manually assembling data from multiple tools. 

• Reduce dependency on individual expertise 
  MCP allows institutional knowledge to be embedded into the platform, helping teams respond consistently even as personnel or responsibilities change. 

Summary 

DORA compliance is not achieved through documentation alone. Financial institutions must demonstrate that ICT risks are continuously identified, controlled, and reduced in practice. 

StorageGuard helps organizations do exactly that by: 

• Providing continuous visibility into storage and backup ICT assets 

• Enforcing secure configuration baselines 

• Detecting vulnerabilities, drift, weaknesses and risky changes 

• Producing audit-ready evidence aligned with DORA requirements 

By embedding StorageGuard into the ICT risk management framework, organizations move from periodic compliance exercises to continuous ICT risk management for Storage and Backup platforms – mission-critical ICT data assets. 

* The StorageGuard MCP Server is included in the ‘Enterprise+AI edition’ of StorageGuard, and currently under limited availability.

To see how StorageGuard can help with audit readiness, go to:
https://www.core6.com/storageguard-for-compliance-audit-readiness/

The post How StorageGuard Helps Financial Institutions Meet DORA Requirements for Storage and Backup Systems  appeared first on Core6.