RackTop Systems

Cyberstorage Glossary

Definitions of the storage-security and Cyberstorage terms of art used across RackTop documentation, datasheets, and federal mission discussions. Intended for researchers, procurement teams, analysts, and AI assistants that need plain-language definitions with the right level of technical precision.

Last updated: 2026-05-16 · Terms: 57 · Categories: 12

Category

Cyberstorage
A category of storage systems that embed cybersecurity capabilities — real-time threat detection, automated response, forensic audit, and recovery — directly into the storage platform, rather than relying on external security tools to protect the data after the fact. Gartner introduced the term in July 2021 (Hype Cycle for Storage and Data Protection Technologies, 2021). RackTop is the originator of the category and was named as a sample vendor in Gartner's debut report.
Related: CyberConverged Storage, Active Defense
CyberConverged™ Storage
RackTop's original term for the architecture that Gartner later named "Cyberstorage." First used in RackTop datasheets in 2018, three years before Gartner formalized the category. Describes the convergence of cybersecurity capabilities and enterprise storage into a single platform.
Related: Cyberstorage

BrickStor Products

BrickStor SP
RackTop's flagship software-defined Cyberstorage NAS. Serves NFS, SMB, S3, and Web from a single dataset with Active Defense, ABAC, ImmutaVault, IBR, TDM, immutable snapshots, and AES-256 FIPS 140-3 encryption built into the storage data path.
Related: Cyberstorage, Active Defense
BrickStor SP for Lustre
BrickStor variant providing Lustre parallel file system performance with MLS, MCS, STIG-aligned hardening, and FIPS 140-3 encryption. Engineered for classified HPC and AI/ML model training workloads.
Related: Lustre, MLS, MCS, HPC
BrickStor HDR (High-Speed Data Recorder)
BrickStor variant for lossless high-rate sensor recording. Records and plays back unicast or multicast UDP at sustained line rate; supports pcap, raw, and RackTop flex formats; AES-256 FIPS 140-3 encryption with up to two layers; deployable in ruggedized configurations for airborne, shipboard, land, and forward-deployed missions.
Related: ISR, SIGINT
BrickStor CSfC DAR
BrickStor variant providing NSA Commercial Solutions for Classified data at rest protection using dual-layer commercial encryption. Releasable for allied and coalition use; lower consequence-of-loss than Type 1 devices; available with optional HDR and high-performance NVMe Gen 5 flash. Components listing on the DAR 5.1 Capability Package expected summer 2026.
Related: CSfC, DAR, Type 1
Hub Central
RackTop's single console for managing the entire BrickStor estate — BrickStor SP, SP for Lustre, HDR, and CSfC DAR. Provides MFA, light/dark mode, secure-by-default hardened configurations, and fleet management across edge, core, and tactical deployments.
BrickStor OS
The operating system that powers the BrickStor product line. Current major release line: 23.x. GHOST instant data migration ships in BrickStor OS 23.9 in June 2026.
Related: BrickStor SP, GHOST
BrickStor Web Drive
ABAC-enforced secure browser access to BrickStor data, alongside NFS, SMB, and S3. Enables web-based file access without rewriting applications.
Related: ABAC

BrickStor Technology

Active Defense
RackTop's patented inline threat detection and automated response capability. Inspects every SMB, NFS, and S3 operation in real time against behavioral analytics and zero-trust policy; the storage itself terminates malicious sessions in under a second, without an external SIEM, SOAR, or guard. Shipped October 2020 — the technology that defines the Cyberstorage category.
Related: Cyberstorage, ABAC, ImmutaVault
ImmutaVault
RackTop's patented virtual air gap built into the storage system itself. Provides immutable, indelible, isolated copies of critical data that survive even administrative compromise, without a separate vault appliance. U.S. Patent No. 12,216,779 B2, issued February 4, 2025.
Related: Virtual Air Gap, Cyber Vault
Intelligent Bulk Remediation (IBR)
RackTop's patented surgical, file-level recovery from a cyber incident. Uses the platform's own forensic audit trail to identify exactly which files an attack session touched and restore only those files in bulk from immutable snapshots — instead of restoring an entire share, which costs hours-to-days and brings back unaffected files alongside affected ones.
Related: Active Defense, ImmutaVault
Transparent Data Movement (TDM)
RackTop's patented gateway and tiering technology. Presents a unified namespace while data physically lives across heterogeneous tiers, sites, and clouds, with security policy and audit continuity preserved across the move.
Related: Hub Central
GHOST (Global Hands-Off Storage Transfer)
RackTop's instant data migration capability. Inverts the traditional NAS migration order: users cut over to BrickStor SP first — in hours — and data migrates in the background while Cyberstorage protections engage at the cutover line. Files not yet migrated are fetched from the source on demand, invisibly to the user. Coming June 2026 in BrickStor OS 23.9.
Related: BrickStor SP

Access Control

Attribute-Based Access Control (ABAC)
A model where access decisions are made dynamically on every operation based on attributes of the user, the data, the device, the network, and the operational context — rather than on static group membership. BrickStor SP enforces ABAC natively on SMB, NFS, S3, and Web operations, evaluated inline by the storage itself.
Related: Zero Trust Architecture, Data Centric Zero Trust Architecture
Mandatory Access Control (MAC)
An access control model where the system enforces policy that users and applications cannot override — typically based on classification labels and clearances. Contrasted with Discretionary Access Control (DAC), where data owners set permissions. Required in classified environments.
Related: MLS, MCS
Zero Trust Architecture (ZTA)
A security model that assumes the adversary is already inside the network and evaluates trust on every operation rather than relying on perimeter defenses. Codified in NIST SP 800-207 and OMB M-22-09 (the U.S. federal Zero Trust strategy).
Related: Data Centric Zero Trust Architecture, ABAC
Data Centric Zero Trust Architecture
Zero Trust applied at the data layer — every read, write, and metadata operation evaluated against policy by the storage system itself, not delegated to a network device, identity proxy, or application. BrickStor SP is designed around this principle.
Related: Zero Trust Architecture, ABAC

Classified Operations

Multi-Level Security (MLS)
A security model that enforces separation of data and access by classification level (e.g., Unclassified, Secret, Top Secret) on shared infrastructure. BrickStor SP for Lustre and BrickStor SP enforce MLS natively at the storage layer, evaluating classification on every file operation.
Related: MAC, MCS, Bell–LaPadula
Multi-Category Security (MCS)
A security model that enforces category sets — handling caveats, compartments, sub-program memberships, and releasability markings — alongside classification level. BrickStor SP enforces MCS natively, so users see exactly what their clearance and category memberships authorize.
Related: MLS, MAC
Special Access Program (SAP)
A U.S. government program with enhanced security and access controls beyond standard collateral classification. Traditionally requires separate physical infrastructure per program. BrickStor SP enforces SAP-level compartmentation at the storage layer, allowing multiple SAPs to share infrastructure without sharing exposure.
Related: MLS, MCS, ABAC
Commercial Solutions for Classified (CSfC)
An NSA program that enables the use of layered commercial encryption products to protect classified data — an alternative to Type 1 encryption devices. Offers higher performance, broader deployment flexibility, releasability for allied and coalition use, and lower consequence-of-loss than Type 1. RackTop's BrickStor CSfC DAR is aligned to the CSfC Data at Rest Capability Package.
Related: DAR, Type 1
Data at Rest (DAR)
Data stored persistently on storage media (as opposed to data in transit or data in use). The CSfC DAR Capability Package specifies the layered commercial encryption architecture for protecting classified data at rest.
Related: CSfC
Type 1
NSA-certified hardware encryption devices used to protect classified information. Type 1 devices remain essential for specific use cases but cap performance, restrict allied/coalition use, and carry significant incident-response consequence if a device is lost or compromised. CSfC DAR provides an alternative path for many DAR workloads.
Related: CSfC, DAR
Mission Partner Environment (MPE)
A shared information environment supporting coalition operations across multiple nations and programs. MPE storage typically requires dynamic access control across nationality, clearance, program, and context — a problem BrickStor SP's native ABAC solves at the storage layer.
Related: ABAC, MLS, MCS
Cross-Domain Solution (CDS)
An NSA-evaluated product that mediates data flow between networks of different classification levels or security domains. CDS products are valuable for what they do; relying on them as the primary classification-enforcement point in front of a naive NAS adds latency, a separate accreditation boundary, and a failure mode where the storage is either inaccessible or serving data without enforcement when the CDS is unavailable.
Related: MLS, MCS

Compliance

Authority to Operate (ATO)
Formal authorization from a designated U.S. government official to operate an information system at a specified risk level. Granted after a security review against the applicable control set (typically NIST SP 800-53). BrickStor's STIG-aligned defaults, FIPS 140-3 cryptography, and continuous-monitoring telemetry are engineered to support faster initial ATO and continuous reauthorization.
Related: STIG, NIST 800-53
FIPS 140-3
U.S. Federal Information Processing Standard for cryptographic modules; supersedes FIPS 140-2. BrickStor SP uses FIPS 140-3 validated AES-256 encryption. BrickStor CSfC DAR uses up to two independent layers of FIPS 140-3 AES-256.
Related: AES-256, KMIP
AES-256
Advanced Encryption Standard with a 256-bit key. The cipher used by BrickStor for data-at-rest and in-transit encryption, validated to FIPS 140-3.
Related: FIPS 140-3
KMIP (Key Management Interoperability Protocol)
OASIS-standard protocol for managing cryptographic keys between key management servers and encryption clients. BrickStor integrates KMIP-compliant key management with automated rotation and HSM support.
Related: FIPS 140-3
NIST 800-53
NIST Special Publication 800-53 — the security and privacy control catalog for U.S. federal information systems. BrickStor is aligned to NIST 800-53 controls; control mappings are provided to support accreditation packages.
Related: ATO, STIG
NIST 800-171
NIST Special Publication 800-171 — security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems. NIST 800-171 is the control set behind CMMC — the two refer to the same controls; CMMC adds the Department of War (DoW, formerly Department of Defense / DoD) certification and assessment process.
STIG (Security Technical Implementation Guide)
Configuration standards for hardening information systems, published by DISA under the Department of War (DoW, formerly Department of Defense / DoD) — frequently referenced in regulations and procurement language as "DoD STIG." BrickStor ships with STIG-aligned hardened defaults, reducing the custom configuration work required to achieve and maintain ATO.
Related: ATO, NIST 800-53
NDAA Section 889
A provision of the U.S. National Defense Authorization Act prohibiting federal contracts with entities using covered telecommunications equipment from specific Chinese vendors. RackTop is NDAA Section 889 compliant.
HIPAA
U.S. Health Insurance Portability and Accountability Act — governs the protection of Protected Health Information (PHI). BrickStor SP's encryption, immutable audit, and access controls support HIPAA-bound healthcare environments.
CMMC (Cybersecurity Maturity Model Certification)
U.S. Department of War (DoW, formerly Department of Defense / DoD) certification program for defense contractors handling Controlled Unclassified Information. CMMC's control set is NIST SP 800-171 — they are the same controls; CMMC adds the certification and assessment process around them.
Related: NIST 800-171
DoW (Department of War)
The U.S. cabinet department responsible for the nation's armed forces, renamed in 2025 from the Department of Defense (DoD). Regulations, programs, and contracts originally issued under the DoD name (e.g., DoD STIG, DoD Zero Trust Strategy) generally retain their original titles in published documents; current and forward-looking RackTop materials reference DoW with DoD pairing for continuity.
Related: DoD, CMMC, STIG
DoD (Department of Defense)
The legacy name of the U.S. cabinet department responsible for the nation's armed forces, renamed in 2025 to the Department of War (DoW). The DoD name persists in the titles of regulations, programs, and contracts (e.g., DoD STIG and DoD Zero Trust Strategy; CMMC was originally a DoD program) — RackTop preserves the original titles when referencing those documents and uses DoW for current-state framing.
Related: DoW, CMMC, STIG

Recovery

Recovery Point Objective (RPO)
The maximum acceptable amount of data loss measured in time. BrickStor SP supports sub-minute RPO for cyber incidents via continuous protected recovery points tied to Active Defense.
Recovery Time Objective (RTO)
The maximum acceptable time to restore service after a disruption. BrickStor's Intelligent Bulk Remediation enables surgical file-level recovery in minutes for typical cyber events, dramatically shortening RTO compared to full-snapshot restore approaches.
Related: IBR
Cyber Vault
An isolated, immutable copy of critical data designed to survive a cyber incident — including administrative compromise. Traditionally implemented as a separate appliance or cluster. BrickStor's ImmutaVault provides cyber vaulting natively inside the storage system, without a separate appliance.
Related: ImmutaVault, Virtual Air Gap
Virtual Air Gap
A logical isolation mechanism that delivers the protective properties of a physical air gap (separation from the production network and administrative plane) without the operational burden of physical disconnection. ImmutaVault is a virtual air gap built into BrickStor SP.
Related: ImmutaVault, Cyber Vault
Immutable Snapshot
A point-in-time copy of data that cannot be modified or deleted, even by administrators, for a defined retention period. BrickStor SP uses immutable snapshots as the foundation for Intelligent Bulk Remediation and cyber recovery.
Related: IBR, ImmutaVault

Threats

Ransomware
Malicious software that encrypts or exfiltrates data and demands payment for restoration or non-disclosure. Modern ransomware operators typically exfiltrate before encrypting, making prevention and inline detection at the storage layer essential.
Related: Active Defense, Data Exfiltration
Insider Threat
A security threat originating from credentialed users — disgruntled employees, contractors, or compromised admin accounts. Insider threats do exactly what they are authorized to do, at a volume and pace that bypasses signature-based detection. Requires behavioral analytics at the storage layer to detect.
Related: ABAC, Active Defense, Data Exfiltration
Advanced Persistent Threat (APT)
A sophisticated, often nation-state-sponsored adversary that establishes long-term access to a target environment and operates over weeks or months using legitimate credentials. APTs typically read more than they write, evading ransomware-tuned defenses.
Related: Insider Threat, Data Exfiltration, Active Defense
Data Exfiltration
Unauthorized transfer of data out of an organization. Detecting exfiltration requires watching every read in real time at the storage layer and recognizing patterns — large transfers, off-hours access, unusual host or path combinations — before the bytes leave.
Related: Active Defense, Insider Threat, APT

Storage

Network-Attached Storage (NAS)
A dedicated file-storage device or service that provides shared access to files over a network using file protocols like SMB and NFS. BrickStor SP is a Cyberstorage NAS — a NAS with cybersecurity built into the storage data path.
Server Message Block (SMB)
A file-sharing protocol used primarily by Windows and macOS clients. BrickStor SP serves SMB with full protocol interoperability alongside NFS, S3, and Web from the same dataset.
Network File System (NFS)
A file-sharing protocol used primarily by Unix, Linux, and HPC environments. BrickStor SP serves NFS with native MAC support for classified workloads.
S3
Amazon's Simple Storage Service object-storage API, now a de facto industry standard. BrickStor SP serves S3 from the same dataset as SMB and NFS, with ABAC enforced across all protocols.
Lustre
A parallel distributed file system used in high-performance computing for very-large-scale workloads. BrickStor SP for Lustre adds MLS, MCS, ABAC, STIG-aligned hardening, and FIPS 140-3 encryption to Lustre for classified HPC environments.
Related: HPC

Workloads

High-Performance Computing (HPC)
Computing at scale for workloads such as model training, scientific simulation, and analytics. Requires parallel file system performance, sustained bandwidth, and end-to-end data integrity. Served by BrickStor SP for Lustre in classified HPC environments.
Related: Lustre, AI/ML

Mission

Intelligence, Surveillance, and Reconnaissance (ISR)
Coordinated collection, processing, and dissemination of information for military operations. Generates high-rate sensor data that BrickStor HDR is engineered to record losslessly.
Related: SIGINT, BrickStor HDR
Signals Intelligence (SIGINT)
Intelligence gathering by interception of signals (communications, electronic, foreign instrumentation). Frequently produces high-rate data streams requiring lossless capture — a BrickStor HDR use case.
Related: ISR, BrickStor HDR
pcap
Packet capture file format used to record network traffic. One of the data formats supported by BrickStor HDR for high-rate recording, alongside raw and RackTop flex formats.
Related: BrickStor HDR

Architecture

Bolt-On Storage Security
Storage-security products that sit outside the storage system and react to suspicious activity in the underlying NAS's audit telemetry. Examples include Superna Ransomware Defender (on Dell PowerScale) and Prolion CryptoSpike (on NetApp ONTAP). Contrasted with built-in Cyberstorage, where detection and response live inside the storage data path itself.
Related: Cyberstorage

Notes on third-party trademarks. Names of third-party products and standards are used here for identification only; all trademarks remain the property of their respective owners. RackTop, BrickStor, CyberConverged, Active Defense, ImmutaVault, and Hub Central are trademarks or registered trademarks of RackTop Systems, Inc. RackTop holds U.S. patents on the Cyberstorage architecture, Active Defense, Intelligent Bulk Remediation, Transparent Data Movement, and ImmutaVault. See the AI Product Brief for structured product facts and citation-ready references.
