A device configured to receive a data storage request that identifies a target data storage device for a data element. The device is further configured to determine a security level associated with the target data storage device. The device is further configured to determine a protection level range based on the determined security level and to identify one or more security controls within the protection level range. Each security control comprises a hardware configuration for data storage devices that are associated with mitigating one or more vulnerability types. The device is further configured to output the identified one or more security controls.