How to build a secure NAS

Businesses must take all possible measures to secure their Network Attached Storage devices, writes CTERA CTO Aron Brand


Take a second to imagine how long your organisation could operate without access to vital data assets and customer information. Data, and easy access to it, is the lifeblood of the modern enterprise, vital for everyday business operations. Following disastrous ransomware attacks across a wide range of industries, victims are willing to pay hundreds of thousands of dollars to unlock their files, highlighting the ever-increasing dependence of organisations on their information. The majority of these crucial files reside on NAS (Network Attached Storage) devices. Enterprises use NAS products to store and access unstructured data, such as documents, spreadsheets, videos and other files not residing in a structured database – as well as their backups. In a climate where the value of data opens it up to attack, organisations must take all possible measures to secure their NAS, including encryption of all data at rest and in-transit, two-factor authentication and other access controls to ensure data privacy and compliance with GDPR, HIPAA and other regulations. Not all NAS are created equal From a security angle, not all NAS devices are created equal. Some small business-oriented NAS brands have the reputation of putting less emphasis on security than enterprise NAS products from larger vendors.

Enterprise NAS vendors of course charge a premium, and this reflects the higher engineering costs of adhering to the strict development processes required by enterprise and government markets where security is a top priority. When purchasing a NAS, ensure it has a security-first approach to protecting customer and corporate data. Make sure your vendor understands the value of data privacy, security, compliance and access controls. The efforts invested in meeting enterprise and government-grade security standards (e.g., FIPS, DISA APL) and using a secure software development methodology are a useful indicator of the importance your vendor attributes to your crucial data. FIPS compliance vs certification FIPS 140-2 is a NIST security standard used to approve software and hardware products that meet well-defined requirements for encryption strong enough to secure sensitive government data. Beware of confusing "FIPS-compliant" with "FIPS-certified." While many vendors claim to be FIPS-compliant, only FIPS-certified products have passed rigorous testing in an accredited cryptographic module testing lab. Proper implementation of cryptography algorithms is not simple – even for trained software professionals – and FIPS-certified NAS products ensure that your files receive the highest level of encryption.

SDLC To minimise security vulnerabilities and other defects, check that your vendor's software development lifecycle (SDLC) includes thorough testing procedures, with specific provisions for code reviews and inspections. Internal security validation processes should be based on industry best practices and standards, for example Open Web Application Security Project (OWASP). Security-oriented NAS vendors also work with third parties for code review of security-critical code segments, as well as automated and manual penetration testing of common vulnerabilities as recommended by the OWASP and Web Application Security Consortium (WASC) methodologies. How to choose the right vendor? To ensure the NAS you purchase is secure, ask any potential vendor the following questions: 1) Are you performing periodical security assessments by a third-party penetration testing lab? If so, can I see your latest report? 2) Do you have FIPS and DISA APL certification? 3) Do you have reference customers from any government agencies? 4) Do you have reference customers in the financial sector, such as banks and insurance companies? A "yes" to all these questions will indicate that your NAS is secure and you can move on to step two: how can you keep your NAS secure in the long term? 1) Be vigilant when it comes to updating your NAS device with the latest firmware. If your NAS vendor offers an automatic updates service, be sure to make use of it. 2) Make sure everyone who uses the NAS selects a strong password and rotates their passwords regularly. An Active Directory is advisable as it enforces password strength, and avoids having local users on the NAS device as much as possible. 3) Configure the NAS device to automatically block users using “brute force” password-guessing techniques after several attempts. NAS systems hold the crown jewels of your IT environment, and your business depends on their availability and integrity. Evaluate your supplier's approach to security and don't leave the protection of your data to chance.


image
image