How long could your enterprise operate without access to vital data assets and customer information? Odds are, not very long.
Data is the oxygen of the modern enterprise, and access to files and data is critical for business operations. The scourge of ransomware attacks across a wide range of industries (healthcare, industrial, government, etc.) and victims' willingness to pay hundreds of thousands of dollars to unlock their files illustrates enterprises' ever-increasing dependence on data.
NAS Is Where Your Data Lives
Most of these critical files reside on NAS (Network Attached Storage) devices. Enterprises use these devices to store and access unstructured data - including documents, spreadsheets, videos and other files not residing in a structured database – as well as their backups.
Whether it's customer data or sensitive internal information, you need to take all possible precautions to secure your NAS. This should include encryption of all data at rest and in-transit, two-factor authentication and other access controls to ensure data privacy and compliance with GDPR, HIPAA and other regulations.
Key Building Blocks for a Secure NAS
From a security standpoint, not all NAS devices are created equal. Some small business-oriented NAS brands have the reputation of being less security-minded than enterprise-focused NAS products from larger vendors.
Enterprise NAS vendors obviously charge a premium, but this reflects the higher engineering costs of adhering to the strict development processes required by security-conscious enterprise and government markets.
Your NAS should implement a security-first approach to protecting customer and corporate data. Make sure your vendor understands the value of data privacy, security, compliance and access controls. The efforts invested in meeting enterprise and government-grade security standards (e.g., FIPS, DISA APL) and using a secure software development methodology are telltale signs of the importance your vendor ascribes to your critical data.
FIPS 140-2 is a NIST security standard used to approve software and hardware products, ensuring their encryption meets well-defined requirements strong enough for securing sensitive government data. In this context, be careful not to confuse "FIPS-compliant" with "FIPS certified." While many vendors claim to be FIPS-compliant, only FIPS-certified products passed rigorous testing by an accredited cryptographic module testing lab. Proper implementation of cryptography algorithms is not simple – even for trained software professionals – and FIPS-certified NAS products ensure that your files receive the highest level of encryption.
To minimize security vulnerabilities and other defects, your vendor's software development lifecycle (SDLC) should be based on thorough testing procedures, including specific provisions for code reviews and inspections. Internal security validation processes should be based on industry best practices and standards, such as Open Web Application Security Project (OWASP). Security-oriented NAS vendors also work with third parties for code review of security-critical code segments, as well as automated and manual penetration testing of common vulnerabilities as recommended by the OWASP and WASC methodologies.
Choosing the Right Vendor – Checklist and Tips
If you want to make sure your NAS is secure, ask your NAS vendor the following questions:
- Are you performing periodical security assessments by a 3rd party penetration testing lab? If so, can I see your latest report?
- Do you have FIPS and DISA APL certification?
- Do you have reference customers in the U.S. federal and defense branches, or other government agencies?
- Do you have reference customers in financial sector, such as banks and insurance companies?
If the answer is “Yes” to all these questions, it's likely that security was built into the NAS product design.
But it doesn't end here. Once you've chosen a NAS vendor, it's important to keep your NAS secure over time:
- Keep your NAS device regularly updated with the latest firmware. If your NAS vendor offers an automatic updates service, use it.
- Ensure your users choose strong passwords and make them rotate their passwords regularly. It is recommended to use Active Directory to enforce password strength, and to avoid having local users on the NAS device as much as possible.
- Configure your NAS device to automatically block users using “brute force” password-guessing techniques after several attempts.
The files in your NAS systems are the crown jewels of your IT environment, and your business depends on their availability and integrity. Scrutinize your vendor's security approach and hold it accountable for keeping your key data assets secure.
Aron Brand, CTO, CTERA