How long could your enterprise operate without access to vital data assets and customer information? Odds are, not very long.
Data is the oxygen of the modern enterprise, and access to files and data is critical for business operations. The scourge of ransomware attacks across a wide range of industries (healthcare, industrial, government, etc.), and victims’ willingness to pay hundreds of thousands of dollars to unlock their files, illustrates enterprises’ ever-increasing dependence on data.
NAS Is Where Your Data Lives
Many of these critical files reside on NAS (Network Attached Storage) devices. Enterprises use these devices to store and access unstructured data – including documents, spreadsheets, videos and other files not residing in a structured database – as well as their backups.
Whether it’s customer data or sensitive internal information, you need to take all possible precautions to secure your NAS. This should include encryption of all data at rest and in transit, two-factor authentication, and other access controls to ensure data privacy and compliance with GDPR, HIPAA and other regulations.
Building Blocks for a Secure NAS
From a security standpoint, not all NAS devices are created equal. Some small-business-oriented NAS brands have a reputation for being less security-minded than enterprise-focused NAS products from larger vendors.
Enterprise-focused NAS vendors obviously charge a premium, but this reflects the higher engineering costs of adhering to the strict development processes required by security-conscious enterprise and government markets.
Your NAS vendor should implement a security-first approach to protecting customer and corporate data. Make sure your vendor understands the value of data privacy, security, compliance and access controls. The effort invested in meeting enterprise- and government-grade security standards (e.g., FIPS, DISA APL) and in using a secure software development methodology is a telltale sign of the importance your vendor ascribes to your critical data.
FIPS 140-2 is a NIST security standard used to approve software and hardware products, ensuring that their encryption meets well-defined requirements strong enough for securing sensitive government data. In this context, be careful not to confuse “FIPS-compliant” with “FIPS-certified.” While many vendors claim to be FIPS-compliant, only FIPS-certified products have passed rigorous testing by an accredited cryptographic module testing lab. Proper implementation of cryptographic algorithms is not simple – even for trained software professionals – and FIPS-certified NAS products ensure that your files receive the highest level of encryption.
To minimize security vulnerabilities and other defects, your vendor’s software development lifecycle (SDLC) should be based on thorough testing procedures, including specific provisions for code reviews and inspections. Internal security validation processes should be based on industry best practices and standards, such as those of the Open Web Application Security Project (OWASP). Security-oriented NAS vendors also work with third parties for code review of security-critical code segments, as well as automated and manual penetration testing for common vulnerabilities as recommended by the OWASP and WASC methodologies.
Choosing the Right Vendor – Checklist and Tips
If you want to make sure your NAS is secure, ask your NAS vendor the following questions:
- Are you performing periodic security assessments by a third-party penetration testing lab? If so, can I see your latest report?
- Do you have FIPS and DISA APL certification?
- Do you have reference customers in the U.S. federal and defense branches, or other government agencies?
- Do you have reference customers in the financial sector, such as banks and insurance?
If the answer is “Yes” to all these questions, it’s likely that security was built into the NAS product design.
The job doesn’t end here. Once you’ve chosen a NAS vendor, it’s important to keep your NAS secure over time:
- Keep your NAS device regularly updated with the latest firmware. If your NAS vendor offers an automatic update service, use it.
- Make sure your users choose strong passwords and rotate them regularly. It is recommended to use Active Directory to enforce password strength, and to avoid having local users on the NAS device as much as possible.
- Configure your NAS device to automatically block users employing “brute force” password-guessing techniques after several failed attempts.
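As an added illustration of the lockout behaviour recommended above (example code written for this article, not CTERA’s or any NAS vendor’s implementation): a sliding-window failed-login counter run over constructed sample authentication log lines. The threshold, window, lockout duration and the “timestamp user ip result” log format are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed lockout policy values; tune them to your NAS vendor's settings
MAX_FAILURES = 5                  # failures within WINDOW that trigger a lockout
WINDOW = timedelta(minutes=10)    # sliding window for counting failures
LOCKOUT = timedelta(minutes=30)   # how long the account stays blocked

# Constructed sample log lines in a hypothetical "timestamp user ip result" format
SAMPLE_LOG = """\
2024-03-01T10:00:01 alice 10.0.0.5 FAIL
2024-03-01T10:00:03 alice 10.0.0.5 FAIL
2024-03-01T10:00:04 alice 10.0.0.5 FAIL
2024-03-01T10:00:06 alice 10.0.0.5 FAIL
2024-03-01T10:00:07 alice 10.0.0.5 FAIL
2024-03-01T10:00:09 alice 10.0.0.5 OK
2024-03-01T10:15:00 bob 10.0.0.9 FAIL
2024-03-01T10:40:00 bob 10.0.0.9 FAIL
2024-03-01T10:41:00 bob 10.0.0.9 OK
"""

def parse(line):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result

def evaluate(log_text):
    """Replay the log and return (decisions, locked_until).

    decisions is a list of (user, outcome) per line; locked_until maps a
    user to the time their lockout expires."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}
    decisions = []
    for line in log_text.splitlines():
        ts, user, _ip, result = parse(line)
        q = failures[user]
        while q and ts - q[0] > WINDOW:   # drop failures outside the window
            q.popleft()
        if user in locked_until and ts < locked_until[user]:
            decisions.append((user, "LOCKED"))   # rejected even with a valid password
            continue
        if result == "FAIL":
            q.append(ts)
            if len(q) >= MAX_FAILURES:
                locked_until[user] = ts + LOCKOUT
                q.clear()
                decisions.append((user, "LOCKOUT_TRIGGERED"))
            else:
                decisions.append((user, "DENY"))
        else:
            q.clear()                 # a successful login resets the counter
            decisions.append((user, "ALLOW"))
    return decisions, locked_until
```

Note that bob’s two failures fall outside one window and never trigger a lockout, while alice’s correct password at 10:00:09 is still rejected because her account is already locked.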
The files in your NAS systems are the crown jewels of your IT environment, and your business depends on their availability and integrity. Scrutinize your vendor’s security approach and hold it accountable for keeping your key data assets secure.
Aron Brand, CTO, CTERA