Protect your data assets – Building a secure NAS from the ground up

How long could your enterprise operate without access to vital data assets and customer information? Odds are, not very long.

Data is the oxygen of the modern enterprise, and access to files and data is critical for business operations. The scourge of ransomware attacks across a wide range of industries (healthcare, industrial, government, etc.) and victims’ willingness to pay thousands of dollars to unlock their files illustrate enterprises’ ever-increasing dependence on data.

NAS Is Where Your Data Lives

Most of these critical files reside on NAS (Network Attached Storage) devices. Enterprises use these devices to store and access unstructured data – including documents, spreadsheets, videos and other files not residing in a structured database – as well as their backups.

Whether it’s customer data or sensitive internal information, you need to take all possible precautions to secure your NAS. This should include encryption of all data at rest and in transit, two-factor authentication and other access controls to ensure data privacy and compliance with GDPR, HIPAA and other regulations.

Building Blocks for a Secure NAS

From a security standpoint, not all NAS devices are created equal. Some small-business-oriented NAS brands have the reputation of being less security-minded than enterprise-focused NAS products from larger vendors.

Enterprise NAS vendors obviously charge a premium, but this reflects the higher engineering costs of adhering to the strict development processes required by security-conscious enterprise and government markets.

Your NAS should implement a security-first approach to protecting customer and corporate data. Make sure your vendor understands the value of data privacy, security, compliance and access controls. The efforts invested in meeting enterprise and government-grade security standards (e.g., FIPS, DISA APL) and using a secure software development methodology are telltale signs of the importance your vendor ascribes to your critical data.

FIPS Certification

FIPS 140-2 is a NIST security standard used to approve software and hardware products, ensuring their encryption meets well-defined requirements strong enough for securing sensitive government data. In this context, be careful not to confuse “FIPS-compliant” with “FIPS-certified.” While many vendors claim to be FIPS-compliant, only FIPS-certified products have passed rigorous testing by an accredited cryptographic module testing lab. Proper implementation of cryptographic algorithms is not simple – even for trained software professionals – and FIPS-certified NAS products ensure that your files receive the highest level of encryption.

Secure SDLC

To minimize security vulnerabilities and other defects, your vendor’s software development lifecycle (SDLC) should be based on thorough testing procedures, including specific provisions for code reviews and inspections. Internal security validation processes should be based on industry best practices and standards, such as those of the Open Web Application Security Project (OWASP). Security-oriented NAS vendors also work with third parties for code review of security-critical code segments, as well as automated and manual penetration testing for common vulnerabilities as recommended by the OWASP and WASC methodologies.

Choosing the Right Vendor – Checklist and Tips

If you want to make sure your NAS is secure, ask your NAS vendor the following questions:

  • Are you performing periodic security assessments by a third-party penetration testing lab? If so, can I see your latest report?
  • Do you have FIPS and DISA APL certification?
  • Do you have reference customers in the U.S. federal and defense branches, or other government agencies?
  • Do you have reference customers in the financial sector, such as banks and insurance companies?

If the answer is “Yes” to all these questions, it’s likely that security was built into the NAS product design.

But it doesn’t end here. Once you’ve chosen a NAS vendor, it’s important to keep your NAS secure over time:

  • Keep your NAS device regularly updated with the latest firmware. If your NAS vendor offers an automatic update service, use it.
  • Ensure your users choose strong passwords and make them rotate their passwords regularly. It is recommended to use Active Directory to enforce password strength, and to avoid having local users on the NAS device as much as possible.
  • Configure your NAS device to automatically block users using “brute force” password-guessing techniques after several attempts.
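The last item above, automatic blocking of brute-force password guessing, is the one place this checklist turns into concrete logic, so here is what such a lockout policy looks like when replayed over an authentication log. This Python script is an added example, not code from the article or from CTERA or any NAS vendor; the log format, account names, source addresses and thresholds are all constructed for the illustration, and a real NAS would enforce the same rule inside its authentication service rather than by post-processing logs.

```python
"""Sliding-window lockout policy applied to a NAS authentication log.

Added example (not vendor code). Rule: after MAX_FAILURES failed logins for
the same account within WINDOW, the account is locked for LOCKOUT and every
further attempt is rejected until the lock expires, even with the correct
password. A successful login inside the window resets the failure counter.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # failures tolerated inside the window
WINDOW = timedelta(minutes=10)   # sliding window for counting failures
LOCKOUT = timedelta(minutes=30)  # how long a locked account stays locked

# Constructed sample log, one event per line: "<ISO timestamp> <user> <source ip> <result>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice 10.0.0.5 FAIL
2024-05-01T09:00:05 alice 10.0.0.5 FAIL
2024-05-01T09:00:09 alice 10.0.0.5 FAIL
2024-05-01T09:00:14 alice 10.0.0.5 FAIL
2024-05-01T09:00:20 alice 10.0.0.5 FAIL
2024-05-01T09:00:25 alice 10.0.0.5 OK
2024-05-01T09:20:00 bob 10.0.0.7 FAIL
2024-05-01T09:45:00 alice 10.0.0.9 OK
2024-05-01T09:50:00 bob 10.0.0.7 OK
"""


class LockoutPolicy:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> datetime at which the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record(self, user, now, success):
        """Apply one auth event and return the decision: 'allow', 'deny' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"  # rejected regardless of whether the password was right
        if success:
            self.failures[user].clear()  # a good login resets the failure counter
            return "allow"
        recent = self.failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            recent.clear()
            return "locked"
        return "deny"


def parse_line(line):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result == "OK"


def replay(log_text, policy=None):
    """Replay a log through the policy; return a list of (timestamp, user, decision)."""
    policy = policy or LockoutPolicy()
    decisions = []
    for line in log_text.strip().splitlines():
        ts, user, _ip, ok = parse_line(line)
        decisions.append((ts.isoformat(), user, policy.record(user, ts, ok)))
    return decisions


if __name__ == "__main__":
    for ts, user, decision in replay(SAMPLE_LOG):
        print(ts, user, decision)
```

In the sample, alice's fifth failure at 09:00:20 locks the account, so the correct password at 09:00:25 is still rejected and she only gets in again at 09:45, after the 30-minute lock has expired; bob's single failure never reaches the threshold. Two design points worth carrying over to a real deployment: keying the counter on the account alone lets an attacker who knows a username lock that user out, so production implementations usually combine account lockout with per-source-address throttling, and the lockout events themselves should be forwarded to your log collector, since a burst of them is the detection signal for a password-guessing campaign.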

The files in your NAS systems are the crown jewels of your IT environment, and your business depends on their availability and integrity. Scrutinize your vendor’s security approach and hold it accountable for keeping your key data assets

Aron Brand, CTO, CTERA

