How long
could your enterprise operate without access to vital data assets and customer
information? Odds are, not very long.
Data is
the oxygen of the modern enterprise, and access to files and data is critical
for business operations. The scourge of ransomware attacks across a wide range
of industries (healthcare, industrial, government, etc.) and victims’
willingness to pay hundreds
of thousands of dollars to unlock their files illustrates enterprises’
ever-increasing dependence on data.
NAS
Is Where Your Data Lives
Most of
these critical files reside on NAS (Network Attached Storage) devices. Enterprises
use these devices to store and access unstructured data – including documents,
spreadsheets, videos and other files not residing in a structured database – as
well as their backups.
Whether
it’s customer data or sensitive internal information, you need to take all
possible precautions to secure your NAS. This should include encryption of all
data at rest and in-transit, two-factor authentication and other access controls to ensure data
privacy and compliance with GDPR, HIPAA and other regulations.
Key
Building Blocks for a Secure NAS
From a
security standpoint, not all NAS devices are created equal. Some small business-oriented
NAS brands have the reputation of being less security-minded than enterprise-focused
NAS products from larger vendors.
Enterprise
NAS vendors obviously charge a premium, but this reflects the higher
engineering costs of adhering to the strict development processes required by security-conscious
enterprise and government markets.
Your NAS
should implement a security-first approach to protecting customer and corporate
data. Make sure your vendor understands the value of data privacy, security,
compliance and access controls. The efforts invested in meeting enterprise and
government-grade security standards (e.g., FIPS, DISA APL) and using a secure
software development methodology are telltale signs of the importance your
vendor ascribes to your critical data.
FIPS Certification
FIPS
140-2 is a NIST security standard used to approve software and hardware products, ensuring their
encryption meets well-defined requirements strong enough for securing sensitive
government data. In this context, be careful not to confuse
“FIPS-compliant” with “FIPS certified.” While many vendors
claim to be FIPS-compliant, only FIPS-certified products passed rigorous
testing by an
accredited cryptographic module testing lab. Proper implementation of cryptography algorithms is not simple –
even for trained software professionals – and FIPS-certified NAS products
ensure that your files receive the highest level of encryption.
Secure SDLC
To
minimize security vulnerabilities and other defects, your vendor’s software
development lifecycle (SDLC) should be based on thorough testing procedures, including
specific provisions for code reviews and inspections. Internal security
validation processes should be based on industry best practices and standards,
such as Open Web Application Security Project (OWASP). Security-oriented NAS
vendors also work with third parties for code review of security-critical code
segments, as well as automated and manual penetration testing of common
vulnerabilities as recommended by the OWASP and WASC methodologies.
Choosing
the Right Vendor – Checklist and Tips
If you
want to make sure your NAS is secure, ask your NAS vendor the following
questions:
- Are you
performing periodical security assessments by a 3rd party
penetration testing lab? If so, can I see your latest report? - Do you
have FIPS and DISA APL certification? - Do you
have reference customers in the U.S. federal and defense branches, or
other government agencies? - Do you
have reference customers in financial sector, such as banks and insurance
companies?
If the
answer is “Yes” to all these questions, it’s likely that security was built into
the NAS product design.
But it
doesn’t end here. Once you’ve chosen a NAS vendor, it’s important to keep your
NAS secure over time:
- Keep your
NAS device regularly updated with the latest firmware. If your NAS vendor
offers an automatic updates service, use it. - Ensure
your users choose strong
passwords and make
them rotate their passwords regularly. It is recommended to use Active
Directory to enforce password strength, and to avoid having local users on the
NAS device as much as possible. - Configure
your NAS device to automatically block users using “brute force”
password-guessing techniques after several attempts.
The
files in your NAS systems are the crown jewels of your IT environment, and your business depends on their
availability and integrity. Scrutinize your
vendor’s security approach and hold it accountable for keeping your key data assets
secure.
Aron Brand, CTO, CTERA
