Security Recommendations for Network Attached Storage (NAS) Devices

Purpose

NAS devices are often inexpensive to procure and can hold a great deal of data. To protect that data against accidental or unauthorized access, tampering, disclosure, or loss, consider these security recommendations. This list is not exhaustive.

Do A Risk Analysis

When considering impact, please take into account monetary, reputational damage, and contractual obligations for the individuals involved and for the University.

  • Is data in the system subject to regulation, such as PCI DSS, FIPPA, PHIPA, or research agency rules?
  • Is data in the system considered confidential by University standards?
  • What would be the impact if the data were accessed and disclosed?
  • What would be the impact if the data were tampered with, perhaps without that being evident?
  • What would be the impact if the data were accidentally or deliberately deleted, lost or destroyed, perhaps permanently?

If any of the above are true, or are high impact, then an IT-managed and supported device or service should be considered rather than a stand-alone NAS device. Otherwise, please see further steps below.

Planning For Deployment and Configuration

The following are useful questions to consider as part of determining how best to configure the system.

  • Who are the users of the system?
  • Is access limited to only those users?
  • From where (other devices, systems, networks, or locations) do those users need to access the system?
  • Who is the identified person or group who owns/controls the system?
  • Are there different levels of access required for different users?
  • How does someone request access to the system?
  • How is access removed when no longer required and how is that determined?
  • Who is responsible for security configuration and settings?
  • Are backups needed and if so how are they done?
  • Who is the contact if a problem or compromise is identified with the system?

Notification of New or Removed device

Please notify UIT Information Security about the addition or removal of a NAS device, its MAC address, and contact information of individuals responsible for operation of the device. This assists with timely notification and response in the event Information Security detects vulnerability or signs of intrusion.

Follow these Baseline Security Controls

  1. Document the presence of the device in an inventory list so its lifecycle can be tracked. This will be needed as the location and purpose of the device changes, and at the end of its serviceable life to record the secure disposal.
  2. Protect against theft or tampering of the device by locating it in a physically secure area at minimum behind a locked door, but also considering card-based access control, alarms, and CCTV monitoring. Data centre facilities are available from UIT to facilitate this.
  3. Backup and recovery method for data on the device should be considered. Services are available from UIT to facilitate this.
  4. When lifecycle of the device is complete, dispose of it securely either by secure wipe of data or secure destruction of media so confidential data cannot be recovered. Services are available from UIT to facilitate this.
  5. Ensure that the operating system and software used is supported by the manufacturer and that all security updates are regularly applied.
  6. Accounts and passwords must be managed according to University guidelines, including removing default accounts and passwords, setting minimum password strength, and use of identifiable accounts for each individual. http://www.yorku.ca/univsec/policies/document.php?document=126
  7. Enable secure authentication using industry standard methods that encrypt login and password information in transit.
  8. Enable and manage access to data on the system as appropriate for the data and use of the system.
  9. Configure the system to disable network services that are not in use to minimize exposure to potential security vulnerabilities.
  10. Avoid non-secure authentication and file access such as FTP and HTTP.
  11. Configure a firewall or network access controls on the system to restrict access to only those systems that are required for access and operation of the system. Be aware that a typical network port used by researchers on the University network may be open to access by the entire Internet by default.
  12. Configure remote access to require use of a Virtual Private Network (VPN). UIT provides VPN services to the University community.
  13. Enable encryption of the data on disk (at rest) where that feature is available. UIT services are available to facilitate disk encryption for common operating systems.
  14. Enable anti-virus scanning of the data where available. UIT provides anti-virus software free of charge to all York students, staff and faculty.
  15. Ensure that personnel responsible for operation of the system are appropriately trained on system administration and security skills and best practices.
  16. Institute a process to regularly review logs to identify and respond to attacks or abuse.
  17. Notify UIT Information Security immediately in the event of any suspected security breach.
  18. Be aware of and abide by University policy for Network Management and Security.

 

Please note these recommendations are not exhaustive and additional controls and considerations may be required. In particular, research data sets may have specific requirements not stated here.