Network Attached Storage – NAS

Data needs are in an almost persistent state of evolution and expansion, and solutions for secure, reliable storage to address those needs are a top priority for administrators. It is important when considering solutions to perform due diligence through the selection process, ensuring the appropriate product is chosen.

Purchase of a consumer-grade Network Attached Storage (NAS) solution may stem from a desire to cut costs, or the portability of a desktop attached device, but consumer-grade storage solutions are not an appropriate choice for UNC-Chapel Hill business-related information.

Consumer grade NAS devices are designed for ease of use, end user convenience and low cost but do not include some of the essential components of enterprise storage. Business-related storage includes robust security components, durable hardware, redundancy and fault tolerance, high quality vendor support, access controls, access logging, backup/archiving capabilities and may include encryption to protect sensitive information. The quality of components present in enterprise grade equipment is tuned for heavy use to prevent failures that can hamper the availability of data (see Appendix A).   Devices that work with any sensitive, University-owned information must meet standards detailed in the Information Security Controls Standard. In addition to the points already discussed, NAS located in a University datacenter provides for greater physical security, regularly scheduled backups, power redundancy, and peace of mind, making it the preferred avenue for data storage within the UNC-Chapel Hill community.

Reports of NAS devices granting file access without authentication over public facing IP addresses, and containing “share all” settings that can be manipulated through firmware vulnerabilities have been a part of the conversation regarding best practices for several years (Leyden, 2014). In 2016, Ameriprise investments suffered a breach related to an employee using an unsecured consumer grade NAS device as a desktop backup (Spring, 2016). This lack of effective access controls led to the exposure of hundreds of investors banking information. More recently, in January 2017, it was revealed that NAS device manufacturer QNAP may have been informed a full year prior to a vulnerability in firmware that allowed for remote access, with no patch having ever been issued (Pilkey, 2017). Examples like these are not isolated incidents, and are indicative of the differing support cycles and quality controls that exist between off-the-shelf consumer grade, and enterprise level solutions.

Please consult your local technical support, your Information Security Liaison or contact help.unc.edu if you have questions.

Appendix A

*The average annualized workload rate limit is in units of TB per year, or TB per 8760 power-on hours. Workload rate limit = TB transferred x (8760/recorded power-on hours).
**Rotation Vibration RV 1500 Radians/sec^2

Source (Beeler, 2015)

References 

Pilkey, A. (2017). Serious vulnerabilities in qnap nas not patched after almost a year. F-Secure. Retrieved on 13 Feb 17 from https://safeandsavvy.f-secure.com/2017/01/17/the-iot-needs-vulnerability-research-to-survive/

Beeler, B. (2015). Pick the right drive for the job – 24/7 nas hdds vs desktop hdds. Storage Review. Retrieved on 13 feb 17 from http://www.storagereview.com/pick_the_right_drive_for_the_job_24_7_nas_hdds_vs_desktop_hdds

Leyden, J. (2014). Do you use nas drive? For work? One just leaked secret cash-machine blueprints. The Register. Retrieved on 13 feb 17 from http://www.theregister.co.uk/2014/05/13/nas_security_risk/

Spring, T. (2016). Insecure nas device exposes 350 ameriprise investment accounts.  Threat Post. Retrieved on 13 feb 17 from https://threatpost.com/insecure-nas-device-exposes-350-ameriprise-investment-accounts/122588/