I'm struggling to understand NAS security. Can you send me a brief and basic explanation of NAS security and how to implement that security further?
This is a complex subject that only gets more troubling as you dig deeper. There are several layers to consider when securing NAS, and not all of them have to do with the NAS device itself. From the NAS perspective, you need to look at access to the shared data, access to the administrative functions, access to the NAS device over the network (any data access at all), and the security of the individual packets being transmitted.
Access to shared data means setting up permissions and access control lists that designate who has access to which data, plus the rules for simultaneous access. Unix systems use what is called advisory locking, while Microsoft CIFS uses mandatory ("hard") locks. The two are fundamentally different, and most NAS devices implement one or the other and map the remaining protocol onto whatever they have implemented. Setting up the access controls is an administrative task, and it is easily overlooked or left at the defaults, which creates a significant security risk.
The administrative function on the NAS device also needs to be secured. This means that holding superuser privileges alone should not be enough to go in and make changes: only an authorized person should be able to, and that person's identity should be verified. Protecting administrative access includes measures such as encrypting passwords, and it is definitely required for any meaningful degree of security.
Access to a NAS device over an Ethernet network using IP is also one of the areas that has been exploited for security breaches in the past. Isolating the network, using firewalls, and other mechanisms can help, but there may still be paths through which an "outsider" can penetrate and hack into the device. For this you need someone very skilled in network security, because unless you have a protected environment, this can put all the data on the NAS device at risk.
Data being altered or monitored in the individual IP packets in transit is also a security concern, and the devices and software that can do this are readily available. Incidentally, half the security attacks come from within companies, so this is a high-risk area. Isolation is still the best plan but may not be practical. Again, a network security specialist should be consulted.
I hope this helps as an introduction to the problem. You need to consider all of these layers and make use of the different resources available. Those from the NAS vendor you choose are only part of the answer.
Evaluator Group, Inc.
This was first published in September 2001
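The answer above warns that share access controls are easily left at their defaults, that administrative access must be tightened, and that packets on the wire can be read or altered. One concrete way to check all three at once on a Samba-based NAS is to audit its smb.conf. The following is an added example written for this page, not code from the original answer, from Evaluator Group, or from the Samba project. It assumes the NAS exposes a Samba-style smb.conf; the two configurations embedded in it are constructed for the demonstration, and the parser is deliberately minimal (section headers, `key = value` lines, `#`/`;` comments, and Samba's case- and whitespace-insensitive parameter names).

```python
"""Audit a Samba smb.conf for settings that weaken share, admin and on-the-wire security.

Added example for this page (not Samba's own code). The configurations below are
constructed samples; the checks cover only the handful of parameters listed here.
"""

import re

# Samba ignores case and internal whitespace in parameter names and accepts
# several synonyms; normalise everything to one canonical spelling.
SYNONYMS = {"public": "guestok", "writeable": "writable", "allowhosts": "hostsallow"}


def _canon(key):
    k = re.sub(r"\s+", "", key.strip().lower())
    return SYNONYMS.get(k, k)


def parse_smb_conf(text):
    """Return {section: {canonical_key: value}}; a repeated key keeps its last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][_canon(key)] = value.strip()
    return sections


def _yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return a list of (section, finding) tuples for the weak settings this check knows."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []

    # Administrative and authentication surface (global section).
    if g.get("maptoguest", "Never").lower() != "never":
        findings.append(("global", "map to guest is not Never: failed logins become guest sessions"))
    if _yes(g.get("ntlmauth")):
        findings.append(("global", "ntlm auth = yes permits NTLMv1, which is easily cracked"))
    minproto = g.get("serverminprotocol")
    if minproto is None or minproto.upper() in ("NT1", "LANMAN1", "LANMAN2", "CORE", "COREPLUS"):
        findings.append(("global", "server min protocol allows SMB1 (or is unset; confirm the build default)"))
    if g.get("serversigning", "default").lower() != "mandatory":
        findings.append(("global", "server signing is not mandatory: packets can be altered in transit"))
    global_encrypt = g.get("smbencrypt", "default").lower()

    # Per-share data access controls; a share inherits smb encrypt from [global].
    for name, s in conf.items():
        if name in ("global", "printers", "print$"):
            continue
        if _yes(s.get("guestok")):
            findings.append((name, "guest ok = yes: share reachable without a password"))
        # 'writable' and 'read only' are inverse synonyms; shares are read-only by default.
        writable = _yes(s.get("writable")) or s.get("readonly", "yes").lower() == "no"
        if writable and not s.get("validusers") and not s.get("hostsallow"):
            findings.append((name, "writable share with no valid users or hosts allow restriction"))
        if s.get("adminusers"):
            findings.append((name, "admin users grants root-equivalent access on this share"))
        if s.get("smbencrypt", global_encrypt).lower() != "required":
            findings.append((name, "smb encrypt is not required: data crosses the wire in clear"))
    return findings


# Constructed sample: a NAS left at permissive settings.
WEAK_CONF = """
[global]
   workgroup = OFFICE
   map to guest = Bad User
   ntlm auth = yes
   server min protocol = NT1
   smb encrypt = off

[public]
   path = /srv/public
   public = yes
   writable = yes

[finance]
   path = /srv/finance
   valid users = @finance
   read only = no
   admin users = bob
   smb encrypt = required
"""

# Constructed sample: the same NAS after tightening the settings the audit checks.
HARDENED_CONF = """
[global]
   workgroup = OFFICE
   map to guest = Never
   ntlm auth = no
   server min protocol = SMB3_00
   server signing = mandatory
   smb encrypt = required

[finance]
   path = /srv/finance
   valid users = @finance
   read only = no
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label}: {len(audit_smb_conf(conf))} finding(s)")
        for section, msg in audit_smb_conf(conf):
            print(f"  [{section}] {msg}")
```

Run against the weak sample it reports eight findings: four in [global] (guest mapping, NTLMv1, SMB1, unsigned traffic), three on the [public] share (guest access, unrestricted writes, cleartext), and the `admin users` grant on [finance]; the hardened sample produces none. The `server min protocol` check flags an unset value rather than assuming a default, because the default has changed between Samba releases and should be confirmed on the actual device.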