This article can also be found in the Premium Editorial Download "Storage magazine: New rules change data retention game."
Download it now to read this article plus other related content.
While network security restricts the ability to communicate with the NAS device, authentication and authorization protect files and shares from being accessed and manipulated by unauthorized users. This is no different from protecting regular file servers and, more than in any other area, security policies play an instrumental role in regulating user access and permissions.
Authentication is the process of determining who the user is by verifying user credentials against a central repository that maintains user names, passwords, security identifiers (SIDs) or user ids (UIDs), as well as group membership information. User credentials are akin to keys that open the door to your data, and protecting these keys and reducing the risk of someone guessing passwords is critical. It goes without saying that securing the central repository of user credentials, such as Active Directory, is of utmost importance. Keeping it properly patched, making sure it has up-to-date virus and malware protection, and limiting administrative access to it are all essential practices.
Security risks around authorization are likely to occur because of improper provisioning. Without strong policies and procedures, users may have inappropriate permissions or get access to files they shouldn't see.
A few simple guidelines can prevent your losing control of the data-access provisioning process. Any access grant or change should only be performed after proper approval.
You should also periodically conduct information-access audits that require data owners to verify that the current permission grants are correct. These simple steps will not only make access to data on your NAS more secure, they'll be tremendously helpful for regulatory compliance audits like Sarbanes-Oxley.
This was first published in September 2007