Storage Magazine


Stamp out NAS threats
by Jacob Gsoedl
Issue: Sep 2007

Access control
While network security restricts the ability to communicate with the NAS device, authentication and authorization protect files and shares from being accessed and manipulated by unauthorized users. This is no different from protecting regular file servers and, more than in any other area, security policies play an instrumental role in regulating user access and permissions.

Authentication is the process of determining who the user is by verifying user credentials against a central repository that maintains user names, passwords, security identifiers (SIDs) or user IDs (UIDs), as well as group membership information. User credentials are akin to keys that open the door to your data, and protecting these keys and reducing the risk of someone guessing passwords is critical. It goes without saying that securing the central repository of user credentials, such as Active Directory, is of utmost importance. Keeping it properly patched, making sure it has up-to-date virus and malware protection, and limiting administrative access to it are all essential practices.

Security risks around authorization are likely to occur because of improper provisioning. Without strong policies and procedures, users may have inappropriate permissions or get access to files they shouldn't see.

A few simple guidelines can prevent you from losing control of the data-access provisioning process. Any access grant or change should only be performed after proper approval. Take advantage of security groups and roles; with the exception of user directories, data is typically accessed by more than one user. Don't grant access to specific files; instead, assign permissions at a folder or share level. Permissions should always default to deny rather than permit. "We default to having no access unless explicitly granted, and we try to not default anything to open but to closed," says Bob Lockhart, security portfolio manager, EDS.

You should also periodically conduct information-access audits that require data owners to verify that the current permission grants are correct. These simple steps will not only make access to data on your NAS more secure, they'll be tremendously helpful for regulatory compliance audits like Sarbanes-Oxley.
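
The provisioning guidelines and the periodic audit described above can be checked mechanically. The following Python code is an added example, not part of the original article: it scans a permissions export for allow entries that break those guidelines and groups the results per share for the data owner to verify. The CSV column layout, share paths, group names, the list of broad principals and the user-directory prefix are all assumptions constructed for this illustration.

```python
import csv
import io

# Constructed sample export, one row per access-control entry (ACE).
# The column layout is an assumption for this example, not a real NAS export format.
SAMPLE_ACL_EXPORT = """path,object_type,principal,principal_type,access
/shares/finance,folder,GRP-Finance-RW,group,allow
/shares/finance/q3.xlsx,file,GRP-Finance-RW,group,allow
/shares/finance/payroll,folder,jdoe,user,allow
/shares/public,folder,Everyone,group,allow
/shares/home/jdoe,folder,jdoe,user,allow
/shares/hr,folder,GRP-HR-RO,group,allow
"""

# Principals that effectively mean "open by default" (assumed list).
BROAD_PRINCIPALS = {"everyone", "authenticated users", "other"}
# User directories are the one place a direct user grant is expected (assumed path).
HOME_PREFIX = "/shares/home/"


def audit_acl(export_text, home_prefix=HOME_PREFIX):
    """Return sorted (path, principal, finding) tuples for grants that break the guidelines."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["access"].strip().lower() != "allow":
            continue  # deny entries are never findings
        path, principal = row["path"], row["principal"]
        if principal.lower() in BROAD_PRINCIPALS:
            findings.append((path, principal, "open-by-default grant"))
        if row["object_type"] == "file":
            findings.append((path, principal, "file-level grant"))
        if row["principal_type"] == "user" and not path.startswith(home_prefix):
            findings.append((path, principal, "direct user grant outside user directory"))
    return sorted(findings)


def owner_review_sheet(findings):
    """Group findings by top-level share so each data owner gets one list to verify."""
    sheet = {}
    for path, principal, finding in findings:
        share = "/".join(path.split("/")[:3])  # e.g. /shares/finance
        sheet.setdefault(share, []).append(f"{path}: {principal} ({finding})")
    return sheet


if __name__ == "__main__":
    for share, items in owner_review_sheet(audit_acl(SAMPLE_ACL_EXPORT)).items():
        print(share, *items, sep="\n  ")
```
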





