Is DAS or NAS Storage More Secure? DAS vs NAS Security

Direct-attached storage (DAS) and network-attached storage (NAS) contain volumes of significant business data and need to be protected. Your organization has probably been hearing about the importance of securing stored data for months, if not years, and maybe now it just sounds like another business tip. But there’s a reason storage professionals are recognizing that tight security controls are indispensable.

Data is one of the most valuable commodities in the world, and cyberattackers target systems like NAS and DAS to steal it. It might be tempting to compare DAS and NAS and choose a more “secure” storage solution, but many businesses have been using both for years.

In short, the more secure solution entirely depends on the protective measures, policies, and controls that IT and storage professionals deploy and maintain. Security for DAS and NAS is a long game, and this guide breaks down their major vulnerabilities and strategies to protect each.

Main security threats for DAS and NAS storage

DAS and NAS systems are susceptible to plenty of common storage vulnerabilities. These include unsecured internet sessions, limited access controls, and employee mistakes. IT and security teams should address all of the following vulnerabilities when configuring DAS and NAS systems.

DAS security threats

Direct-attached storage connects to computer systems and servers in business settings, whether in main offices, home offices, or data centers. Examples of DAS include internal SSDs, internal HDDs, and external flash drives. DAS also inherits the weaknesses of every machine it is connected to.

Threats to direct-attached storage security include:

  • Unsecured internet sessions on the host computer. If the computer is hacked or someone downloads a strain of malware onto it, all direct-attached storage is automatically compromised.
  • Default admin passwords. These credentials are provided by the hardware vendor and are incredibly easy for attackers to guess or know outright.
  • Weak user passwords. Don’t think that any old password will do as long as it’s not a hardcoded or default manufacturer password — if it’s easy to guess or in use for multiple system logins, it’s still a liability.
  • Physical theft. Office buildings and data centers suffer break-ins, and thieves can snatch DAS devices straight out of your computer or server.
  • Unpatched or outdated operating system software. If the computer hasn’t been updated to protect against malware and other threats, attackers have an easy target.
  • Insufficient access controls. The wrong people can log into systems with DAS if your business doesn’t set access level requirements.
  • No backup copies. If DAS isn’t backed up and someone steals it or the computer goes down, that data is now irretrievable.

NAS security threats

Network-attached storage systems hold large volumes of enterprise files and are a gold mine for data thieves. NAS systems enable file sharing between devices through a network connection. They’re important to companies, too, since they contain both proprietary and customer data, and ransomware groups take advantage of that.

The following vulnerabilities endanger the data stored in NAS systems:

  • Unsecured networks and outdated protocols. Connecting a NAS to an open or unprotected network puts its data at risk, as does using deprecated or less secure network protocols.
  • Vulnerabilities in the NAS operating system. NAS arrays from vendors like Synology have their own OS and management console, and years after their initial release, the vendor may disclose new vulnerabilities.
  • Limited or no access controls. Without policies that determine who can access a NAS system or that restrict admin levels, a NAS is more susceptible to threat actors.
  • Internet vulnerabilities. If the NAS is connected to the internet, it could be exposed to unsecured web pages or malicious downloads.
  • Employees. Human error is one of the greatest threats to stored data, and password mistakes, opening email attachments without approving them, and other careless actions put NAS systems at risk.

Security policies for DAS and NAS

Many businesses use both DAS and NAS for their storage, and it’s important for them to protect both. Each storage type requires security for company networks as well as the storage devices themselves.

DAS security strategies

The key to implementing and maintaining direct-attached storage security is to not only take protective measures for the device itself, but to also secure all systems and applications in proximity to it.

DAS security strategies include:

  • Secure all internet sessions. Ensure that your computer browsers flag web pages that don’t use HTTPS, and enable the most recent version of TLS.
  • Create strong passwords for all systems. This includes computers and servers, but also applications on those machines, which helps protect any DAS connected to that machine.
  • Set strong access controls. Passwords are part of this, but not all — your business should also specify viewing and editing permissions for DAS data where necessary.
  • Update operating systems and any other software regularly. The moment a vulnerability is revealed on your servers, patch it.
  • Secure your organization’s physical premises. Data centers and offices should require keycards for access, and for even more stringent security, maintain an access-restricted server room for all machines with DAS.
  • Back up all DAS data and store copies. To prevent total data loss, make copies of all your enterprise’s DAS data and store them in the cloud and in various physical locations.

NAS security strategies

The files held in NAS systems must be examined for vulnerabilities, but your business should also focus on protecting the entry point to the whole storage system — the NAS manager software.

NAS security strategies include:

  • Configuring company networks. Set secure policies for the network that the NAS connects to, and solve misconfigurations as quickly as possible.
  • Scanning files for malware. The average enterprise NAS stores many files, and some of them could be corrupted by viruses. Files should be regularly scanned and quarantined away from the NAS if malware is identified.
  • Proper NAS operating system training. Each storage admin needs to know how to configure storage settings, update the NAS firmware, and recognize anomalous behavior on the NAS.
  • Training employees. Don’t just teach the bare minimum — get your storage and IT personnel actively involved in identifying phishing attempts, malware, and best practices.
  • Setting strong access controls. NAS system use should be restricted to authorized storage administrators, and storage managers should set viewing and editing permissions for all authorized users, too.

Is DAS or NAS more expensive to secure?

The cost of securing a storage system largely depends on the cost of the solutions required and the number of personnel needed to maintain the security policies. However, broadly speaking, NAS will probably be more expensive to secure overall. NAS systems are themselves farther-reaching and more expensive than DAS, and hiring the personnel to manage large businesses’ NAS systems will likely be a greater investment than a smaller IT team to handle DAS policies.

This isn’t to say that thorough DAS security doesn’t require an investment. Purchasing strong antivirus or antimalware software, training all employees, and implementing an access control solution takes time and financial resources. But an enterprise-level NAS, particularly one with full-featured management software, will require a large investment.

That investment, though costly and time-consuming, is indispensable for organizations that want to remain compliant with data protection regulations and serve their customers. Sensitive data stored on NAS systems is a key target for ransomware gangs. Sometimes, legacy storage solutions don’t receive the level of protection that modern cloud-based solutions do. Ensure that your company doesn’t neglect older storage systems like DAS and NAS.

Bottom line: Which is more secure — DAS or NAS?

Both DAS and NAS solutions are vulnerable to physical attacks, malware, and network-based attacks. The real comparison here is between the security measures a business has taken to guard its storage, because many organizations have both and need to protect both.

DAS and NAS security don’t differ radically, and neither has an advantage over the other. Ideally, businesses should use strategies from both of the lists above to protect their network-attached arrays and connected drives alike. DAS or NAS systems are only as secure as the protective measures put into place, consistently practiced, and taught to other employees in the organization.

Jenna Phipps
Jenna Phipps is a contributor for Enterprise Mobile Today, Webopedia.com, and Enterprise Storage Forum. She writes about information technology security, networking, and data storage. Jenna lives in Nashville, TN.