Network attached storage (NAS) provides a central way to store data that can be accessed over the network, making it a popular enterprise solution. The benefits are convenience, performance, affordability, and storage efficiency, but the downside is security. NAS devices aren’t inherently unsafe compared to other solutions, but attackers who gain access to the device could also gain access to the network, creating the potential for damage that impacts a broad range of users, applications, and systems.
Vendors have turned their attention to security in recent years to shore up their defenses, and the security profile of NAS devices has grown. Here are the top trends for NAS security in late 2023.
Top Network Attached Storage Security Trends
NAS might be a 30-year-old technology, but it’s still going strong even in the face of stiff competition from cloud and object storage. The NAS market will be worth around $30 billion by the end of 2023, and vendors continue to pour resources into making solutions that are faster and more secure. But that increased popularity also means heightened risk.
NAS is no longer used primarily within enterprise data centers and server rooms. Not only is it connected to all kinds of cloud applications, but it’s got to deal with 5G connectivity, the Internet of Things (IoT), and data generated from a wide range of mobile devices too. Each point of connection represents a potential point of vulnerability—attackers have breached enterprise networks through smart coffee makers, fridges, and other IoT connections. As a result, NAS security is evolving from traditional safeguards to encompass defenses against incursions across a broader spectrum.
NAS Remains Poorly Protected
According to research by security software vendor Continuity, NAS devices are poorly protected relative to other types of storage solutions—enterprise NAS devices, or filers, have 14 security risks on average, three of which are of a high or critical risk rating. In other words, they could represent significant compromise potential if exploited. Key weaknesses found by Continuity include:
- Insecure network settings—NAS filers are either wide open to the outside world, use outdated storage and security protocols, are exposed due to configuration mistakes, or lack data encryption.
- Unaddressed CVEs—vendors issue Common Vulnerabilities and Exposures (CVEs) to inform users about threats and provide mitigation strategies and patches, but many NAS devices are vulnerable due to their use of obsolete operating systems, firmware and management systems, and undeployed patches.
- Access issues—some NAS devices provide unrestricted access to network shares and individual files, and suffer from poorly configured read and write permissions.
Edge NAS is Driving Features
NAS is well known in the data center, and many organizations have multiple devices on-premises. But lately NAS has been making its way out to the edge, making edge data centers a growing use case for NAS. Advancements in ease of management and functionality are driving this trend, as are the new NAS form factors entering the market at price points that make them cost-effective for edge deployment and smaller businesses.
This push brings features and benefits that were previously reserved for enterprise use to a wider range of users—security features among them—like in-line compression, Active Directory (AD) support, data-at-rest encryption, and data sharing, as well as additional advanced data backup and protection.
Immutable Storage is on the Rise
Immutable storage—data that, once written, cannot be edited, altered, or deleted—is important for compliance, but it’s also essential for security. It guards against ransomware, for example, which blocks access to data unless a ransom is paid. Because attackers can’t alter or render data unusable, immutable storage is a safeguard being implemented broadly across NAS platforms.
Malicious actors are launching increasingly complex attacks at a time when storage volumes continue to grow. Users not already using immutable storage in their NAS solutions should consider implementing it to better protect their digital assets from cyberattacks.
AI is Driving Sales… and Risks
As many organizations explore AI-centric workloads, the technology is also making its way into the NAS storage and security markets. AI workloads are both performance- and data-intensive—the more AI is in use, the more likely the organization is to need increased storage capacity. This makes AI a boon to NAS sales.
But NAS with AI also opens up a whole new series of security threats, particularly with the current popularity of generative AI. Employees could be entering proprietary or sensitive data into ChatGPT prompts or using insecure third-party tools for AI that could be exploited by hackers. The good news is that vendors are also starting to incorporate AI into some NAS security systems to help detect incursions and data leaks faster.
There’s a Need for Global Audits
As hybrid cloud environments for unstructured data become more common, NAS data gets siloed as data is copied and spread across multiple purpose-built vendor storage systems at the edge, in data centers, and in the cloud. Organizations need a way to track how and where data is copied and how well it is complying with applicable data protection and privacy mandates.
“Security officers and IT teams focused on compliance and tracking of activity with unstructured file data will begin to make global audit a requirement in data orchestration and data management software selection,” Hammerspace’s senior vice president of marketing Molly Presley said. “Solutions are becoming available that create an audit log of all file system activities across the hybrid cloud.”
But NAS storage auditing and logging represent another security weakness. Though NAS device activity should be logged and audited as a security best practice, a Continuity survey found 15 percent of production storage devices were not logged at all—and of those that were, many were susceptible to manipulation.
NAS Sniffing Safeguards Should be Enacted
The security technical work group of the Storage Networking Industry Association (SNIA) has called attention to the fact that cybercriminals can and do attempt unauthorized observation of network traffic. This kind of traffic sniffing could constitute a data breach.
NAS users should enable protections to guard against traffic sniffing when using certain NAS protocols. SNIA’s recommendation is to make remote procedure call encryption, which uses an authentication mechanism to protect certain network procedures, the default on NAS systems.
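The following is an added example, not code from the article, Continuity, or SNIA: a small auditor for Linux NFS export files that flags the weaknesses listed earlier (shares open to any host, loose write and root permissions) together with exports that permit RPC security flavors without encryption. Mapping the "remote procedure call encryption" recommendation to the NFS `sec=krb5p` flavor is an assumption, and the sample paths and hosts are constructed.

```python
import re

# Constructed sample in Linux exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
/srv/projects  *(rw,sync,no_root_squash)
/srv/finance   10.0.5.0/24(rw,sync,sec=krb5p,root_squash)
/srv/media     10.0.6.0/24(ro,sync,sec=sys:krb5p)   # mixed flavors
/srv/scratch   build01.example.internal(rw,sync,sec=krb5i)
"""

# client(options); options with no client name are treated here as any host
ENTRY_RE = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")
ANY_HOST = {"", "*", "0.0.0.0/0", "::/0"}


def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) < 2:
            continue  # blank line, comment, or path with no client list
        path, clients = fields
        for client, optstr in ENTRY_RE.findall(clients):
            if not client and not optstr:
                continue  # empty regex match between entries
            opts = [o.strip() for o in optstr.split(",") if o.strip()]
            # The default flavor is sys (no Kerberos) when sec= is absent
            flavors = ["sys"]
            for o in opts:
                if o.startswith("sec="):
                    flavors = o[4:].split(":")
            shown = client or "*"
            if client in ANY_HOST:
                scope = "any host, read-write" if "rw" in opts else "any host"
                findings.append((path, shown, scope))
            if "no_root_squash" in opts:
                findings.append((path, shown, "no_root_squash"))
            weak = [f for f in flavors if f != "krb5p"]  # only krb5p encrypts
            if weak:
                findings.append((path, shown, "no privacy: sec=" + ":".join(weak)))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:15} {client:28} {finding}")
```

The check reads only the `sec=` option, so an export protected by another transport-level mechanism would still be listed and needs manual review.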
Bottom Line: NAS Security Requires Oversight
Network attached storage solutions make up a big part of the overall enterprise data storage market, even three decades into their existence. But their prevalence makes them a target for attackers who’ve had plenty of time to study the playing field for weaknesses they can exploit.
Enterprises should subject their NAS systems to the same rigorous security standards and best practices as any other piece of their IT and keep current on security trends to make sure their defense posture is the best it can be.