7 NAS encryption best practices to protect data
Data storage security is as important now as it's ever been. Encryption is one way to make NAS devices more secure against such threats as ransomware.
Encryption is one of the most effective tools to protect data on network-attached storage. Even if cybercriminals gain access to the drives or intercept communications to or from them, encryption makes the data unreadable to anyone who does not have the cryptographic key.
Use NAS encryption to prevent unauthorized access to confidential data at rest or in motion. The data might include credit card numbers, intellectual property, medical records, personally identifiable information (PII) or other types of confidential data. Also, use encryption to comply with regulations such as GDPR or HIPAA.
Without encryption, data is stored and transmitted as clear text, which can be read by anyone who intercepts communications or gains access to the drives. A NAS device also shares the same LAN as other devices and traffic. These systems include computers, printers, smartphones, tablets and IoT devices.
NAS encryption can be a complex process and, if done incorrectly, can put sensitive data at risk. However, administrators can make their jobs easier by following these seven best practices.
This article is part of
What is network-attached storage (NAS)? A complete guide
1. Identify what to encrypt
Encrypting and decrypting data can slow performance, sometimes significantly. The extent of the impact depends on the NAS device, how the organization implements encryption and whether the storage unit includes a cryptographic accelerator. In some cases, encryption can also make data reduction techniques less effective.
Encrypt only the data that needs protection or that applicable regulations govern. Prioritize the data based on its requirements for confidentiality. To help prioritize data, consider what the repercussions would be if certain types of data were compromised.
2. Encrypt sensitive data at rest
At-rest data refers to the data stored on the NAS device, as opposed to the data transmitted between endpoints. This doesn't preclude copies of the data from being transmitted, but the core data itself is persisted to the NAS media.
Use NAS encryption to protect sensitive data from unauthorized access, even if a device is stolen. However, ensure that the cryptographic modules used for the encryption and decryption operations have been validated against recognized standards such as the Federal Information Processing Standards developed by NIST.
Use advanced cryptographic technologies such as AES 256-bit encryption. Encrypt metadata along with the rest of the data. In addition, encryption should be able to scale as needed with little disruption to operations.
3. Encrypt sensitive data in motion
Data in transit is susceptible to threats such as eavesdropping and hijacking. Unless that data is encrypted, cybercriminals can access confidential information transmitted between a NAS device and other systems -- including other NAS devices. For this reason, it's important to encrypt any sensitive data transmitted to or from a NAS device.
NAS encryption is especially important for communications that extend beyond an organization's protected domain, although that doesn't mean the internal network is free from risk. A rogue employee or careless user can be just as much a threat. When encrypting data in motion, use industry-standard protocols such as the transport layer security protocol and close all unused ports on the NAS device. Also, include all sensitive information, including backups and replicated data.
4. Encrypt administrative sessions
Administrators routinely access their NAS systems to configure and control storage components, sometimes connecting to the systems remotely. Administrative access is just as vulnerable to attack as other types of communication. Hackers could intercept the session data and also access the NAS environment itself, where they could change permissions, steal sensitive information, introduce malware or destroy the data. Always encrypt administrative sessions to prevent data breaches and other risks, whether administrators connect through APIs, command-line interfaces or other client tools.
5. Use virtual private networks
A VPN provides an encrypted connection over the internet. It hides details about the session and adds an extra layer of protection for client systems that communicate remotely with NAS devices. Because a VPN disguises a user's online identity and activity, it is more difficult for hackers to steal data or compromise systems -- or even infer a session's contents or type of data. VPNs have become especially important during the COVID-19 pandemic, with more people who work from home and require remote connectivity to do their jobs.
6. Implement centralized key management
Most approaches to encryption rely on cryptographic keys for encrypting and decrypting the data. As a result, incorporate key management into the NAS encryption strategy. Cryptographic keys must be properly generated, distributed, stored and, when the time comes, destroyed. This process requires a centralized key management system that maintains the keys and protects them against unauthorized access.
Without this system, keys could be compromised, making it possible for unauthorized individuals to impersonate users, access sensitive data, intercept messages or carry out a range of other nefarious acts. Key management should also consider applicable regulations, including data protection laws and laws related to importing and exporting encryption technologies.
7. Don't rely solely on encryption to protect sensitive data
Encryption is one of the most important mechanisms available for protecting sensitive data, but it's not the only tool. Data protection requires multiple layers of security to safeguard against the many ways data can be compromised.
For example, an employee might be authorized to access PII data on the company network. When the user logs in and accesses the data, it is decrypted and presented as plain text so the user can work with the information. If a cybercriminal acquires the user's login credentials, the hacker will be able to access the network and view any data available to that employee, even if the data is normally encrypted.