Balancing Convenience, Redundancy, and Data Security in a NAS-driven Environment

31 01 2012
As both enterprise and home users seek convenient methods for storing growing amounts of data, and since modern iterations of both environments (almost always in the former, increasingly in the latter) include networking hardware, the popularity of Network-Attached Storage (NAS) devices has increased steadily over the past few years.  One source even claims the need for increased storage is best modeled by an exponential function.[1]  The key underpinnings of NAS proliferation, in a technical sense, are: further miniaturization of computing into form factors like micro, and even pico ITX[2], low and decreasing cost of mass storage drives, and the aforementioned availability of networks, even if, as may be the case with many home users, the network is as simple as a single 4-port switch, cable modem, and a PC.  NAS devices may be as simple as a single hard drive in an enclosure, no doubt an evolution from the first generations of external hard drive enclosures that reached wide popularity when USB 2.0 interfaces entered the market and allowed for reasonable (i.e.: “IDE-like”) rates of access.  NAS appliances are also available in larger and more complex configurations, such as the popular ReadyNAS line.[3]  With the physical package around data stores being relatively small and not generally involving constrained entry/use through a host OS, these devices might also appear to be “concentrated” targets of interest: a small item to steal compared to a desktop, and likely few or no passwords that would inhibit access to the data.  In some cases, they may be more lucrative targets than laptops if the purpose of the theft is to acquire information rather than the street value of a serially-tracked laptop.  This possibility begs the question, then, of what security mechanisms are available to protect the data on the device.
Self-encrypting hard-drives[4] are the preferred solution of federal government IA professionals as they offer a very high degree of protection in the event that an individual drive is stolen and that the attacker attempts to exploit the information stored on the drive.  Realistically, though, most vendors provide these with Serially-Attached SCSI (SAS) interfaces to target the enterprise market in which they are most in demand, and the average consumer NAS instead uses the more affordable SATA family of drive interfaces.  One solution is to create a TrueCrypt volume on the drive and mount the drive on a client system[5].  This creates two new challenges, however, one is performance-related, and the second relates to convenience.  With respect to performance, additional network overhead is unavoidable, but the principal performance hit to mitigate is decryption on the client machine.  The AES New Instructions found on some Intel chips can ameliorate the condition[6], and programs like TrueCrypt are able to utilize these hardware enhancements.
The convenience problem, and one the author has yet to solve effectively, is that the mounting of the encrypted volume, though located on a network store, has the decidedly frustrating side-effect of making access to the data a single-user experience.  How is this relevant?  Suppose you want to take advantage of a more complex NAS with integrated RAID and to synchronize your documents folder between your desktop, laptop, and any other computer onto which you might want to mirror the records.  The task is relatively simple to accomplish in recent versions of Windows.  Simply move the target location to a folder on the NAS and the OS will invoke the Sync Framework to move the files and make an “offline cache” copy, thus allowing for availability when disconnected or in the event of total NAS failure.  Synchronization occurs when you repeat the same move on a subsequent computer, and now changes reflect across both machines, and data lives on the NAS.  This maneuver emphasizes convenience, but is not possible inside a TrueCrypt volume.  Solutions for the “data at rest” problem in an environment of NAS proliferation (where self-encrypting drives are a limited, niche, and sometimes rather expensive solution), unfortunately, do not abound.  As your customers use more and more of these devices, consider the security risk that they pose with respect to being miniaturized containers of exploitable data.
_________________
2.  VIA Pico-ITX Mainboard Form Factor, http://www.via.com.tw/en/initiatives/spearhead/pico-itx/.
5.  TrueCrypt, http://www.truecrypt.org/.
Advertisements

Actions

Information

One response

4 02 2012
heinzISStudent@gmail.com

I agree that, with the miniaturization and cost per Gb improvements that have been achieved we will continue to see proliferation of NAS storage with it’s related security risks. Frankly, I think that these devices and the associated risks will exist predominately in the consumer and small business environments and to a much lesser degree in industry. Large enterprise data centers are generally high security environments where as small businesses and consumer compute are much more casual. Given the growing amount and criticality of data as discussed in this post consumers and inexpensive NAS devices will most certainly proliferate. It would not be surprising to learn that thieves see NAS devices as one of the most valuable “trinkets”.

Encryption of data at rest is intended to address information loss through device theft. While there are many technological solutions such as TrueCrypt the biggest enemy is the lack awareness and technical capability among common consumers. These individuals must first recognize the risk then take appropriate steps to mitigate it, both of which are unlikely in the generally non-technical population. Most small business and the vast majority of end consumers have neither the resources or technological ability to implement many of the available solutions. Devices that integrate these capabilities with a simple user experience will have a strong competitive advantage in the marketplace.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: