S 2.352 Drawing up a security policy for NAS systems
Initiation responsibility: IT Security Officer, Top Management
Implementation responsibility: IT Security Officer
An NAS system is essential as central data storage for the procedures and business processes in the organisation. Secure and correct operation can only be ensured when stationing, administration, and operation are integrated into the existing security-related specifications.
The main security-related requirements and the security level to be attained are derived from the organisation-wide security policy and should be formulated in a security policy specifically for NAS systems. This policy therefore specifies the application of the higher-level and general security guidelines to NAS systems in more detail.
When creating a security policy for NAS systems, safeguard S 2.316 Defining a security policy for a general server must be taken into consideration first. This safeguard presents the general security precautions for IT systems functioning as servers. When creating a security policy for NAS, the policy must be specified according to the area of application of the NAS system.
The general administration and configuration strategy for the NAS ("liberal" or "restrictive") should be developed according to the protection requirements of the information processed by the NAS and the applications accessing this information.
The following points must also be taken into account when specifying the individual parts of the NAS security policy:
- The specifications for the installation and configuration found in S 4.274 Secure basic configuration of storage systems must be followed. Additional procedures and regulations for installation and configuration must be defined:
  - The procedure for initial installation is to be defined and documented. If the initial installation is performed by the manufacturer or a supplier, then they must be required to provide the corresponding documentation.
  - If remote maintenance by the manufacturer or a service provider is intended, then the corresponding organisational and technical regulations for remote maintenance must be defined.
- A concept for access control must be created. In NAS systems, this is usually achieved with the aid of access control lists. So-called storage security appliances may also be installed between the clients and the NAS to act as transparent proxies and therefore provide additional access protection.
- If an NAS system contains an integrated web server that serves as more than an internal configuration tool, it must not serve network zones with different levels of trust. It is permitted to operate the NAS system simultaneously as a file server in the intranet and as an intranet web server. It is not permitted to operate the NAS system simultaneously as a file server in the intranet and as a web server.
- The security policy for NAS systems must define specifications for secure administration and secure operation (see also S 4.275 Secure operation of storage systems).
- The use of encryption (standards, key strength) may need to be specified depending on the area of application.
- The use of suitable tools for operation and maintenance and the integration into the existing network management are to be examined (see S 2.359 Monitoring and administration of storage systems).
- Authorisations and procedures for updating software and changing configurations must be defined. Changes must be documented.
- The NAS system must be integrated into the virus protection concept of the organisation. The installation and configuration of anti-virus software, as well as the provision of signature updates, must be planned.
- An appropriate data backup policy (see also module S 1.4 Data Backup Policy) must be created that matches the protection level determined for the NAS system and that is coordinated with the organisation-wide data backup policy.
- Module S 1.8 Handling of security incidents must be taken into account when defining the regulations for security incidents. Furthermore,
  - guidelines for the reaction to operational disruptions and technical errors (local support, remote maintenance) as well as
  - regulations for special security incidents such as malicious software, unauthorised accesses, or unexpectedly high usage of CPU resources must be defined.
- The NAS contingency planning must also be integrated into the organisation-wide contingency planning concept, and S 6.98 Contingency planning for storage systems must also be taken into account in the contingency planning for NAS systems.
The security policy for NAS systems must be accessible to all participants. It must be updated regularly.
Review questions:
- Has a security policy been drawn up for NAS systems?
- Does the security policy for NAS systems include an access control concept?
- Were specifications for the configuration, operation, and fault management of NAS systems described in the security policy?
- Does the security policy require integration into an anti-virus concept and the data backup policy for NAS systems?
- Is the security policy updated regularly?