Network Attached Storage (NAS) Devices: Policy and Guidelines

Purpose

This document outlines the security policy for Network Attached Storage (NAS) units connected to the campus network. This policy is designed to balance the need for cost-effective data storage with the security of the overall university network.

Scope

This policy applies to all NAS units that are connected to the campus network, including units owned by departments, faculty, and staff.

The definition of a NAS unit includes both commercially available devices in the NAS category, as well as any servers that are built or configured for the purpose of file storage and sharing.

 

Policy Details

  • Registration and Network Placement
    • Faculty and staff may place NAS units on designated networks (such as a “faculty/staff” network or lab network).
    • NAS owners should register their NAS units with IT Services so that network access and support can be provided. Registration can be completed by submitting a “Network connectivity” service ticket with IT Services.
  • IP Address Management
    • A reserved IP address will be assigned to each registered NAS unit.
    • The assigned IP address will be recorded on a "Known NAS List." This list will be maintained for the sole purpose of enabling access across the network.
  • Local Access
    • Access to the NAS from within the same network (VLAN) where it is located will not be limited or restricted by IT Services.
    • NAS access across and between campus networks will be prohibited, with the exception of allowing inbound connections from the campus VPN network. (Note that the VPN service can be used whether users are on-site or physically remote.)
    • If it is essential that a NAS be accessed from multiple campus VLANs, a request can be submitted to locate the NAS at IT Services and place it on a specialized shared network.
  • Inbound Access
    • Inbound access from the open Internet will be prohibited for all NAS units.
    • Users may use the campus secure virtual private network (“securelogin”) to access any NAS on the Known NAS List.
  • Outbound Access
    • Specific outbound services, such as HTTPS, FTP, and SSH, will be allowed as required from the NAS to the Internet, but only for the purpose of keeping the NAS software secure and up to date.
    • Outbound Internet access for NAS units will be controlled by firewall policies applied to the "Known NAS List."
  • Remote and Local Access
    • Remote access to general NAS services (e.g., Windows Shares (CIFS), NFS, Web interfaces) will only be permitted via the university's MFA-restricted Virtual Private Network (“securelogin”).
    • This remote access will be enabled by adding the NAS to the “Known NAS List.”
    • Inbound access from the open Internet or from other campus VLANs, and outbound access to other campus VLANs, are prohibited. Specialized security policies will not be implemented for particular NAS units.
  • No Centralized Management or Monitoring
    • IT Services will not manage, monitor, inspect, or audit NAS units beyond the limits described in this policy. In particular, IT Services will not request or acquire access to the file contents of a NAS unit, or manage access controls for the unit.
  • Security Incident Responses
    • Any networked device such as a NAS may, if compromised, be used to launch attacks on other networked devices. Therefore, the risks of an insecure NAS extend far beyond those of the NAS owner.
    • IT Services retains the right to isolate a NAS from the network if we determine that the device poses a threat to other networked devices. Justification for isolating a NAS could include: evidence of intrusion attempts or compromise, evidence of potential attacks upon other devices, or evidence of failure to maintain up-to-date security updates (patches).
  • Device Owner Responsibilities
    • Annual renewal: Owners will need to confirm their NAS unit’s registration with IT Services on a yearly basis. This renewal is important because of the extended permissions being associated with the devices. IT Services will issue notices and reminders well before service for any NAS unit is withdrawn.
    • Change of status or ownership: Owners must notify IT Services whenever a NAS is removed from service, as well as whenever ownership of a NAS changes. This will ensure that the NAS units and the campus network are properly secured, and that notices to owners can be properly delivered.
    • Semesterly updates: Owners are responsible for the security and maintenance of their NAS units, including managing access controls and applying security updates (“patches”). In particular, security updates must be reviewed on a semesterly basis at minimum.
    • Risks of cloud software: Owners are cautioned about the risks associated with accessing their NAS through a bundled cloud application (such as remote compromise risks, data leakage, or data loss). IT Services will not block the use of these applications but strongly recommends owners disable them where possible and instead use the NAS as a locally networked storage device.
  • Acceptance of Terms
    • The owner of the NAS unit must review and accept the terms of this policy before service will be provided.
 

Relation to other standards

This policy is prescriptive in nature, establishing boundaries and behavioural expectations. It does not override, replace, or diminish any requirements, constraints, or obligations set out in other applicable university policies, laws, or other binding regulations.

Policy Review

This policy will be reviewed one year from the date of its implementation to ensure it remains relevant and effective.

Recommended changes to the policy should be directed to Graham Fawcett, Director, IT Infrastructure, IT Services.