
Buyers’ Guide–Network-Attached Storage

Introduction

Netgear ReadyNAS

Netgear ReadyNAS as a music server

A new class of hardware has been brought about by the networked home and small office environment. This is in the form of the network-attached storage device which works simply as a hard disk that is attached to the small network, sharing its resources using common network protocols.

Description

A network-attached storage device or NAS is an appliance that connects to your home or small business network via Ethernet to serve as a communal storage device for that network. This is instead of purposing an older computer for this role of a common storage device.

One main advantage of these devices is that they don’t demand as much power as a regular desktop computer running as a server and they make less noise than the typical ATX desktop tower computer, as they don’t need to have a constantly-running fan. This leads to a device that is quiet and energy-efficient, values that are being asked for in this era.

The devices are typically very small, often ranging in size from a pair of cassette tapes through a small book to the size of a kitchen toaster for the small-business units. This means that they don’t take up much desk space and can even be hidden behind other computing devices, which also puts them in the good books with those who value aesthetics. This small size also wins favour with those of us who want a data storage device that serves multiple devices but can be quickly shifted to another location at a moment’s notice, as I have seen for myself at the Australian Audio and AV Show with a few of these devices working as DLNA-compliant media servers for demonstration hi-fi equipment. In fact, the pictures of the Netgear ReadyNAS and the Seagate GoFlex Home NAS units are images of fully-operational units serving this aforementioned role, with the Seagate single-disk unit being photographed on the floor and it being slightly higher than the skirting board.

Disk Storage

Single-Disk NAS

Seagate GoFlex Home NAS as music server

Seagate GoFlex Home single-disk NAS

Cheaper consumer-focused NAS units are typically equipped with one hard disk, with a few of these units like the Seagate GoFlex Home being a network bridge for a removable hard-disk module that is part of the manufacturer’s modular-hard-disk system.

This also includes the portable NAS units like the Seagate GoFlex Satellite that are their own Wi-Fi network and are intended to work as a data offloading device for tablet computers.

But on the other hand, there are some single-disk NAS units like the QNAP range that can excel as highly-capable network storage hubs. In the case of the QNAP, these units are able to work as full-flight Web servers suitable for serving intranets or “proving” Web-site prototypes; or pull off other advanced network-storage tricks.

Multi-Disk NAS

On the other hand, the better units will support two or more hard disks and work the installed hard disks as a RAID (Redundant Array of Independent Disks) that facilitates either extra capacity, higher data throughput or increased fault tolerance. These multi-disk units can be set up to have two hard disks of equal capacity “mirroring” each other as a safeguard if one disk fails or to facilitate high-throughput low-latency data transfer. Alternatively, the disks can be seen simply as a large volume of data. Units which support three or more disk drives can support disk setups that combine failsafe data storage and increased data capacity.

Some multi-disk units like the Netgear ReadyNAS units have the ability to support in-place volume expansion. This is where you can add extra hard drives to the NAS while it is running in order to build up redundant failover storage or increase system capacity. But other systems will require the NAS to be taken out of service if you intend to evolve the multi-disk RAID volume.

User-installed disks and upgrade options

Most of these NAS units have the hard disk integrated, which is at a known capacity whereas others, commonly known as BYOD enclosures, come simply as an enclosure where you buy the hard disk separately and install it yourself. A variety of multi-disk units do come with a single hard disk but you upgrade them to the RAID resilience or extra capacity by installing a hard disk in an empty disk bay. This kind of installation typically can be done without the need for tools in all of the recent implementations.

Of course, the cheapest single-disk NAS units don’t allow you to upgrade or replace the hard disk yourself, so you have to replace the unit if that hard disk fails or you outgrow the hard disk capacity. On the other hand, the better units permit the user to upgrade or replace the hard disk, thus providing for a long device lifespan.

External connection ports

A lot of NAS units have one or more USB ports so you can copy content off a thumbdrive or external hard disk, use an external hard disk as extra storage or a backup device for the NAS or use other peripherals. Some of them may use an eSATA port for the same purpose, especially to add storage or maintain a backup device.

It is also worth knowing that these ports may be used as a way of extending the functionality of the NAS devices through the use of various device classes; especially if subsequent firmware upgrades take place. Example applications include working as a print server for a USB-only printer to a camera server for a Webcam.

Functions

Network-central backup location

Most network-attached storage devices typically provide the ability to be a network-central backup device for all of the computers in that network. This is typically facilitated through manufacturer-supplied software or backup utilities that are part of a regular-computing operating system such as Windows Backup or Apple Time Machine.

Network-central file storage and drop-off point

They also work as a data-drop-off point where users can “park” redundant data or data being moved between computers and hard drives. This is facilitated using standard SMB/CIFS, FTP or HTTP machine-to-machine data transfer protocols which these operating systems can support natively. The computer may run a manufacturer-supplied “assistance” shell to help with locating the device or linking it to the computer.

In the same extent, the NAS may work as a shared data library for software and data that is needed across the network. This would include utility software, device drivers, updates and patches as well as documents of common interest.

It is being extended to mobile computing devices like smartphones and tablets through the use of manufacturer-supplied or third-party network-file-transfer apps for the common mobile-computing platforms like iOS or Android. I have covered this topic in an article about moving data between your NAS and your smartphone.

Media server

This now covers the ability to share media files like digital images, music and video files to every computer and DLNA-compliant media device across the network. This is facilitated through an integrated DLNA media server for standards-compliant devices and an iTunes-compatible server for iTunes media managers including Apple iOS devices.

But some manufacturers are targeting some of their consumer-focused NAS units at the distribution of media files across the network. These will typically have software that provides for low-latency transfer of audio and video content as well as an improved DLNA media server. Some of these DLNA media servers may support content-metadata aggregation where they index all media held on every DLNA server in the network and become the single point of reference for that media.

Some of the NAS units like RipNAS, ZoneRipper or Naim UnitiServe may even have an integrated optical drive to allow you to “rip” CDs to the hard disk or allow you to connect an optical drive to their USB port so you don’t have to power up a computer to “rip” new CDs to your media collection.

Remote access and the personal cloud

A new capability that is being promoted by NAS vendors such as Western Digital and Iomega is remote access, commonly marketed as a “private cloud” or “personal cloud”. This requires the NAS to have server software that exposes its location to a cloud service on the Internet and manage access to the data from Internet-based users. It works alongside client software available for regular or mobile operating systems to enable users to transfer the data outside their home network.

Variants of this software, such as what Iomega offer, may support peer-to-peer data transfer between multiple NAS units installed at different locations. This could cater for multi-site content replication or simple offsite data backup requirements.

Platform NAS systems

An increasing number of high-end NAS units have the equivalent of an app store, where the manufacturer can provide free or paid file-handling programs that load on to these devices. These can include a simple photo-viewing intranet app, a DVR for video-surveillance apps, an email server or a download / Bittorrent manager amongst other things.

Some systems like the QNAP units deliver every function in one “hit” when the user purchases the NAS devices whereas others just maintain the “app-store” or “download-point” for users to add the functions on at a later time.

What should you get

A single-disk NAS can serve a typical household well as a data drop-off point and media server. It can also augment a small-business’s server by fulfilling low-risk tasks such as DLNA media-server functionality thus keeping the server for business-critical needs. The high-end varieties of these single-disk NAS units like what QNAP sells would work well for those of us who want more functionality such as a Web-development workbench or a DVR for an IP-based video-surveillance system.

If you end up with more devices in your home and you want to be sure of continuity or expandability, a multi-drive system would fit your bill. You may go for a multi-disk system that has one hard disk installed so you can upgrade to resiliency or extra capacity at a later time.

Small businesses should consider a good multi-disk NAS that has what it takes to support increased resiliency. In some cases, a small business may operate the multi-disk NAS as a backup or file-archive device for their site’s main operational server; as well as a media server or similar application.

It is also essential to look at an offsite backup option for these units, such as the ability to connect a USB external hard drive for the duration of a backup job or the ability to backup to another NAS or cloud service via the Internet.

Mandatory features

For basic functionality, the NAS should support the SMB/CIFS and NFS network file protocols and have an integrated DLNA and iTunes media server. The computer-NAS backup options can be hosted with manufacturer-supplied software but should work with Windows Backup or Apple Time Machine options.

I would also prefer that the NAS supports a continual software upgrade path for its functions. This is where the manufacturer keeps the firmware up to date as new standards come about, thus opening up the door to newer functionality and better performance.

The connection to the networks should be at least one Gigabit Ethernet port in order to support higher data throughput. You may not get this throughput with your existing router but if you upgrade to a newer router that has Gigabit Ethernet ports, you will end up with significantly higher throughput which would benefit applications like movies or high-quality music files.

Conclusion

Once you have a network-attached storage device in place, you will never know what capabilities these devices will open up to the connected home and small business. It doesn’t matter whether it’s a backup location for your computers or a media server or just simply a “file parking lot” for your home network.

Interview and Presentation–Security Issues associated with cloud-based computing

Introduction

Alastair MacGibbon - Centre For Internet Safety (University of Canberra)


I have been invited to do an interview with Alastair MacGibbon of Centre For Internet Safety (University Of Canberra) and Brahman Thiyagalingham of SAI Global who is involved in auditing computing service providers for data security compliance.

This interview and the presentation delivered by Alastair which I attended subsequently is about the issue of data security in the cloud-driven “computing-as-a-service” world of information technology.

Cloud based computing

We often hear the term “cloud computing” being used to describe newer outsourced computing setups, especially those which use multiple data centers and servers. But, for the context of this interview, we use this term to cover all “computing-as-a-service” models that are in place.

Brahman Thyagalingham - SAI Global


These “cloud-based computing” setups are in use by every consumer and business owner or manager as they go through their online and offline lives. Examples of these include client-based and Web-based email services, the Social Web (Facebook, Twitter, etc), photo-sharing services and online-gaming services. But it also encompasses systems that are part of our everyday lives like payment for goods and services; the use of public transport including air travel; as well as private and public medical services.

This is an increasing trend as an increasing number of companies offer information solutions for our work or play life that are dependent on some form of “computing-as-a-service” backend. It also encompasses building control, security and energy management; as well as telehealth with these services offered through the use of outsourced backend servers.

Factors concerning cloud-based computing and data security

Risks to data

There are many risks that can affect data in cloud-based computing and other “computing-as-a-service” setups.

Data theft

The most obvious and highly-publicised risk is threats to data security. This can come in the form of the computing infrastructure being hacked, ranging from malware attacks on client or other computers in the infrastructure to social-engineering attacks on the service’s participants.

A clear example of this was the recent attacks on Sony’s online gaming systems like the PlayStation Network. Here, there was a successful break-in in April which caused Sony to shut down the PlayStation Network and Qriocity for a month. Then, a break-in attempt on many of the PlayStation Network accounts had taken place this week ending 13 October 2011.

The attack on data isn’t just by lonely script kiddies anymore. It is being performed by organised crime; competitors engaging in industrial espionage and nation states engaging in economic or political espionage. The data that is being stolen is identities of end-users; personal and business financial data; and business intellectual property like customer information, the “secret sauce” and details about the brand and image.

Other risks

Other situations can occur that compromise the integrity of the data. For example, a computing service provider could become insolvent or change ownership. This can affect the continuity of the computing service and the availability of the data on the systems. It also can affect who owns the actual data held in these systems.

Another situation can occur if there is a system or network breakdown or drop in performance. This may be caused by a security breach; but can be caused by ageing hardware and software or, as I have seen more recently, an oversubscribed service where there is more demand than the service can handle. I have mentioned this latest scenario in HomeNetworking01.info in relation to Web-based email providers like Gmail becoming oversubscribed and performing too slowly for their users.

Common rhetoric delivered to end-users of computing services

The industry focuses the responsibility of data security for these services on to the end-users of the services.

Typically the mantra is to keep software on end computers (including firmware on dedicated devices) up-to-date; develop good password habits by using strong passwords that are regularly changed and not visible to others; and make backup copies of the data.

New trends brought on by the Social Web

But there are factors that are being undone by the use of the Social Web. One is the use of password-reset questions and procedures that are based on factors known to the end user. Here, the factors can be disclosed by crawling data left available on social-networking sites, blogs and similar services.

Similarly, consumer sites like forums and comment trees are implementing single-sign-on setups that use credential pools hosted by other services popular to consumers; namely Google, Facebook and Windows Live. This also extends to “account-tying” by popular services so that you are logged on to one service if you are logged on to another. These can create a weaker security environment and aren’t valued by companies like banks which hold high-stakes data.

The new direction

As well, it has been previously very easy for a service provider to absolve themselves of the responsibility they have to their users and the data they create. This has been through the use of complex legalese in their service agreements that users have to assent to before they sign up to the service.

The weight for data security is now being placed primarily on the service providers who offer these services to the end users rather than the end users themselves. Even if the service provider is providing technology to facilitate another organisation’s operations, they will have to be responsible for that organisation’s data and the data stream created by the organisation’s customers.

Handling a data break-in or similar incident

Common procedures taken by service providers

A typical procedure in handling a compromised user account is that the account is locked down by the service provider. The user is then forced to set a new password for that account. In the case of banking and other cards that are compromised, the compromised account cards would be voided so that retailers or ATMs seize them and the customer would be issued with a new card and have to determine a new PIN.

The question that was raised in the interview and presentation today is what was placed at risk during the recent Sony break-ins. The typical report was that the customers’ login credentials were compromised, with some doubtful talk about the customers’ credit-card and stored-value-wallet data being at risk.

Inconsistent data-protection laws

One issue that was raised today was inconsistent data-protection laws that were in place across the globe. An example of this is Australia – the “She’ll Be Right” nation. Compared to the USA and the UK, Australians don’t benefit from data-protection laws that require data-compromise disclosure.

What is needed in a robust data-compromise-disclosure law or regulation is for data-security incidents to be disclosed properly and promptly to the law-enforcement authorities and the end-users.

This should cover what data was affected, which end-users were placed at risk by the security breach, when the incident took place and where it took place.

International issues

We also raised the issue of what happens if the situation crosses national borders. Here nations would have to set out practices in handling these incidents.

It may be an issue that has to evolve in a similar way to how other factors of international law like extradition, international child-custody/access, and money-laundering have evolved.

Use of industry standards

Customers place trust in brands associated with products and services. The example that we were talking about with the Sony data breach was the Sony name has been well-respected for audio-visual electronics since the 1960s. As well, the PlayStation name was a brand of respect associated with a highly-innovative electronic gaming experience. But these names were compromised in the recent security incidents.

There is a demand for standards that prove the ability for a computing service provider to provide a stable proper secure computing service. Analogies that we raised were those standards that were in place to assure the provision of safe goods like those concerning vehicle parts like windscreens or those affecting the fire-safety rating of the upholstered furniture and soft-furnishings in the hotel that we were in during the afternoon.

Examples of these are the nationally-recognised standards bodies like Standards Australia, British Standards Institute and Underwriters Laboratories. As well there have been internationally-recognised standards bodies like the International Standards Organisation; and industry-driven standards groups like DLNA.

The standards we were focusing on today were the ISO 27001 which covers information security and the ISO 20000 which covers IT service management.

Regulation of standards

Here, the government regulators need to “have teeth” when it comes to assuring proper compliance. This includes the ability to issue severe fines against companies who aren’t handling the data breaches responsibly as well as mitigation of these fines for companies who had an incident but had audited compliance to the standards. This would be demonstrated with evidence of compliant workflow through their procedures, especially through the data incident.

As well, Brahman had underscored the need for regular auditing of “computing as a service” providers so they can prove to customers and end users that they have procedures in place to deal with data incidents.

I would augment this with the use of a customer-recognisable distinct “Trusted Computing Service Provider” logo that can only be used if the company is compliant with the standards in their processes. The logo would be promoted with a customer-facing advertising campaign that promotes the virtues of buying serviced computing from a compliant provider. This would be the “computing-as-a-service” equivalent of the classic “Good Housekeeping Seal” that was used for food and kitchen equipment in the USA.

Conclusion

What I have taken from this event is that the effort for maintaining a secure computing service is now moving away from the customer who uses the service towards the provider who provides the service. As well, there is a requirement to establish and enforce industry-recognised standards concerning the provision of these services.

Lost data on USB drives–can even affect individuals and small business

Articles – From the horse’s mouth

Press Release | Kingston

My Comments

I have had a look at the Kingston press release about the security of data held on USB flash drives and found that it was based on a Ponemon Institute study commissioned by Kingston. The main factor that I had observed was that the survey was based on data that represented the “big end of town” – the larger companies and government departments who typically handle a lot of high-stakes company and customer data.

Here I still find that small businesses and individuals are as at risk from removable-media data theft as are larger organisations. Most of these users would consider secure data storage as storing the confidential data on a USB memory key or external hard disk rather than on the computer’s hard disk. Here, they would keep that memory key or external hard disk locked in a desk drawer, filing cabinet or safe when the data is not needed. If the data isn’t changed or viewed often, like a valuables inventory, the USB memory key or external hard disk may be kept at a bank’s safe-deposit facility.

As well, the typical USB memory key can be attached to one’s keyring that has their house, car and business keys on it and a lot of these users may take advantage of the fact. These key rings are often at risk of loss due to absent-mindedness that can be common amongst us or theft as has been known to happen in the UK and Europe where houses have been broken into in order to steal the keys for powerful or expensive cars that are parked at these houses.

Of course, it is not just government and big business who handle or are responsible for “high-stakes” ultra-confidential data. Small businesses and individuals can also handle this kind of data, whether they provide services to these entities or not.

For example, I had provided technology assistance to a “one-person” business who valued fine art, antiques and collectables. This involved the handling of data relating to the collectable items and who owned the collectable items, as I commissioned newly-bought computers or trained her in computing techniques.

As well, individuals may need to keep copies of information pertaining to personal medical and legal issues where there is a strong emotional link. This information may be considered of high value where it concerns individuals who are in the “public eye” and the tabloid media are hungry for any bit of information about these individuals in order to run that exclusive “scoop”.

A common reality that this “enterprise-focused” article misses is that the typical small-business owner or personal user chooses and purchases their own computer hardware from retail. This is compared to larger organisations who maintain a dedicated IT team who is responsible for purchasing and maintaining the computer and communications technology for that organisation.

For this class of user, I would recommend that they use removable storage that is made by respected brands like Kingston, Verbatim, Sony or SanDisk. It may be worth knowing that some of the good retailers may resell these good brands under their own labels, usually in the premium end of those labels.

I would also recommend that you investigate the use of security-enabled encrypted USB memory keys. Here, I would look for those units that have continual software support from the vendor. This is important if you change your computing platform like what Apple hopes us to do or move to newer versions of our current operating systems.

As well, you should make sure that you have good desktop security software on your computer. You could even get by with free programs like AVG or Microsoft Security Essentials. Even Macintosh users should make sure they run good anti-malware software on these computers especially as software threats are targeting this platform as well.

It is also worth making use of strong passwords or other data-locking options that the operating system or USB security software may provide for the confidential data. This may work in conjunction with the common practice of keeping the removable media under lock and key such as in a locked filing cabinet or safe.

What I fear is that a lot of press concerning data security tends to be focused at the big end of town and smaller users tend to be forgotten about. As well, a lot of the good-quality data-security options are often designed and priced out of the range of the small business operator or consumer even though there is a need for this level of data security amongst some of this class of user.