Network Attached Storage Devices

Introduction

Data is an important asset for the University and there are policies and procedures in place to protect it.  Grant providers may also have requirements regarding data storage and its retention.

Generally speaking, when choosing where or how to store your data you need to consider disaster recovery and business continuity as well as confidentiality, integrity and availability.

This document lays out the considerations when choosing a Network Attached Storage (NAS) device for data storage, and when such devices will be permitted to be connected to the University/Clinical School network.

NAS device discussion

NAS devices often have an important role in research. This includes use as temporary data storage (e.g. scratch space) or as a holding place for data prior to backup.

However, appropriate hardware should be used in these instances.  Consumer-grade NAS devices are strongly discouraged because:

Requirements for data storage

Essentially NAS devices are servers with lots of disk space and they need to be adequately secured, be kept up to date and otherwise meet the University’s various policies, such as:

Situations where NAS devices are suitable

The Recovery Task Force has determined that NAS devices can be used when the following conditions are met:

  • IFS performance is not sufficient (read/write performance or network latency)

  • Needs mixed NFS/SMB

  • Scratch space or temporary data that is held on a NAS and quickly moved to another location (provided it is not level 3 data)

  • NAS is staging data from an instrument device prior to being moved to a central storage system such as RCS, RDS or IFS (e.g. HPC)

  • Physical proximity or direct connection to an instrument is necessary

What to do if a NAS device is not suitable?

If you previously had a NAS device connected to the network but it does not meet the above criteria, you should consider the many central University data storage services available. It is anticipated that IFS would be suitable in many of the situations in which NAS devices were used. If your budget does not stretch to central services, speak with CSCS or your Business and Operations Manager to discover what options may be available. The University have agreed to underwrite IFS costs for a period to allow grant applications to catch up with spending requirements. Options are currently being explored for research data.

Institutional File Store (IFS) - https://help.uis.cam.ac.uk/service/cloud-services/institutional-file-store-service-ifs

Research File Share (RFS) - https://www.hpc.cam.ac.uk/research-file-share

Research Data Store (RDS) - https://www.hpc.cam.ac.uk/research-data-store

Research Cold Store (RCS) - https://www.hpc.cam.ac.uk/research-cold-store

To opt to move your data to one of the above central services please fill out this Microsoft Form: https://forms.office.com/Pages/ResponsePage.aspx?id=RQSlSfq9eUut41R7TzmG6eI5ps7YxvhOpLs9ngrUbvRUMUlZQzc3U0FMMkxWRVU3RFY5WFlWRjFXQi4u . Ensure you indicate at the bottom of the form which service you think will be most suitable. CSCS will review the form and get back to you to organise the movement of your data.

Suitable NAS devices

If your NAS device meets any of the suitability points above, fill in this form to request that it be reconnected to the network - Microsoft Forms. Your response will be assessed and then prioritised and assured before connection to the network.

If a NAS device needs to remain on the network, it should be put on a private VLAN so that it is segregated from all other devices. NAS devices require dedicated resources to function properly, remain fit for purpose and be kept up to date. Such resources are out of scope for most IT teams.
To remain on the network, a NAS device should meet the following criteria:

  • Business-grade hardware is ideal, e.g. with redundant disks (RAID) and rack mountable

  • Network connection is to a private VLAN with the following characteristics:

    • Connected directly to the firewall

    • No access to other devices or systems unless specifically enabled by IP address

    • Access to other devices or systems limited to instruments, scanning PCs or storage systems such as IFS.

    • Limited or no internet access (limited access may be required for some to keep software/firmware updated) but otherwise unavailable

    • No remote access available (via VPN or other methods)

    • Suitable location – a NAS device will ideally be placed in a rack in a managed server room; if that is not possible:

      • Room it is in should have restricted access

      • It should be on a stable surface

      • There should be climate control

      • Each device requires a nominated owner(s)

      • Hardware is PAT tested

      • Hardware should have power protection (minimum surge protection, ideally UPS)

      • Device can be scanned to audit that the NAS operating system is patched and checked for vulnerabilities

  • Will need to be assured following an agreed process to ensure it is safe for the network

  • Up-to-date and supported software (firmware)

  • Enable any malware or virus protection on the NAS or ensure the device accessing it has external on-access scanning of data enabled

 
