How do you build a secure Synology storage system?

A secure storage system is crucial to protect your data. With today's attack frequency, you can't ignore it anymore. After all, if the sturdy fence you have built on the front end with all sorts of tools and strategies is still breached, you are almost entirely dependent on the security of your storage server. At a recent Synology event, we spoke with Managing Director Victor Wang about the importance and realization of a properly secured NAS.

Ransomware and data breaches are in the news daily because of the serious consequences for affected businesses. Hackers penetrate an organization, access internal systems, and encrypt files. The hackers often set a threatening tone: pay up, or we will publish the data on the dark web. Theoretically, this could happen to any company. Additionally, cyberattacks are becoming increasingly professional, including hackers' use of generative AI, and the need for adequately secured storage systems only grows. Securing NAS servers and data is, therefore, more relevant than ever, a view Wang shares.

The first line of defense

A security strategy should, therefore, consist of multiple layers based on what is coming at organizations. Measures at the front can withstand most attacks. Synology addresses this first line of defense, to put it in security terms, with solutions to prevent unauthorized access. This is done by implementing Identity & Access Management (IAM) for your NAS systems through user authentication and account lifecycle management. Synology offers C2 Identity, a relatively unknown service that helps build a more robust security wall around your business by reducing the number of access points through a single login portal.

If you want to implement IAM properly, it is essential to limit data access based on a user’s role within the organization. This means giving employees access only to the data necessary for their work. This applies to current and former employees. Upon leaving employment, data access should be revoked immediately to prevent misuse. Within C2 Identity, there are options to delete accounts to stop such unwanted access quickly.

C2 Identity further supports various forms of multi-factor authentication, such as fingerprint and facial recognition, and hardware security keys. Thanks to an additional authentication step that is difficult to bypass, unauthorized users cannot access the Synology NAS.

Managing devices

Device management is another important element within a security strategy. After all, unmanaged devices are a weak link and are susceptible to malware or other threats. C2 Identity focuses on central device management in addition to identity management. This allows administrators to configure and secure devices even outside the corporate network. This includes provisioning and monitoring Windows and Mac computers through a single console.

Within the console, administrators have visibility into all devices. If necessary, they can perform management tasks in bulk, such as writing and executing scripts. This is useful for compliance reporting or data protection, such as disabling and locking devices in case of an incident.

A person stands on a stage next to a screen with the text "From IAM to backup: protection from the outside in" during a Synology presentation event.

The last line of defense

IAM and device management measures ensure that the necessary steps can be taken at the front end to take storage server security to the next level. However, it is also relevant to put measures in place to protect data in emergencies. Synology addresses this with Active Backup for Business, which allows you to create backups of data, devices and platforms. Synology has long used a 3-2-1 strategy as the gold standard. That is, three copies of your data, on two different media and one off-site. With source deduplication, only unique data is copied, which keeps the speed and efficiency of backups up to par.

Regularly checking the integrity of backups is necessary to maintain the right strategy. Active Backup for Business provides verification tools that allow the administrator to verify that data is intact. The tools can be used to automatically restore damaged data and test whether restore actions are feasible. This increases the reliability of backups and provides additional assurance that data will be available in emergencies. Manual recovery testing ensures that stored backups remain usable. This keeps your organization prepared and makes backups a last resort in the event of an incident.

Isolating backups

It is becoming increasingly common within backup strategies to have extra secure versions of data copies. This is done via immutability, which prevents backups from being modified. The data is stored in a way that makes it impossible to modify or delete for a period of a few days or weeks. Even a hacker will not succeed in changing the data.

Additionally, there are airgap techniques for modern backups, which temporarily disconnect devices from the network to protect them from attacks. Isolating backups from the primary network can be useful to further reduce the impact of attacks. Active Backup for Business provides tools for temporarily disconnecting devices from the network via airgaps. This reduces the likelihood of backups being compromised by ransomware or other network-based threats. Combined with immutable backups, this provides a deeper layer of security.
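
The 3-2-1 rule and the immutability and airgap measures described above can be checked against a backup inventory. The following is an added example, not Synology code or an Active Backup for Business API; the `Copy` record, media labels, sample inventory and dates are constructed, and the primary data set is assumed to count as one of the three copies.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class Copy:
    name: str
    media: str                       # constructed labels: "nas-disk", "cloud-object"
    offsite: bool
    immutable_until: Optional[date]  # None = can be changed or deleted today
    network_reachable: bool          # False = air-gapped at audit time

def survives_network_attack(c: Copy, today: date) -> bool:
    """A copy survives if an attacker on the network cannot alter it."""
    locked = c.immutable_until is not None and c.immutable_until > today
    return locked or not c.network_reachable

def audit(copies: List[Copy], today: date, warn_days: int = 7) -> List[str]:
    findings = []
    if len(copies) < 3:
        findings.append(f"3-2-1: only {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        findings.append("3-2-1: all copies share one media type, need 2")
    if not any(c.offsite for c in copies):
        findings.append("3-2-1: no off-site copy")
    if not any(survives_network_attack(c, today) for c in copies):
        findings.append("isolation: no immutable or air-gapped copy")
    for c in copies:
        # A lock about to lapse leaves a reachable copy unprotected.
        if (c.immutable_until and c.network_reachable
                and today < c.immutable_until <= today + timedelta(days=warn_days)):
            findings.append(f"isolation: lock on {c.name} expires {c.immutable_until}")
    return findings

TODAY = date(2025, 1, 10)  # constructed audit date
INVENTORY = [              # constructed sample inventory
    Copy("primary-volume", "nas-disk", False, None, True),
    Copy("local-backup", "nas-disk", False, date(2025, 1, 14), True),
    Copy("remote-backup", "cloud-object", True, None, True),
]

if __name__ == "__main__":
    for line in audit(INVENTORY, TODAY) or ["no findings"]:
        print(line)
```

The sample inventory satisfies 3-2-1 on the audit date, yet its only protected copy depends on a lock that lapses four days later, which is the gap the expiry warning is there to catch.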

Additional depth in security strategy

In principle, with the above steps, you have completed much of the first and last line of defense. However, there are additional mechanisms that ensure that data on a Synology system are and remain secure. For example, encryption is used to protect data in motion. The encryption options should ensure that files can only be accessed with the appropriate keys. Even during a data breach, data remains unreadable to unauthorized persons. Additionally, audits and pen tests are one way to detect potential vulnerabilities. To this end, Synology provides tools to support audits, giving organizations insight into possible areas of improvement within their storage system. Regular audits are a preventive measure to stay ahead of attacks.

A NAS server is also part of a broad IT infrastructure. Therefore, it should not be a gateway for a hacker to your entire organization. Network segmentation can improve security by separating access to different network parts. Synology thus offers VLAN deployment options, which can be used to optimize and isolate network traffic. This minimizes the impact of a potential breach by limiting unauthorized access to a single segment. In this way, you ensure that the NAS adopts a layered security strategy, making your storage system a secure storage environment across the board.
