How to Secure Direct-Attached Storage (DAS): 5 Steps

Enterprise Storage Forum content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Direct-attached storage (DAS) security is critical for all companies that use solid-state drives (SSDs), hard disk drives (HDDs), or arrays in conjunction with their computer systems. 

DAS is directly connected to a computer or server, whether through a cable or installed inside the computer. It’s not accessed over a network and cannot be remotely accessed, such as from geographically separate data centers. DAS systems should be protected at the server and physical level, when sharing data, and by maintaining backups. The following guide to securing DAS systems provides recommendations for companies that need to protect their storage devices and arrays: 

How to secure DAS

• Protect computers and servers
• Secure physical premises
• Share stored data securely
• Implement strong backup practices
• Monitor storage devices and systems

1. Protect all computers and servers 

Businesses should implement strong passwords for all devices, set clear access controls, and perform immediate system updates and patching to keep their computer systems secure.

Create strong passwords

Teams should require strong individual passwords for all users to access the computer or server to which any storage device is connected. Once a user has access to the computing system, they have a clearer path to the HDD, SSD, or array attached to it. 

To implement strong passwords for all storage systems: 

1. Closely collaborate with the company’s IT team to determine their minimum password requirements.
2. Change all default and hard-coded passwords. Some storage devices and servers are manufactured with default admin passwords, which are very easy for attackers to guess.
3. Create passwords that have a minimum of eight characters and at least one number and special character (such as &, #, or $). Some applications, including security solutions like Norton, also generate difficult-to-guess passwords.
4. Create different passwords for each storage solution. Employees shouldn’t be using the same credentials for separate servers; if an attacker guesses one password, they’ll have access to more than one system. 
5. Use a password management system so employees don’t have to remember their difficult-to-guess passwords. Password managers use cryptography to protect credentials from unauthorized discovery.  

Implement strong access controls

Teams can set access controls manually or through an identity and access management (IAM) solution. Smaller IT teams or smaller organizations may wish to simply configure access manually, particularly if they have one or two experienced technicians who know how to closely manage system access. Large companies, especially with many team members who need at least some level of access, will benefit from IAM software so the IT team has to do less manual configuration work.

• Manual configuration: To manually configure access controls, navigate to the policy editor of the computer or server that needs to be secured. List each user that is permitted access to the system. This can also be done for individual business applications, depending on the software.
• IAM solution: With IAM software, administrators can configure access controls for each business application through the solution’s management console. These policies are automatically applied each time a user attempts to log into an application.  

Aside from requiring strong passwords to enter the computer system initially, administrators should also implement access controls for all applications on the computer or server that permit DAS storage access. Only approved users should be able to view or manage files on the connected drives or arrays. This is also a form of segmentation, a computing technology that decreases lateral movement through the system. An attacker who is required to present credentials at each application entry point will have a more difficult time breaching programs. 

IT teams should create whitelisting and blacklisting policies for each computer or server. This can be done through the machine’s security policy editor. Only approved users will be able to access the computer to which the storage device or array is connected. In a highly detailed set of policies, each authorized user’s credentials are whitelisted, or put on an approved list, and each unauthorized user is blacklisted so they can’t access the computer. 

All employees who leave the company should have their access rights revoked. This can also be done either manually or through an IAM platform, but it must be done thoroughly so no previous storage personnel are able to enter systems with old credentials or back doors.

Update systems and device regularly 

Computer systems and servers are vulnerable to attacks when they have out-of-date software and unpatched vulnerabilities. Often, attackers anticipate vulnerabilities and immediately breach a system when updates on a bug are released to the general public. Companies must be a step ahead and immediately patch their software or update to the latest version to protect against rapid attacks.

To stay up-to-date on system software: 

1. Monitor feeds from hardware and software providers, including the manufacturers of all storage devices as well as the operating systems on company computers. These providers will announce when a vulnerability is discovered so their customers can immediately patch it. 
2. Determine the chain of command for IT teams. Knowing who is responsible for various updates will help IT personnel react quickly when a change is needed. 
3. Scan both computer system software and storage devices for anomalous activity. Using security monitoring software can help teams uncover when an unauthorized user has accessed a system.   

Learn more about how to defend common IT security vulnerabilities. 

2. Secure all physical premises

Since DAS is connected to a computer or server in either an office or data center setting, the storage device or devices can be physically stolen. Businesses should require all employees and contractors to present credentials, such as a key fob or badge, at their premises if they store their data at their office. 

Data centers should have the same, if more, physical security. To secure data centers: 

1. Require entry credentials for the entire facility. Server rooms with DAS should also require a separate key for entry. 
2. Only give keys to team members who absolutely need to enter the server room to do their job.
3. Set policies that require two people to enter server rooms at the same time to decrease the risk of insider theft and increase responsibility.

3. Share stored data securely

Because DAS cannot travel across a network, like a SAN, businesses must find secure ways to transfer stored data from arrays and disk drives. All data transfers should be encrypted end to end, and all shared files should have specific permission controls to determine not only who can edit the file, but who can view it. 

Sharing DAS data can be cumbersome because the storage is only available to the attached device, like a specific server. To share files stored on a flash drive or SSD, for example, users may have to download the files first. 

File sharing tools are beneficial tools for storage teams that need to share DAS-stored data frequently. These solutions often include features like password-protected sharing links and link expiration after a determined period of time. If storage employees choose to send files through email, the data should always be encrypted.

4. Implement strong backup practices 

All hard drives, SSDs, and arrays should be backed up. Take inventory of each storage device and array, making copies of every file on each device. 

Determine how often the business’s data needs to be backed up and set backup schedules based on that time frame. Determine the company recovery time objective (RTO) as well, so backups can be restored in an acceptable time frame to avoid losing money and data. 

Store at least one copy of all data on each device in a different location or in the cloud. Additionally, make sure that any mission-critical data is still available in case of theft or an outage. This looks like storing backups of critical files in a quickly accessible protected location, such as a private cloud storage solution.

DAS is difficult to back up and make available, but storing backups of DAS data is still critical. It ensures that other copies of the data exist if a breach or system failure occurs. 

5. Monitor storage devices and systems continually 

Ensure that your business is frequently scanning all storage devices for malware. Teams can do this with vulnerability scanning software. Each time an employee removes a device from one computer system, scan it for viruses before transferring it to a new system. If the device is infected with malware, installing it in a new computer or server will spread the malicious code farther. If it’s scanned before moving, the business is better able to quarantine the infected system and deal with the malware there, rather than in two systems. 

IT teams should also frequently scan and monitor the computer systems on which DAS is installed. Downloading antivirus software onto all computers with DAS will help identify potential infections so they can be mitigated. If a user visited an application or website on that computer system and accidentally downloaded malware onto it, any connected storage could also be infected. 

Learn more about data center security.

Bottom line

Protecting proprietary information and customer data stored on DAS devices requires businesses to not only secure the devices themselves but also to safeguard computer and server access. All DAS is connected to a machine that needs strict access controls as well as physical security protocols, like limited on-premises access. All businesses with DAS should create a detailed plan that includes these five steps so their data remains safe.