Network Attached Storage – NAS

Data needs are in an almost persistent state of evolution and expansion, and solutions for secure, reliable storage to address those needs are a top priority for administrators. It is important when considering solutions to perform due diligence through the selection process, ensuring the appropriate product is chosen.

Purchase of a consumer-grade Network Attached Storage (NAS) solution may stem from a desire to cut costs or from the portability of a desktop-attached device, but consumer-grade storage solutions are not an appropriate choice for UNC-Chapel Hill’s sensitive information and are not recommended over the enterprise shared solutions and services provided by ITS and/or local IT Departments. Consumer-grade NAS devices are designed for ease of use and end-user convenience and usually cost less, but they typically do not include some of the essential components of enterprise storage. Business-related storage includes robust security components, durable hardware, redundancy and fault tolerance, high-quality vendor support, access controls and logging, and backup/archiving capabilities, and may include encryption. The components in enterprise-grade equipment are tuned for heavy use to prevent failures that can hamper the availability of data (see Appendix A).

Devices that work with any sensitive, University-owned information must meet standards detailed in the Information Security Controls Standard. In addition to the points already discussed, NAS located in a University data center provides far greater physical security, regularly scheduled backups, power redundancy, and peace of mind, making it the preferred avenue for data storage within the UNC-Chapel Hill community.

Considerations and Risks with Standalone NAS Devices

Reports of NAS devices granting file access without authentication over public-facing network (IP) addresses, and containing “share all” settings that can be manipulated through firmware vulnerabilities, have been part of the conversation regarding best practices for several years (Leyden, 2014). In 2016, Ameriprise investments suffered a breach related to an employee using an unsecured consumer-grade NAS device as a desktop backup (Spring, 2016). This lack of effective access controls led to the exposure of hundreds of investors’ banking information. More recently, in January 2017, it was revealed that NAS device manufacturer QNAP may have been informed a full year earlier of a firmware vulnerability that allowed for remote access, with no patch having ever been issued (Pilkey, 2017). Examples like these are not isolated incidents; they are indicative of the differing support cycles and quality controls that exist between off-the-shelf consumer-grade and enterprise-level solutions.

Please consult your local technical support, your Information Security Liaison or contact if you have questions.

Appendix A

| | Desktop HDD | NAS HDD | Enterprise NAS HDD |
|---|---|---|---|
| Reliability | 750K Hours MTBF | 1M Hours MTBF | 1.2M Hours MTBF |
| Work Load Rating* | 55TB | 180TB | 300TB |
| Usage | 8 x 5 | 24 x 7 | 24 x 7 |
| Usage By Form Factor | 1-2 Drives | 1-8 Drives/Bays | 1-16 Drives/Bays |
| Motor | Bottom Attached | Bottom Attached | Top and Bottom Attached |
| Rotational Vibration** | 5 | 5 | 12.5 |
| Balance Control | Basic Disc./Motor Balance | Dual Plane Balance | NA |
| Vibration Control | NA | NA | RVFF Sensors |
| RPM | 5900 | 5900 | 7200 |
| Base Plate | Standard | Standard | Structural Rigidity |
| Top Cover Attached | No | No | Yes |
| Voice Coil Magnets | Standard | Standard | High Flux Density |
| Seagate Acu_trac | Non-standard | Yes | Yes, advanced |
| Disk Clamps | +Weighted | +Weighted | Top and Bottom Attached |
| Heads | Standard | Performance | Performance |
| Disks | Standard | Performance | Performance |
| Humidity Sensors | No | No | Yes |
| Adaptive Fly Height Tech. | Yes | Yes | Yes |
| Firmware | Basic Desktop | NAS Optimized | NAS Optimized |

*The average annualized workload rate limit is in units of TB per year, or TB per 8760 power-on hours. Workload rate limit = TB transferred x (8760/recorded power-on hours).
**Rotation Vibration RV 1500 Radians/sec^2

Source: (Beeler, 2015)

Appendix B

NAS devices to consider if needed:

Greater than $1,000 with storage…

  • Synology DiskStation DS412+ or DS1513+
  • LaCie 6big or 12big Thunderbolt 3

Less than $1,000 with storage…

  • WD My Cloud EX4 or EX2
  • Synology DS214se


Pilkey, A. (2017). Serious vulnerabilities in qnap nas not patched after almost a year. F-Secure. Retrieved on 13 Feb 17 from

Beeler, B. (2015). Pick the right drive for the job – 24/7 nas hdds vs desktop hdds. Storage Review. Retrieved on 13 Feb 17 from

Leyden, J. (2014). Do you use nas drive? For work? One just leaked secret cash-machine blueprints. The Register. Retrieved on 13 Feb 17 from

Spring, T. (2016). Insecure nas device exposes 350 ameriprise investment accounts. Threat Post. Retrieved on 13 Feb 17 from