Valuing the security value of NAS storage

Garmin paid, reportedly millions. Do you sleep well at night knowing that the scourge of ransomware is rampant and ever threatening your business? Is your storage safe enough, or have you invested in storage that was simply economical (also known as cheap) for your pocket?

Garmin was hacked by ransomware

I have highlighted this before. NAS (Network Attached Storage) has become the goldmine for ransomware. And in the mire of this COVID-19 pandemic, the lackadaisical attitude towards securing NAS storage remains. More often than not, end users and customers, especially in the small and medium enterprise segment, continue to search for the most economical NAS storage to use in their business.

Is price the only factor?

Why do customers and end users like to look at the price? Is the economical capital outlay of a cheap NAS storage with 3-year hardware and shallow technical support that significant to appease the pocket gods? Some end users might decide to rent cloud file storage, Hotel California style, until they count the 3-year “rental” price.

Here is a table I did in March 2020 for a potential customer who had the idea of using cloud file storage with 20% infrequent access. So:

  • The capacity is about 250TB
  • The egress and API request fees are not included. Only storage costs
  • The exchange rate (today: Aug 10, 2020) is USD$1.00 = MYR$4.20

Cloud Storage Pricing comparison

Holy smokes, Batman! That is a lot of money because end users are not Bruce Waynes. A 250TB FreeNAS™ storage crafted with enterprise-grade components using Supermicro servers would probably cost MYR150,000.00 or less. The end user was in a bind.

According to Gartner, the average cost of IT downtime is USD$5,600 per minute. From a Malaysian business point of view, that figure seems relatively big. Let us assume that, in the Malaysian context, the downtime is USD56.00 per minute, just 1 percent of the Gartner figure. That is about MYR225.00 per minute, MYR324,000.00 per day.

When we contrast the price of a good, hardened NAS storage versus the cost of downtime – MYR150,000.00 vs MYR324,000.00 (per day), it is a no-brainer, right? But why do customers and end users continue to skimp and be stingy with their storage technology investment?

It won’t happen to me

Society worships superiority. Superman makes sense and we see ourselves as invincible. We are played that tune, “It won’t happen to me”, over and over again. We have been conditioned by our society to frown upon vulnerability and the weak, until ….

Let me share a story from 2 years ago. A rather large 3D Animation studio in Malaysia was running QNAP for more than 6 years. Yeah, QNAP was cheap and it was at its limit of 30TB for that particular model. They got hit by ransomware and all their production files were encrypted. They chose not to pay, and decided to redo the entire length of the movie. That took them about 30 days, with about 60 CG artists, video editors and other authors of the content.

In my mind, I did a mental calculation. I am assuming:

  • The average salary in the 60 people is MYR4,000.00 per head
  • So, for the work of 30 days, MYR4,000 x 60 = MYR240,000.00 (~USD60,000.00)

Was it worth it? In Garmin's case, paying the ransom seems to be the better option. The ransomware may have brought the USD$3 billion business to its knees and may have decimated the organization as well.

Garmin annual revenue 2016 – 2019

QNAP (and other economical NAS) vulnerabilities 

Since that conversation with the 3D Animation studio 2 years ago, I have become more aware of, and more attuned to, the security vulnerabilities of economical NAS storage solutions out in the market. Here are a few newsworthy reports:

Naturally, all the affected NAS companies issued statements that they have fixed the CVEs (common vulnerabilities and exposures), but there are probably thousands of economical NAS storage systems out there that remain unpatched and not updated to combat ransomware.

Remain vigilant

The targeting of these economical NAS storage systems does not mean that the more advanced, higher-end NAS storage is free from ransomware. That is why we have to continue to advise businesses and enterprises to remain vigilant. Cyber resilience is one of the key “weapons” to defend against this scourge, but not all storage protection solutions are the same.

Was the cost saving worth it? 

There are many NAS storage technology companies out there that claim resiliency and superiority over ransomware. But a good investment in hardened storage is not enough. Cyber security and cyber resilience live in an ecosystem. The people, processes and technology mix in the constant flux of a Tom and Jerry cat-and-mouse game, along with the boil-and-bubble cauldron of the 3 witches in Macbeth. And it has to have many layers, just like what Shrek said.

Shrek has layers

Always remember that there is no such thing as “It won’t happen to me”. In the end, if the value of NAS storage is worth a good night's sleep, that is value well spent.


About cfheoh

I am a technology blogger with 30 years of IT experience. I write heavily on technologies related to storage networking and data management because those are my areas of interest and expertise. I introduce technologies with the objective of getting readers to know the facts and use that knowledge to cut through the marketing hype, FUD (fear, uncertainty and doubt) and other fancy stuff. Only then will there be progress. I am involved in SNIA (Storage Networking Industry Association) and between 2013-2015, I was the SNIA South Asia & SNIA Malaysia non-voting representative to the SNIA Technical Council. I am currently employed at iXsystems as their General Manager for Asia Pacific Japan.
