NAS is not necessarily less secure than a SAN; NAS security is just done differently. With a SAN, you are getting volumes (or LUNs) served up to operating systems for usage. Those LUNs can have file systems on them or databases or some other direct usage. The security is at the SAN level, controlling the access to the LUN, and at the server operating system (and application) level, controlling the users who have access to the data.
For NAS security, the file system (or file systems) are on the NAS device and the access to the file system and the files within the file system is controlled by the privileges that are assigned (typically called access control lists). If the privileges are set up correctly (either manually or through system control such as Active Directory), users that are not authorized are denied access.
This was first published in November 2010