Brian Chappell, the director of engineering, EMEAI, with BeyondTrust, says data centre operators need to move away from reactive security measures and into pre-emptive security design.
Any organisation investing in information technology and networks including data centres should build their security strategies based on solid foundations. This may sound like an obvious statement but all too often it does not happen and instead, organisations continue to build ‘big walls’ around their environments and invest in the latest technology tools, in the hope that this will keep them safe.
Without accurate knowledge of the entire security landscape – at every point in the network – there is the risk that companies are relying on security strategies that are built on shifting sands and are, therefore, at risk of collapse. So what’s the answer? It boils down to three areas: having the right information, viable policies and processes, plus the appropriate tools.
Having the right information entails knowing what the starting point is: who has access to what. Who in your organisation has admin rights? Organisations can find this kind of information very hard to map, because admin rights are often automatically granted. As has been seen in the news over recent months, loose admin rights – or excessive ‘privilege’ – lead to all kinds of data breaches.
So, a very easy step is to start applying the principle of ‘least privilege’. Instead of admin rights being the default, in effect giving implicit privileges, only apply it as and when needed (explicitly). This approach is partly policy-driven, but there are also software tools available that can help.
Least privilege is a great way of locking down many holes on the attack landscape (an estimated 90 per cent of known Windows 7 vulnerabilities), so with that in place, organisations can start taking a proper look at the foundations.
Let’s use the analogy of a building. You wouldn’t construct a data centre building without having a clear idea of who has access to what: you would know where the access points are, what kinds of locks are being used and where, which rooms have interconnecting doors and you would certainly make sure that the doors and windows are secure. IT systems are no different. There are tools that can help organisations to identify where potential vulnerabilities in the technology framework could occur.
In today’s increasingly disparate environment, vulnerable points can include virtual machines, mobile equipment and web apps. In a data centre, this could be the data centre manager who can log into his or her VPN from a tablet. Importantly, security is not just about stopping the bad guys getting in; it is about limiting what they can do once they are inside. Since many security issues are created (often mistakenly) by internal staff, focus on making sure that once there is a problem, different levels of the data centre’s technology infrastructure can be locked down.
Achieving this requires effective application of both policies and processes, then the technology tools to manage them. A good starting point for ‘best practice’ in systems configuration is the Security Content Automation Protocol (SCAP) framework, which gives companies access to a whole host of resources that can allow them to leapfrog forward in managing their environment’s securely.
With the right processes and policies in place, organisations can start looking at tools, including intrusion detection, vulnerability management or good old anti-virus software. There is not room here to list the vast array of options available these days, but I would say that it is important to understand the following:
• No one tool will do everything
• What works well in one part of the organisation may not work as well in another
• Security tools DO overlap – and that needs to be taken into account
• While each part of the data centre’s security needs to be looked at individually, don’t lose sight of the whole picture as well as how one process or tool may impact on another
• Don’t be tempted to go out and buy every new tool that is introduced – the latest ‘shiny new thing’ may not be right for you (and applying the ‘sticking plaster’ approach isn’t a cure).
Fundamentally we need to move away from reactive security measures and into pre-emptive security design. This can only be achieved if we know what the current landscape looks like, with a solid foundation of knowledge. It’s much easier to plan the next leg of your journey if you know your starting point. The basics of configuration compliance, least privilege and vulnerability management all allow data centres to know where they are in terms of security, while also allowing them to plan where they are going.