The core principle for achieving success in business operations is through the intelligent use of data. Hence, data center security becomes important as all the data is stored, archived, processed and transmitted through a data center. Securing the data center is a formidable task for data center operators with the continuous innovation in business models, new technology coming to the fore, the growing incidences of threats and the heightened pressure around compliance.
Traditional data center security approaches that have been used in the past will not hold good in the new scenario. Data center operators need to use new technologies and establish a comprehensive security ecosystem of controls, processes and policies.
Data center security, in current times, is completely different from what it was, say, a decade ago. The data center in itself has undergone a huge transformation. The erstwhile data center was just an IT establishment for providing raw computing power whereas the new data center acts as a catalyst in an organization’s growth plan and has to be agile, scalable, fast and service oriented.
While the traditional data center mostly supported the demands of internal users, the scope of operations of a modern data center is varied – in addition to internal users it also caters to an increasingly mobile workforce, customers, suppliers and business partners globally. Hence, the task of securing the data center becomes arduous.
Enterprises look at consolidation of the data center as a strategy to mitigate complexities in the data center environment, increase resource utilization and efficiency to improve performance and service levels while at the same time reduce costs. Consolidation helps in centralizing information in a few locations. Consolidation also helps in keeping the information secure and gives organizations the opportunity to address security bottlenecks in a deemed manner in order to have a robust IT security infrastructure.
New technologies like virtualization and cloud help organisations to grow and expand their business but bring with them a few challenges too. For example, in a virtualized environment, it can be difficult to segregate or gain visibility into communication between two virtual machines on the same host, or check if all the critical servers have been properly configured and patched. With the cloud, there may be challenges related to sovereignty of the data, dependence on service level agreements (SLAs) and security controls that are external to the business enterprise. To add to all these, there are cyber threats that can have adverse impact on the business and can lead to financial as well as reputation loss.
Information security governance framework
Though most business enterprises understand the importance of ensuring safety of data, security and compliance still remain a challenge to comprehend, implement and maintain. In relation to a data center, security is a vital component but one that involves complex challenges. Without a proper information security governance framework, many businesses are simply unaware of their risk exposure and could be vulnerable to operational, financial and reputational damage.
An information security governance framework ensures that information security strategies support business objectives, manage risks appropriately, use organizational resources responsibly, and are consistent with applicable laws and regulations.
In order to be effective, the information security governance framework has to be an integral part of the overall corporate governance strategy and has to be ‘real time’. It also needs a complete sign in and support from the top management for roles, responsibilities and ownership to be assigned.
For any security initiative to be successful, it requires a framework that can lay down a road map for the development and maintenance of comprehensive information security architecture. This framework generally consists of:
- An information security risk management methodology
- A security strategy explicitly linked with business and IT objectives
- A security organizational structure
- A security assessment strategy that evaluates the value of information that is protected and delivered
- Security policies that address each aspect of strategy, control and regulation
- Security standards for each control monitoring processes to ensure compliance and provide feedback
- Continual evaluation and updating of security policies, standards, procedures and risks Once the organization has developed a security governance framework, it can be used to develop a security architecture that supports and augments the organization’s security objectives.
Developing the Security architecture
Efficient security architecture is one that links business and IT objectives, provides the correct information for compliance requirements, strikes a balance between security controls and operational expenses and takes into consideration the existing IT infrastructure and deployment models. Developing security architecture is a multi-phased approach that takes into account the business strategy of the organization over a period of time. If the organization plans to embark on a business expansion path or make additions to the application deployment model, this will not just have a bearing on the IT architecture in the data center but also its security.
The next step is to determine the current security state of the data center. The ideal way to do this is to collate and analyze information on the network and security devices to identify vulnerabilities with respect to inter-network operating system, network and device configuration. This assessment should include penetration tests, internal and external audits of security policy and compliance controls. It should be followed with an assessment of the security infrastructure covering the network, systems, end points, applications, compliance policies and regulations.
The assessment of the current security state and security architecture & infrastructure of the data center will highlight areas that need to be augmented. The gaps, if any, need to be fixed by employing the necessary security solutions and technologies. Additionally, changes to the existing IT infrastructure and deployment models may also be required. Using the improved security architecture as a base, the business can then map out the actions and projects that will eventually align its business strategy with its IT master plan.
Layered security controls
As discussed earlier, organizations can no longer depend on traditional security methods to secure their data centers. Most of the traditional approaches focus mostly on protection at the network perimeter and physical security. One major flaw of the approach is that once the network is breached, intruders can get easy access to systems and data within the network.
Network perimeter defences also fail to counter threats from internal sources. In order to defend corporate systems and data assets in today’s data centers, organizations need a strategy that encompasses all the components of their IT environment, from the network to the perimeter, data, applications, servers and end points, thus minimizing and managing all the weak points and vulnerabilities that expose the organization to risk.
Since no single technology can counter all the threats, multiple technologies have to be deployed. It is advisable to deploy these technologies in layers, should one be breached, the others continue to provide security. Data centers, today, should look at multi-layered security strategy that includes elements for protecting the infrastructure (corporate network, servers and end points) and applications, with an additional layer comprising security operations.
Protecting the infrastructure
A layered strategy for data center security starts at the first line of defence – the network layer. All physical devices in today’s business environment have an IP address and are connected to a network. Most of the attacks happen at the network level including breaches that eventually touch the network at some point. A network security strategy should be cohesive and should include technologies that together protect the entire network fabric, making it resilient to breaches and attacks. This includes technologies for traffic monitoring and access control, intrusion prevention (including wireless), zero-day attack prevention, web security gateways, and end-point protection.
Technologies at the server level include malware protection, host intrusion prevention, and data loss prevention systems. These are complemented by the inclusion of application control software for blocking unauthorized applications and code on servers and other assets, and for whitelisting users who are authorized to make configuration and other changes. In addition, all software must be updated with the most current security patches.
The default user accounts created for server installations must be deleted. Unused modules and application extensions, and unnecessary services also need to be removed so as to minimize the number of open ports. Servers containing sensitive data should be further shielded isolating them in dedicated secure segments of the corporate network, with access to these segments controlled via tiered firewalls.
To minimize the risk to corporate infrastructure and data from an increasingly mobile workforce, end points can be secured using solutions for malware protection, access control and identity verification.
Application layer security
Organizations use a mix of open source, internally developed applications and commercially available applications. These applications can be vulnerable to attacks if they have not been written to strict secure code guidelines or not secured on a life cycle basis.
The need to keep applications secure has become more critical as more organizations transact and engage customers, partners and even regulators over the Internet and are expected to keep the related data safe. Having a dedicated web server for Internet facing applications and storing the data in a protected data warehouse can help ensure this.
To ensure that only authorized users are allowed to access and use applications, organizations should have, at the minimum, identity management and single sign-on technologies. Complementary solutions include encryption software and gateways for applications such as email.
Security operations and management
For security architecture and security technologies to be effective, they need to be supported by the people who operate and manage these tools. Security operations encompass risk and vulnerability assessment, incident management and remediation, change management, event monitoring, forensic investigation of attempts and intrusions, and asset and configuration management.
When reinforced by the right policies, procedures and processes, and managed in a cohesive and coordinated manner, these services can give the organization a full view of its current security risk, enabling it to make informed decisions about both its immediate priorities and future plans to improve security and manage risk.
The success of any business enterprise depends on how it uses data and information gathered from disparate sources. The responsibility of securing this data and the data center lies with the enterprise and it can do so through the use of correct technologies to build a fail proof security ecosystem. An information security governance framework and well-implemented security architecture can enhance the capability of the technologies deployed in creating a security ecosystem that can shield the modern day data center from threats.