Digital information is the lifeblood of every modern organisation. Used properly, it can be transformed into knowledge for guiding strategy, making key business decisions and managing day-to-day operations. For data to be used in these ways, it has to be untainted, kept safe, and made available. This means that the data centre, the ‘heart’ through which almost all data flows, has to be kept healthy and secure.
Data centre security today is vastly different from what it was, say, a decade ago. Firstly, the data centre has undergone a huge transformation. While the traditional ‘big iron’ data centre was tasked with providing raw computing power, the new-generation data centre acts as a fast, agile and serviceoriented provider of IT utility.
Furthermore, while the traditional data centre served mostly internal users, the new-generation one caters to a broader constituency comprising increasingly mobile employees, customers, suppliers, and business partners across the globe. This makes the responsibility of securing the data centre even more onerous.
Many enterprises have consolidated their data centres in order to mitigate IT and process complexity, increase resource utilisation and efficiency, improve performance, and raise service levels and consistency – all while trimming costs. Such consolidation centralises information in a smaller number of locations. While this makes the responsibility for keeping information secure more exacting as it should, it also gives organisations the opportunity to address security in a proper manner, with the outcome being a sturdier overall IT security posture.
New technologies, too, impact security in today’s data centres. While virtualisation and cloud technologies help reduce costs, boost efficiencies, and speed up business operations, they also introduce new risks. For example, in a virtualised environment it can be difficult to separate or gain visibility into communication between virtual machines on the same host, or locate all critical servers to check if they have been properly patched and configured. The use of cloud offerings brings challenges around data sovereignty, and dependencies on service level agreements (SLAs) and security controls outside of the company.
In addition, the threat landscape is increasingly ominous. Hackers have evolved from hobbyists out to cause mischief, to professional criminals and for-hire outfits engaged by states and corporations eyeing sensitive information and commercial secrets. Hackers deploy very targeted attacks and have more advanced means than ever before.
While most organisations understand the importance of keeping data secure, security and compliance remain one of the most challenging disciplines to comprehend, implement and maintain. Security in a data centre is a very broad domain that requires an understanding of complex challenges. Without a proper information security governance framework, many businesses are simply unaware of their risk exposure and could be vulnerable to operational, financial and reputational damage.
Information security governance ensures that information security strategies support business objectives, manage risks appropriately, use organisational resources responsibly, and are consistent with applicable laws and regulations.
For it to be effective, information security governance needs to be ‘real time’ and an integral subset of the overall corporate governance model. Board-level sponsorship is thus vital as this facilitates the assignment of roles, the division of responsibilities, and the allocation of ownership. Top IT management, of course, must be included in the organisational sub-structure holding the security mandate.
Effective security governance requires a framework to guide the development and maintenance of a comprehensive information security architecture. This framework generally consists of:
• an information security risk management methodology
• a security strategy explicitly linked with business and IT objectives
• a security organisational structure
• a security assessment strategy that evaluates the value of information that is protected and delivered
• security policies that address each aspect of strategy, control and regulation
• security standards for each control
• monitoring processes to ensure compliance and provide feedback
• continual evaluation and updating of security policies, standards, procedures and risks
Once the information security governance framework has been constructed, it can be used as the basis for developing a security architecture that supports the organisation’s security objectives.
Security architecture should link business and IT objectives, limit the impact of adverse events, and provide the right information for compliance requirements. In addition, it should strike a balance between optimal technical security controls and operational expenses, as well as take into account the existing IT infrastructure and deployment models. The development of such an architecture is a multi-phase endeavour. The first step is to gain an understanding of the organisation’s business strategy for, say, the next three years. What the organisation aims to do or become has an influence on the security architecture. For example, if the plan is to expand the business geographically or make additions to the application deployment model, this will impact not just the IT architecture in the data centre but also its security. The current security state of the data centre is then determined. The best way to do this is to gather and analyse information on the network and security devices to identify vulnerabilities related to the internetwork operating system, and network and device configuration. Such vulnerability assessments are usually conducted manually by security specialists, either from within the organisation or from a third party that can provide the proverbial ‘extra pair’ of hands and eyes. This assessment should include penetration tests, and internal and external audits of policy and controls compliance. A similar assessment of the security infrastructure then follows, covering the network, systems, end points, applications, and compliance, policies and rules. The evaluation of the current security state of the data centre and of the security infrastructure will reveal areas where the effectiveness of security measures can be improved. These gaps need to be filled using the necessary security solutions and technologies, and changes to the existing IT infrastructure and deployment models may be required. Using the improved security architecture as a base, the business can then map out the actions and projects that will eventually align its business strategy with its IT master plan.
As previously mentioned, organisations can no longer depend on traditional security approaches to secure their data centres. Other than physical protection, these approaches focus mostly on protection at the network perimeter. This method has one major flaw: once the network has been breached, intruders have relatively easy access to systems and data within the network. Network perimeter defences also fail to counter threats from internal sources. To defend corporate systems and data assets in today’s data centres, organisations need a strategy that encompasses all the components of their IT environment, from the network to the perimeter, data, applications, servers and end points, thus minimising and managing all the weak points and vulnerabilities that expose the organisation to risk.
Obviously no single technology can protect against all threats. Multiple technologies have to be deployed. These technologies are most effective when applied as layers. This way, should one defensive layer be breached, the other layers continue to provide security. A multi-layered security strategy for today’s data centre should include elements for protecting the infrastructure (corporate network, servers and end points) and applications, with an additional layer comprising security operations.
A layered strategy for data centre security starts at the first line of defence – the network layer. Almost all physical devices in today’s business environment have an IP address and are connected to a network. Most attacks happen at the network level, and those that do turn into breaches eventually touch the network at some point. A cohesive network security strategy should incorporate several distinct technologies that together protect the entire network fabric, making it resilient. These technologies include those for traffic monitoring and access control, intrusion prevention (including wireless), zero-day attack prevention, Web security gateways, and end-point protection. At the server level, protective technologies include those for malware protection, host intrusion prevention, and data loss prevention. Complementing these are application control software for blocking unauthorised applications and code on servers and other assets, and for whitelisting users who are authorised to make configuration and other changes. As with all software, it’s very important that these be updated with the latest security patches. Default user accounts created during a server installation must be deleted. Unused modules and application extensions, and unnecessary services also need to be removed so as to minimise the number of open ports. Servers containing sensitive data should be further shielded by being isolated in dedicated, secure segments of the corporate network, with access to these segments controlled via tiered firewalls. As for end point security, many of today’s workers access the intranet from outside the office environment, sometimes through their own personal handheld devices. Together with the proliferation of portable media, this increases the risk of infection. To minimise this risk, end points can be secured using solutions for malware protection, access control and identity verification.
Many organisations use a mix of opensource, internally developed applications and commercially available applications. Some of these may not have been written to strict secure code guidelines or not secured on a life cycle basis, making them vulnerable. The need to keep applications secure has become more critical as more organisations transact and engage customers, partners and even regulators over the internet and are expected to keep the related data safe. Having a dedicated web server for internet-facing applications and storing the data in a protected data warehouse can help ensure this. To ensure that only authorised users are allowed to access and use applications, organisations should have, at the minimum, identity management and single sign-on technologies. Complementary solutions include encryption software and gateways for applications such as email.
For a security architecture and security technologies to be effective, they need to be supported by the people who operate and manage these tools. Security operations encompass risk and vulnerability assessment, incident management and remediation, change management, event monitoring, forensic investigation of attempts and intrusions, and asset and configuration management. When reinforced by the right policies, procedures and processes, and managed in a cohesive and co-ordinated manner, these services can give the organisation a full view of its current security risk, enabling it to make informed decisions about both its immediate priorities and future plans to improve security and manage risk. However, more often than not, such ‘big picture’ management of security operations is lacking in today’s organisations. The reasons for this include a lack of IT staff with the requisite skills, disproportionate attention paid to operational tasks such as patch management and firewall rule changes, having too many diverse technologies to manage, and being fixated by security technology but not its operational management. Another reason is not having the tools necessary for providing the services. Together, these three security layers provide a protective shield for the data centre, keeping the information belonging to the organisation, its employees, its customers and its business partners confidential, uncorrupted and available.
The way businesses use data will contribute to their success in the marketplace. The consequent responsibility to secure the data centre can be burdensome – but this burden can be lightened through the use of the correct technologies within a sound security ecosystem. Elegantly deployed and crafted, and guided by a considered information security governance framework and matching security architecture, these technologies and security ecosystem can shield the modern data centre from threats.