Datacentre security is a complex subject that is unlikely to get simpler any time soon, particularly as the industry continues to expand beyond the use of centralised facilities to more distributed, edge computing-like setups.
Add to this the fact that the datacentre threat landscape is ever-broadening, and it stands to reason that a lot of IT administrators may feel overwhelmed by the work they need to do to ensure the server farms they oversee remain safe and secure.
Fortunately, there is a way to look at fundamental aspects of security that can help administrators understand where the issues lie from and how to keep on top of them all.
It is not by any means a cover-all or exhaustive list, as every datacentre has a unique setup, but it gives a framework that administrators can follow to help make the matter of locking down their datacentres not feel quite so insurmountable.
On this point, all datacentre security issues usually pertain to three different things, which include issues of confidentiality.
The first category is preventing data loss or misappropriation of data by people who should not have access to it. This not only includes data lost through hacks or exploits, but can be (and often is) from individuals within the organisation who access data with a view to selling it on, for example. It can also be discarded print-outs, removable media or an inappropriate disposal process.
The second category of issues relates to situations that serve to harm the integrity of a company’s data.
Data integrity is a key component for any high-performing company, and the information it holds must be both accurate and reliable.
The integrity of the data can potentially be compromised in several ways, including inappropriate testing and validation of applications, and the entry of the data and the constraints placed upon that data.
For example, the database should be utilised properly, verifying that the applications work as expected and are properly tested and their release controlled properly.
Impact of users
Users can also heavily impact the integrity of the data – such as the ability to edit the data where they perhaps should not. The granting of appropriate rights and other controls can help here.
The third category of issues relates to the availability of data, and the infrastructure responsible for processing it.
Availability is what a lot of people think of when information security is mentioned. It boils down to the simple question: “Is the system available for use?” If it has been encrypted or deleted by malware, for example, it certainly will not be.
This category also covers a wide range of issues that affect availability, such as hardware failure, natural disaster and utility availability.
At this point, the administrator may be thinking that the whole scenario is a lost cause, but these are issues and threats that need to be managed.
This can be achieved by deploying one of three type management controls, the first of which can be described as administrative.
These controls can be used by the company to manage risk. Simple examples include having an acceptable use policy (AUP) around the technology so that users know and understand what is expected of them.
Other examples include removing access before a person’s employment is terminated and therefore is unable to access the system after termination.
There are many examples of disgruntled employees being terminated but still retaining access for a period of time, allowing them to access systems they should no longer be able to.
The next category of controls is physical security controls, which tend to be highly visible from outside a datacentre, and act as a deterrent to opportunistic thieves. Examples include CCTV, bomb-proof fencing and man traps.
Some of these methods could be considered overkill for a small company, with a relatively modest datacentre needing protection, but the ability to control who has access to the comms room or datacentre should never be overlooked.
Servers stolen in a ram raid
There have been cases in the past of datacentres and comms rooms having servers stolen in a ram raid through the external wall, because of an absence of bollards and fences to protect against such relatively unsophisticated physical security attacks.
The third and final type of controls is classified as technical. These cover the access that people are granted to a system – role-based access, discretionary, mandatory, and so on – as well as the logging of what is going on within the environment, who can access what, and what they do.
The technical controls that a company can employ may be many and varied, depending on its requirements. Above and beyond access control and auditing, these can also include highly complex items, such as network access control (NAC), host-based protection systems and device encryption.
Auditing and logging, although not new technology, can be key in not only understanding what is going on in your environment and also producing a verifiable record, if needed.
So there are various actions to consider when developing and implementing a security policy for datacentres. Developing and using effective controls is all about breaking down the issues into simple parts and employing focused remediations, rather than trying to find an overarching solution.