white paper
Securing today’s data centre

The intelligent use of data is core to achieving business success. There is, therefore, an indisputable need to safeguard the data centre, where most data in its various forms is processed and transited. This can be an onerous responsibility, and increasingly so with the continual evolution of business models and new technology, the proliferation of threats, and increased pressure around compliance.
Traditional data centre security approaches that worked before have no place in this new scheme of things. We need to use new technologies like virtualisation and cloud solutions, and establish the right security ecosystem of controls, processes and policies. When properly crafted and applied to form a cohesive whole, and guided by a well thought-out information security governance framework with a matching security architecture, these approaches can offer robust protection for the modern data centre.
white paper | Securing today’s Data Centre
Contents
Executive Summary
Data centre security imperatives
Information security governance framework
Security architecture
Layering security
In this paper, Dimension Data provides insight on how to deal with this new challenge and lays out an approach for establishing a secure ecosystem of controls in the modern data centre.

Data centre security imperatives

Digital information is the lifeblood of every modern organisation. Used properly, it can be transformed into knowledge for guiding strategy, making key business decisions and managing day-to-day operations. For data to be used in these ways, it has to be untainted, kept safe, and made available. This means that the data centre, the ‘heart’ through which almost all data flows, has to be kept healthy and secure.

Data centre security today is vastly different from what it was, say, a decade ago. Firstly, the data centre has undergone a huge transformation. While the traditional ‘big iron’ data centre was tasked with providing raw computing power, the new-generation data centre acts as a fast, agile and service-oriented provider of IT utility. Furthermore, while the traditional data centre served mostly internal users, the new-generation one caters to a broader constituency comprising increasingly mobile employees, customers, suppliers, and business partners across the globe. This makes the responsibility of securing the data centre even more onerous.
Many enterprises have consolidated their data centres in order to mitigate IT and process complexity, increase resource utilisation and efficiency, improve performance, and raise service levels and consistency – all while trimming costs. Such consolidation centralises information in a smaller number of locations. While this rightly makes the responsibility for keeping information secure more exacting, it also gives organisations the opportunity to address security in a proper manner, with the outcome being a sturdier overall IT security posture.

New technologies, too, impact security in today’s data centres. While virtualisation and cloud technologies help reduce costs, boost efficiencies, and speed up business operations, they also introduce new risks. For example, in a virtualised environment it can be difficult to separate or gain visibility into communication between virtual machines on the same host, or to locate all critical servers to check whether they have been properly patched and configured. The use of cloud offerings brings challenges around data sovereignty, and dependencies on service level agreements (SLAs) and security controls outside of the company.

In addition, the threat landscape is increasingly ominous. Hackers have evolved from hobbyists out to cause mischief, to professional criminals and for-hire outfits engaged by states and corporations eyeing sensitive information and commercial secrets. Hackers deploy very targeted attacks and have more advanced means than ever before.
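The inventory problem just described (locating every critical server in a virtualised environment and confirming its patch state) is the kind of check an asset and configuration management process automates. The Python script below is an added example, not code from this paper or from Dimension Data: it reconciles a constructed hypervisor VM list against a constructed CMDB and agent patch reports, and flags running VMs the CMDB does not know about, CMDB records with no running VM behind them, critical servers that never report a patch level, and critical servers behind the patch baseline. All server names, field names and tier values are assumptions.

```python
"""Reconcile a virtualisation inventory against the CMDB and patch records.

Added example, not from the Dimension Data paper. Every record below is
constructed sample data; the field names and the 'critical' tier are assumptions.
"""
from dataclasses import dataclass, field

# Constructed: what the hypervisor management layer reports as running.
HYPERVISOR_VMS = [
    {"name": "web-01", "host": "hv-a", "ip": "10.1.10.11"},
    {"name": "app-01", "host": "hv-a", "ip": "10.1.20.11"},
    {"name": "db-01", "host": "hv-b", "ip": "10.1.30.11"},
    {"name": "db-02", "host": "hv-b", "ip": "10.1.30.12"},    # cloned, never registered
    {"name": "test-07", "host": "hv-c", "ip": "10.1.90.7"},
]

# Constructed: the CMDB's view of the estate, with each server's criticality tier.
CMDB = {
    "web-01": {"tier": "critical"},
    "app-01": {"tier": "critical"},
    "db-01": {"tier": "critical"},
    "old-01": {"tier": "critical"},    # decommissioned but never removed from the CMDB
    "test-07": {"tier": "low"},
}

# Constructed: last patch level reported by each server's agent (ISO year-month).
PATCH_REPORTS = {
    "web-01": {"baseline": "2013-10", "reported": "2013-10"},
    "app-01": {"baseline": "2013-10", "reported": "2013-08"},   # behind baseline
    # db-01 has no agent installed, so it never reports
    "test-07": {"baseline": "2013-10", "reported": "2013-10"},
}


@dataclass
class Findings:
    unknown_vms: list = field(default_factory=list)      # running, absent from CMDB
    stale_records: list = field(default_factory=list)    # in CMDB, nothing running
    unmonitored: list = field(default_factory=list)      # critical, no patch report
    behind_baseline: list = field(default_factory=list)  # critical, old patch level


def reconcile(vms, cmdb, reports):
    """Compare the three data sources and return the discrepancies."""
    findings = Findings()
    running = {vm["name"] for vm in vms}
    findings.unknown_vms = sorted(running - cmdb.keys())
    findings.stale_records = sorted(cmdb.keys() - running)
    for name in sorted(running & cmdb.keys()):
        if cmdb[name]["tier"] != "critical":
            continue  # only critical servers are held to the baseline here
        report = reports.get(name)
        if report is None:
            findings.unmonitored.append(name)
        elif report["reported"] < report["baseline"]:  # ISO dates compare lexically
            findings.behind_baseline.append(name)
    return findings


if __name__ == "__main__":
    result = reconcile(HYPERVISOR_VMS, CMDB, PATCH_REPORTS)
    print("Running VMs not in CMDB:      ", result.unknown_vms)
    print("CMDB records with no VM:      ", result.stale_records)
    print("Critical, no patch report:    ", result.unmonitored)
    print("Critical, behind baseline:    ", result.behind_baseline)
```

Each of the four lists maps to a different remediation: unknown VMs need registration and an agent, stale records need decommissioning, unmonitored servers need agent repair, and servers behind baseline go into the patch cycle.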
[Figure 1: The total secure data centre domain. Diagram labels, layout not recoverable: Security architecture; Change management; Architecture principle & model; N-tier architecture; Governance; Security operation; Configuration and asset management; Incident management; Application security; Application platforms; Internet facing web server; Data warehouse; Collaboration; Email; Data encryption; Access management; Instant messaging; Identity management; SSO; Policy; Antivirus & HIPS; Patch management; Authentication; Vulnerability management; DLP; Wireless; Network security; Virtualised F/W and IPS; Private cloud; Network admission control; Web gateway solutions; Network antivirus; Public cloud; SaaS; Role & responsibility; Risk management; Perimeter and infrastructure; Virtualised security; Strategy; Server and endpoint security; Service orientated architecture; Event monitoring and management; Forensics investigation; Legal & regulatory; Hybrid cloud; Compliance; Virtualised IT platform]
Information security governance framework

While most organisations understand the importance of keeping data secure, security and compliance remain one of the most challenging disciplines to comprehend, implement and maintain. Security in a data centre is a very broad domain that requires an understanding of complex challenges. Without a proper information security governance framework, many businesses are simply unaware of their risk exposure and could be vulnerable to operational, financial and reputational damage.

Information security governance ensures that information security strategies support business objectives, manage risks appropriately, use organisational resources responsibly, and are consistent with applicable laws and regulations. For it to be effective, information security governance needs to be ‘real time’ and an integral subset of the overall corporate governance model. Board-level sponsorship is thus vital as this facilitates the assignment of roles, the division of responsibilities, and the allocation of ownership. Top IT management, of course, must be included in the organisational sub-structure holding the security mandate.

Effective security governance requires a framework to guide the development and maintenance of a comprehensive information security architecture. This framework generally consists of:
• an information security risk management methodology
• a security strategy explicitly linked with business and IT objectives
• a security organisational structure
• a security assessment strategy that evaluates the value of information that is protected and delivered
• security policies that address each aspect of strategy, control and regulation
• security standards for each control
• monitoring processes to ensure compliance and provide feedback
• continual evaluation and updating of security policies, standards, procedures and risks

Once the information security governance framework has been constructed, it can be used as the basis for developing a security architecture that supports the organisation’s security objectives.
Security architecture

Security architecture should link business and IT objectives, limit the impact of adverse events, and provide the right information for compliance requirements. In addition, it should strike a balance between optimal technical security controls and operational expenses, as well as take into account the existing IT infrastructure and deployment models.

The development of such an architecture is a multi-phase endeavour. The first step is to gain an understanding of the organisation’s business strategy for, say, the next three years. What the organisation aims to do or become has an influence on the security architecture. For example, if the plan is to expand the business geographically or make additions to the application deployment model, this will impact not just the IT architecture in the data centre but also its security.

The current security state of the data centre is then determined. The best way to do this is to gather and analyse information on the network and security devices to identify vulnerabilities related to the internetwork operating system, and network and device configuration. Such vulnerability assessments are usually conducted manually by security specialists, either from within the organisation or from a third party that can provide the proverbial ‘extra pair’ of hands and eyes. This assessment should include penetration tests, and internal and external audits of policy and controls compliance. A similar assessment of the security infrastructure then follows, covering the network, systems, end points, applications, and compliance, policies and rules.

The evaluation of the current security state of the data centre and of the security infrastructure will reveal areas where the effectiveness of security measures can be improved. These gaps need to be filled using the necessary security solutions and technologies, and changes to the existing IT infrastructure and deployment models may be required.

Using the improved security architecture as a base, the business can then map out the actions and projects that will eventually align its business strategy with its IT master plan.
Technology: layering security controls

As previously mentioned, organisations can no longer depend on traditional security approaches to secure their data centres. Other than physical protection, these approaches focus mostly on protection at the network perimeter. This method has one major flaw: once the network has been breached, intruders have relatively easy access to systems and data within the network. Network perimeter defences also fail to counter threats from internal sources.
Obviously no single technology can protect against all threats. Multiple technologies have to be deployed. These technologies are most effective when applied as layers. This way, should one defensive layer be breached, the other layers continue to provide security. A multi-layered security strategy for today’s data centre should include elements for protecting the infrastructure (corporate network, servers and end points) and applications, with an additional layer comprising security operations.
To defend corporate systems and data assets in today’s data centres, organisations need a strategy that encompasses all the components of their IT environment, from the network to the perimeter, data, applications, servers and end points, thus minimising and managing all the weak points and vulnerabilities that expose the organisation to risk.
[Figure 2: Layered defence. Layers shown around Data centre security: Physical security; Field level security; Application security; Access level; Network security; Encryption]
Infrastructure protection

A layered strategy for data centre security starts at the first line of defence – the network layer. Almost all physical devices in today’s business environment have an IP address and are connected to a network. Most attacks happen at the network level, and those that do turn into breaches eventually touch the network at some point.

A cohesive network security strategy should incorporate several distinct technologies that together protect the entire network fabric, making it resilient. These technologies include those for traffic monitoring and access control, intrusion prevention (including wireless), zero-day attack prevention, web security gateways, and end-point protection. At the server level, protective technologies include those for malware protection, host intrusion prevention, and data loss prevention. Complementing these are application control software for blocking unauthorised applications and code on servers and other assets, and for whitelisting users who are authorised to make configuration and other changes. As with all software, it’s very important that these be updated with the latest security patches.

Default user accounts created during a server installation must be deleted. Unused modules and application extensions, and unnecessary services also need to be removed so as to minimise the number of open ports. Servers containing sensitive data should be further shielded by being isolated in dedicated, secure segments of the corporate network, with access to these segments controlled via tiered firewalls. As for end-point security, many of today’s workers access the intranet from outside the office environment, sometimes through their own personal handheld devices. Together with the proliferation of portable media, this increases the risk of infection. To minimise this risk, end points can be secured using solutions for malware protection, access control and identity verification.

Application layer security

Many organisations use a mix of open-source, internally developed applications and commercially available applications. Some of these may not have been written to strict secure code guidelines or not secured on a life cycle basis, making them vulnerable.

The need to keep applications secure has become more critical as more organisations transact and engage customers, partners and even regulators over the internet and are expected to keep the related data safe. Having a dedicated web server for internet-facing applications and storing the data in a protected data warehouse can help ensure this. To ensure that only authorised users are allowed to access and use applications, organisations should have, at the minimum, identity management and single sign-on technologies. Complementary solutions include encryption software and gateways for applications such as email.
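The server hardening points above (delete default accounts, remove unnecessary services to minimise open ports, isolate sensitive servers behind tiered firewalls) can be turned into a repeatable audit. The Python script below is an added example and not code from this paper or from Dimension Data. It runs over constructed sample data (passwd-style account records, a list of listening sockets, and a set of inter-segment firewall rules) and reports default accounts that still have a login shell, listening services not on the allow-list for the server’s role, and firewall rules that let traffic skip a tier. The default-account list, the per-role port allow-lists and the segment names are assumptions.

```python
"""Audit a server build and segment firewall rules against basic hardening rules.

Added example, not from the Dimension Data paper. All inputs are constructed
sample data; the account list, port allow-lists and segment names are assumptions.
"""

# Constructed: /etc/passwd-style records (name:x:uid:gid:gecos:home:shell).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/bash
appsvc:x:1002:1002:App service:/srv/app:/usr/sbin/nologin
admin:x:1003:1003:Vendor default:/home/admin:/bin/bash
"""

# Constructed: listening TCP sockets as (port, process), as 'ss -tlnp' would show.
LISTENING = [(22, "sshd"), (443, "nginx"), (3306, "mysqld"), (8009, "java"), (25, "exim4")]

# Assumed: accounts that installers commonly create and that should not keep a login shell.
DEFAULT_ACCOUNTS = {"guest", "admin", "test", "user"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Assumed: per-role allow-list of listening ports; anything else is an unnecessary service.
ROLE_PORTS = {"web": {22, 443}, "app": {22, 8009}, "db": {22, 3306}}

# Constructed: tiered firewall rules (src segment, dst segment, port); default deny elsewhere.
RULES = [
    ("internet", "dmz-web", 443),
    ("dmz-web", "app", 8009),
    ("app", "db", 3306),
    ("mgmt", "dmz-web", 22), ("mgmt", "app", 22), ("mgmt", "db", 22),
    ("dmz-web", "db", 3306),   # skips the app tier: the web tier must not reach data directly
]


def audit_accounts(passwd_text):
    """Return default accounts that still have an interactive shell."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        name, shell = fields[0], fields[6]
        if name in DEFAULT_ACCOUNTS and shell not in NOLOGIN_SHELLS:
            findings.append(name)
    return findings


def audit_ports(role, listening):
    """Return listening (port, process) pairs not on the allow-list for this role."""
    allowed = ROLE_PORTS[role]
    return [(port, proc) for port, proc in listening if port not in allowed]


def check_tiering(rules, tiers=("internet", "dmz-web", "app", "db")):
    """Flag rules whose destination is not exactly one tier deeper than the source.

    Assumption: the 'mgmt' segment is an out-of-band administration network and
    is allowed to reach every tier on its administrative port.
    """
    rank = {name: i for i, name in enumerate(tiers)}
    bad = []
    for src, dst, port in rules:
        if src == "mgmt":
            continue
        if src not in rank or dst not in rank or rank[dst] - rank[src] != 1:
            bad.append((src, dst, port))
    return bad


if __name__ == "__main__":
    print("Default accounts with a login shell:", audit_accounts(PASSWD))
    print("Unexpected listeners on a 'web' host:", audit_ports("web", LISTENING))
    print("Firewall rules that break tiering:", check_tiering(RULES))
```

The role allow-list is the important design choice: a database port is expected on a database server and a finding on a web server, so the audit is only as good as the role assigned to each host in the asset inventory.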
Security operations and management

For a security architecture and security technologies to be effective, they need to be supported by the people who operate and manage these tools. Security operations encompass risk and vulnerability assessment, incident management and remediation, change management, event monitoring, forensic investigation of attempts and intrusions, and asset and configuration management. When reinforced by the right policies, procedures and processes, and managed in a cohesive and co-ordinated manner, these services can give the organisation a full view of its current security risk, enabling it to make informed decisions about both its immediate priorities and future plans to improve security and manage risk.

However, more often than not, such ‘big picture’ management of security operations is lacking in today’s organisations. The reasons for this include a lack of IT staff with the requisite skills, disproportionate attention paid to operational tasks such as patch management and firewall rule changes, having too many diverse technologies to manage, and being fixated by security technology but not its operational management. Another reason is not having the tools necessary for providing the services.

Together, these three security layers provide a protective shield for the data centre, keeping the information belonging to the organisation, its employees, its customers and its business partners confidential, uncorrupted and available.
Conclusion

The way businesses use data will contribute to their success in the marketplace. The consequent responsibility to secure the data centre can be burdensome – but this burden can be lightened through the use of the correct technologies within a sound security ecosystem. Elegantly deployed and crafted, and guided by a considered information security governance framework and matching security architecture, these technologies and security ecosystem can shield the modern data centre from threats.
Dimension Data is a global security systems integrator that helps clients to create, integrate and manage their security infrastructure in a way that supports their business goals. We offer a broad portfolio of security services coupled with proven technologies from a select group of innovative partners including Blue Coat, Check Point, Cisco, F5, McAfee and AirWatch. Our security professionals are recognised for their depth of expertise and passionate client delivery. They’re globally connected to bring you the best solutions for your security needs, delivered anywhere in the world.
CS / DDMS-1432 / 11/13 © Copyright Dimension Data 2013
Middle East & Africa: Algeria, Angola, Botswana, Congo, Burundi, Democratic Republic of the Congo, Gabon, Ghana, Kenya, Malawi, Mauritius, Morocco, Mozambique, Namibia, Nigeria, Oman, Rwanda, Saudi Arabia, South Africa, Tanzania, Uganda, United Arab Emirates, Zambia
Asia: China, Hong Kong, India, Indonesia, Japan, Korea, Malaysia, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam
Australia: Australian Capital Territory, New South Wales, Queensland, South Australia, Victoria, Western Australia
Europe: Belgium, Czech Republic, France, Germany, Italy, Luxembourg, Netherlands, Spain, Switzerland, United Kingdom
Americas: Brazil, Canada, Chile, Mexico, United States
For contact details in your region please visit www.dimensiondata.com/globalpresence