Locking Down Today's Data Centers

Securing data centers is not just about guards, guns and lockable server racks. There are other – often overlooked and misunderstood – security weaknesses you must focus on as well. Some are old and have been around for years, while others are related to emerging technologies. At the end of the day, if information security weaknesses are not made a business priority, it's merely a waiting game for someone to penetrate the “ Fort Knox ” you have created and create problems for your business.

Many people in IT and corporate security are of the mindset that any relatively modern data center is secured from the elements. Providing four solid walls of reliable protection is a large part of what defines a secure data center, right? This is true at a high level, but data centers are often much less secure than people think they are. Sure, for the most part, physical security is established and mature. It's the technical weaknesses and operational oversights – what's going on behind the scenes – that are creating the problems. As always, the devil is in the details.

Data center managers say “We just have so much redundancy built-in that we're not really worried about any outages.” This is mostly acceptable from a business continuity perspective – it just doesn't bode well for unauthorized data center access and information security as a whole. I've found over the years that most of the major data center security issues are actually tiny little gotchas that can be exploited in big ways. Year after year, I see and hear of cases where security weaknesses provide not just simple, but juvenile means for unauthorized data center access. It's a rogue employee or an outside criminal's dream!

Issues to Consider

The critical “innards” of today's data centers are just as much electronic as they are physical. There's hardly any type of data center system that's not reachable over the network. It's this network accessibility that's causing a lot of the security problems. Here are some of the technical weaknesses you need to be concerned with in your data center:

1. Automated management systems: The answer to make most things better, faster, and cheaper in business these days is to automate. Most data centers have some combination of configuration management systems, identity management systems, video and other control systems. With this automation comes risk. The new servers and applications required to run these systems are providing a wider attack surface and introducing new security vulnerabilities at all levels.

I've discovered network-accessible data center control systems that were fully accessible to outside intruders due to poor network design and weak system configurations. In one instance, all data center controls could be “owned” by an internal or external intruder in a matter of minutes. Data center complexities are leading to information insecurities.

2. Server consolidation: In the virtual environments that are growing by leaps and bounds in today's data centers, security is now a holistic problem with security concerns coming from all around – not just the classic hardware and software layers. In addition to firmware, operating systems and applications, you now have to worry about the virtual management layer. In addition, replacing physical servers with virtual servers removes the hardware-software link that many IT professionals depend on when securing the infrastructure. Also, the increased numbers of virtual servers can lead to oversights when performing security assessments and audits. All of this is requiring a new mindset.