Securing data centers is not just about guards, guns and lockable server racks. There are other – often overlooked and misunderstood – security weaknesses you must focus on as well. Some are old and have been around for years, while others are related to emerging technologies. At the end of the day, if information security weaknesses are not made a business priority, it's merely a waiting game for someone to penetrate the “Fort Knox” you have created and create problems for your business.
Many people in IT and corporate security are of the mindset that any relatively modern data center is secured from the elements. Providing four solid walls of reliable protection is a large part of what defines a secure data center, right? This is true at a high level, but data centers are often much less secure than people think they are. Sure, for the most part, physical security is established and mature. It's the technical weaknesses and operational oversights – what's going on behind the scenes – that are creating the problems. As always, the devil is in the details.
Data center managers say “We just have so much redundancy built-in that we're not really worried about any outages.” This is mostly acceptable from a business continuity perspective – it just doesn't bode well for unauthorized data center access and information security as a whole. I've found over the years that most of the major data center security issues are actually tiny little gotchas that can be exploited in big ways. Year after year, I see and hear of cases where security weaknesses provide not just simple, but juvenile means for unauthorized data center access. It's a rogue employee or an outside criminal's dream!
Issues to Consider
The critical “innards” of today's data centers are just as much electronic as they are physical. There's hardly any type of data center system that's not reachable over the network. It's this network accessibility that's causing a lot of the security problems. Here are some of the technical weaknesses you need to be concerned with in your data center:
1. Automated management systems: The answer to make most things better, faster, and cheaper in business these days is to automate. Most data centers have some combination of configuration management systems, identity management systems, video and other control systems. With this automation comes risk. The new servers and applications required to run these systems are providing a wider attack surface and introducing new security vulnerabilities at all levels.
I've discovered network-accessible data center control systems that were fully accessible to outside intruders due to poor network design and weak system configurations. In one instance, all data center controls could be “owned” by an internal or external intruder in a matter of minutes. Data center complexities are leading to information insecurities.
2. Server consolidation: In the virtual environments that are growing by leaps and bounds in today's data centers, security is now a holistic problem with security concerns coming from all around – not just the classic hardware and software layers. In addition to firmware, operating systems and applications, you now have to worry about the virtual management layer. In addition, replacing physical servers with virtual servers removes the hardware-software link that many IT professionals depend on when securing the infrastructure. Also, the increased numbers of virtual servers can lead to oversights when performing security assessments and audits. All of this is requiring a new mindset.
3. Storage systems: Along with server consolidation, most organizations are experiencing greater needs in the storage arena. Be it NAS systems, SANs, direct-attached storage, or even continuous data protection systems, attacker inroads into the storage environment are on clearly defined paths. It used to be that storage was segmented off the main data center network and confined only to internal access. Now, with networks growing more complex and Internet-based hosts needing access to the information being housed, storage systems are much more exposed to the elements. On top of that, storage-specific “hacking” tools are now available, paving the way for simpler and quicker attacks that go unnoticed.
4. Wireless: Many businesses are using 802.11-based wireless systems for access controls and monitoring. Wireless is easy to implement and it gets the job done. The problem is that it's also introducing a lot of unintended security problems. Attackers no longer have to bother cracking your WEP or WPA encryption keys. They can just take down your wireless radio communications altogether by jamming or exploiting the clear channel assessment (a.k.a. Queensland) attack. With an older model D-Link wireless card and the Prism chipset control software (both of which are available via the Internet), 802.11 communications cannot be defended. Whether the attacker is inside the data center or outside of the building — as long as he's within signal range, wireless network components used in data centers can be taken down or offline indefinitely – and it's tricky to find out who's doing it.
It's a known fact that technical problems are only part of the security equation. The other side of security reality is operational weaknesses creating additional problems for data centers. For instance, the resources required to manage the growing number of virtual servers create a distraction from security management. So do all of the new data center management applications. There's also a dependence on annual SAS 70 reports and “checklist” audits. The belief is that as long as the audit is performed once a year and the results are reasonable, then all is well. This misconception creates a false sense of security and can get businesses into trouble if such audits are relied on too heavily. Entry-level security reviews are only the beginning of uncovering data center security problems.
What You Can Do
The goal of data center security is to keep the bad guys out and the good guys honest. You may have the best access control systems and the most vigilant gatekeepers. However, if you are not focusing on what's important, bad things can easily happen. Here's a list of steps to take to ensure your data center is locked down from current and future security threats.
• Scan your entire data center network for live hosts and analyze vulnerabilities on everything in existence – not just what you think is the most visible or important. Find out each and every electronic entry point to the data center. Keep in mind that data center security is not just for your publicly-accessible systems. Internal systems are equally important and both need to be treated with the same level of seriousness.
• Use the ethical hacking methodology of reconnaissance, enumeration, vulnerability testing and exploitation to test all of your systems and entry points. This will help ensure you find the most weaknesses and demonstrate how they can be exploited in real-world scenarios.
• Manual analysis of your systems is very important, but it's next to impossible to do a good job without the right tools. Invest in some quality commercial vulnerability scanners for operating systems, Web applications and databases and seek out open-source and freeware tools for testing wireless, storage systems and other niche technologies.
• Based on your testing results, classify what your systems and information mean to the business and how they should be appropriately managed and handled moving forward.
• Test again and again – consistently over time. You or your team's security testing skills will improve, you will acquire better tools and new weaknesses will emerge. New problems are bound to be uncovered.
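One way to mechanize the first and last of these steps (find every live host and entry point, then re-test over time) is to diff successive scan results so that new hosts and newly exposed services stand out. This is an added example, not code from the article; the two scan results are constructed inline in a simplified host,port,service form, and the list of management/storage services treated as sensitive is an assumption.

```python
from collections import defaultdict

# Constructed sample data: a baseline scan and a later re-scan of the same
# data center segment, one "host,port,service" record per line.
BASELINE_SCAN = """\
10.20.0.10,22,ssh
10.20.0.10,443,https
10.20.0.11,3260,iscsi
10.20.0.12,8443,vcenter-mgmt
"""
RESCAN = """\
10.20.0.10,22,ssh
10.20.0.10,443,https
10.20.0.11,3260,iscsi
10.20.0.11,23,telnet
10.20.0.12,8443,vcenter-mgmt
10.20.0.15,80,http
"""

# Services that expose a management or storage plane (assumed list for this
# example); any newly reachable instance of these should be triaged first.
SENSITIVE = {"telnet", "iscsi", "vcenter-mgmt", "ipmi", "snmp"}

def parse_scan(text):
    """Return {host: {(port, service), ...}} from the simplified CSV form."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, service = line.split(",")
        hosts[host].add((int(port), service))
    return hosts

def drift(old, new):
    """Compare two parsed scans: hosts that appeared or vanished, and every
    (host, port, service) reachable now that was not reachable before."""
    report = {"new_hosts": sorted(new.keys() - old.keys()),
              "gone_hosts": sorted(old.keys() - new.keys()),
              "new_exposures": [], "sensitive": []}
    for host, ports in sorted(new.items()):
        for port, service in sorted(ports - old.get(host, set())):
            report["new_exposures"].append((host, port, service))
            if service in SENSITIVE:
                report["sensitive"].append((host, port, service))
    return report

if __name__ == "__main__":
    for key, items in drift(parse_scan(BASELINE_SCAN), parse_scan(RESCAN)).items():
        print(f"{key}: {items}")
```

Run against real scanner output by replacing the two constructed strings with a loader for your tool's export; the comparison logic is unchanged.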
Fix the Short-Term, Think Long-Term
The data center is the focal point for many types of attacks. It's where everything security-related is supposed to come together. Just because your data center is locked down physically, that doesn't mean that everything's secure. The most valuable corporate assets today are electronic – the majority of which are housed in your data center. If you're going to protect these assets in your data center for the future, your first step is to focus on the short term by finding and fixing what's broken now.
Once you get your current environment under control, think about how emerging data center technologies can be used to help – and hinder – your data center operations. It takes a persistent, watchful eye to uncover new weaknesses and keep a data center locked down. This is something that you can make happen but only if you look at the bits and bytes inside those feeble four walls we hold upon a pedestal all too often.
Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around IT compliance. He has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator and producer of Security On Wheels - security learning for IT professionals on the go. Mr. Beaver can be reached at [email protected].