Making Data Center Security a Priority
Date: Sunday, March 30, 2008
The data center is the heart that pumps the lifeblood of any organization, its core business and operational data, throughout the network. The goal of data centers has always been to provide high-performance access to flexible, adaptive business applications with extremely high availability, while minimizing cost by standardizing and automating support processes. This is reflected in current and planned network, storage, and processor architectures.
However, data centers are attractive targets for malicious activity. Improperly secured data centers are targets for attackers and worms, which can cause significant havoc and costly damage. Unfortunately, data centers assembled quickly during the economic boom were rarely built with an emphasis on security, and the application and storage "islands" that resulted from those efforts are often vulnerable to attack and compromise.
Challenges and Threats
In support of management goals to protect, optimize, and grow the business, many IT organizations are consolidating data center resources such as servers, storage, networks, and applications. Outsourcing of data centers is also common today. In the past, managers relied on physical application isolation or perimeter defense for security. This is inadequate to defend today's virtualized data center resources and applications from attacks, which continue to grow more sophisticated and dangerous. Any "script kiddie" can download attack tools from a website and inflict considerable damage on a poorly protected data center. Attacks also progress faster than ever: more damage can occur in a few seconds today than was possible in a few days five years ago. Slammer infected most of its vulnerable hosts worldwide within about ten minutes, and Blaster and MyDoom spread around the globe within hours.
Threats from inside the enterprise can be even more damaging, because insiders can exploit detailed knowledge of the organization to cause serious financial damage, deliberately or inadvertently. These insiders can include employees, temporary workers, and consultants. To protect applications, data center managers must use technologies that limit each user's access to only those resources needed to do their job (the principle of least privilege).
It is essential that security and network managers collaborate to understand the particular vulnerabilities and threats to data center resources so that they can develop a robust network security architecture. Vulnerabilities and threats can prevent users from accessing mission-critical applications, directly disrupt application operation, or compromise confidential and valuable information. Threats include the following:
* Attacks on mission-critical applications, application servers, databases, database servers, and storage resources through buffer overflows, worms, viruses, and administrative access breaches
* Vulnerabilities from misconfigured systems and incorrect or outdated software, which leave IT managers with the time-consuming task of operating system and patch updates and the attendant risk of system downtime and productivity loss
* Attacks on network systems and devices such as routers, switches, and firewalls through administrative access breaches
* Threats to the network infrastructure through distributed denial of service (DDoS) and SYN flood attacks
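The last item, SYN flooding, is worth seeing as detection logic rather than a label. The example below is added here and is not code from the original article or from any vendor product: it buckets per-packet records into one-second windows and flags a destination whose SYN count is high while almost no handshakes complete, which is the half-open-connection signature of a SYN flood. The packet records are constructed sample data, and the thresholds (`syn_threshold`, `min_ratio`) are assumptions that a practitioner would tune to the normal load of the service being protected.

```python
"""SYN-flood detection over per-packet connection records.

Added example, not part of the original article. The records and the
thresholds are constructed for illustration; tune the thresholds to the
baseline SYN rate of the real service before using this on live data.
"""
from collections import defaultdict

# Constructed sample records: (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags)
# Two legitimate clients complete their handshakes on 443 ("S" then "A").
# Then 400 SYN-only segments hit port 80 from 250 distinct (spoofed) sources
# within one second and never ACK: the half-open table fills up.
SAMPLE_PACKETS = [
    (0.0, "10.1.1.5", "192.0.2.10", 443, "S"),
    (0.1, "10.1.1.5", "192.0.2.10", 443, "A"),
    (0.2, "10.1.1.6", "192.0.2.10", 443, "S"),
    (0.3, "10.1.1.6", "192.0.2.10", 443, "A"),
] + [
    (1.0 + i * 0.001, f"203.0.113.{i % 250}", "192.0.2.10", 80, "S")
    for i in range(400)
]


def syn_flood_scores(packets, window_s=1.0):
    """Bucket packets into fixed windows per (dst_ip, dst_port).

    Returns {(dst_ip, dst_port, window_index): (syn_count, ack_count,
    distinct_source_count)}. "S" is a SYN-only segment (handshake opened),
    "A" the client's final ACK (handshake completed).
    """
    stats = defaultdict(lambda: [0, 0, set()])
    for ts, src, dst, dport, flags in packets:
        key = (dst, dport, int(ts // window_s))
        if flags == "S":
            stats[key][0] += 1
            stats[key][2].add(src)
        elif flags == "A":
            stats[key][1] += 1
    return {k: (v[0], v[1], len(v[2])) for k, v in stats.items()}


def detect_syn_flood(packets, window_s=1.0, syn_threshold=200, min_ratio=10.0):
    """Flag windows where SYNs exceed syn_threshold and the SYN:ACK ratio
    exceeds min_ratio, i.e. connections are opened but not completed.

    The ratio test is what separates a flood from a legitimate burst of
    traffic: a busy but healthy service completes most of its handshakes.
    """
    alerts = []
    for (dst, dport, win), (syns, acks, srcs) in syn_flood_scores(packets, window_s).items():
        ratio = syns / max(acks, 1)
        if syns >= syn_threshold and ratio >= min_ratio:
            alerts.append({
                "dst": dst, "port": dport, "window": win,
                "syns": syns, "acks": acks, "distinct_sources": srcs,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(SAMPLE_PACKETS):
        print(f"SYN flood suspected on {alert['dst']}:{alert['port']} "
              f"(window {alert['window']}): {alert['syns']} SYNs, "
              f"{alert['acks']} ACKs, {alert['distinct_sources']} sources")
```

The many-distinct-sources count is reported because it tells the responder whether per-source rate limiting will help (it will not against spoofed floods; SYN cookies or upstream scrubbing are the usual mitigations in that case).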
The Backbone of the Data Center
Modern data centers are distinguished by the scale of their operations. An economically viable data center may contain from a hundred to several thousand servers. To enable this, a cohesive network architecture that supports immediate data center demands such as consolidation, virtualization, business continuity, and security is needed at each layer.
A business-critical data center must ensure maximum data security and 100 percent availability. Data centers have to be protected against intruders by controlling access to the facility, using biometrics and video surveillance. In addition, data centers must be able to withstand calamities such as fire and power failure. Recovery sites have to be maintained where everything in the data center is replicated. Data centers provide a shared, multi-host, multi-application environment for hosting large volumes of corporate data, along with functions such as data mining and data warehousing. As businesses go global and become Internet-enabled, these services become mission-critical. Demand ranges from simple Web hosting to managed services such as storage on demand, performance measurement, and storage management.
A data center network architecture should comprise the following three layers:
* Foundation Infrastructure: including the intelligent IP network infrastructure, intelligent storage networking, and data center interconnect
* Network System Intelligence: including security, delivery optimization, manageability and availability
* Embedded Application and Storage Services: including storage virtualization, data replication and distribution, and advanced application services.
Comprehensive architectures like Cisco’s Data Center Network Architecture enable IT executives to perform the following:
* Consolidate and virtualize computing, storage, and network resources to meet growing business needs on demand and on time
* Deliver secure and optimized employee, partner, and customer access to information and applications through a defense-in-depth strategy
* Protect and rapidly recover IT resources and applications
* Enable the data center for emerging service-oriented and utility computing technologies such as blade servers, virtualization, Web services, and grid computing
* Mitigate day-zero attacks and simplify management through a flexible, integrated, and collaborative security architecture that lowers total cost of ownership
Data Center Security Strategy: A Self Defending Network with Defense in Depth is the Need of the Hour
Today many organizations use biometric access control for critical areas inside the data center to enhance security. With the increasing use of integrated building management systems, which support remote monitoring over IP, integrating data center systems with network management systems has also allowed IT managers to manage their data centers more effectively.
Robust data center security strategies recognize that security is a continuous process that should be integrated with data center operations, communicated to the user community, and incorporated into the organization's culture and way of doing business.
Any security strategy begins with a security policy, which aligns business needs with security goals and defines how to implement them through processes and technologies. The policy determines security design, management processes, and technologies that enable policy implementation and enforcement. The policy is not static and should be refined and adjusted as the security posture changes.
A security posture assessment can identify specific vulnerabilities and risks within the existing environment and recommend ways to mitigate them. The network is an essential component of the assessment and should provide a solid first layer of defense, complementing operating system and application-level security. Segregating the network into virtual segments allows security managers to consolidate resources cost-effectively while controlling which users can reach each application.
In conclusion, the enterprise data center is the heart of the enterprise network because it contains the data, applications, and other resources of the business. Protecting these resources and ensuring their ongoing availability is vital to the success of any organization. Customers, partners, and internal users need to trust that confidential information remains private and reliable, so maintaining the integrity of the network and its attached resources is essential. This enables businesses to move toward data centers that deliver better uptime, better access and power distribution, seamless expansion, and well-managed capacity.
Cisco Security Architecture
a) Threat Defense
Threat defense solutions mitigate network and host attacks caused by viruses and worms, DDoS attacks, and other malicious network traffic. Deploying these solutions throughout the data center isolates and blocks intruders, rogue applications, and other unwanted traffic at very high speeds through the switching fabric.
b) Trust and Identity Management
Trust and identity management ensures that only authorized users, administrators, and applications can access network services and data center resources. Access control, security posture assessment of the end device, and authentication, authorization, and accounting (AAA) are critical architectural components of the solution.
c) Secure Connectivity
These solutions secure connections within and between data centers using standards-based VPN and encryption techniques to ensure data confidentiality and integrity. SSL services for web-enabled applications and content security, together with virtualized and routed virtual SAN networks, are the essential components of the security architecture at this stage.
d) Data Center Security Management
Security management is essential for spotting and blocking violations before damage occurs. Monitoring is the heart of security management, and administrators need tools that digest the massive amount of data generated by security components, identify suspicious activity, and respond to threats proactively. Device configuration management, change management, and policy management are essential components at this stage.
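A concrete instance of the monitoring described here, and of the "administrative access breaches" listed among the threats earlier, is correlating authentication events from device management planes. The example below is added here and is not code from the original article or from any Cisco product: it parses sshd-style syslog lines, groups them by device, account, and source address, and raises a medium-severity alert when failures pile up within a short window and a high-severity alert when a success follows that burst, which is the pattern of a brute-forced administrative login. The log lines are constructed sample data in the common OpenSSH message format; the host names, addresses, and the `max_failures` and `window_s` thresholds are assumptions for illustration.

```python
"""Brute-forced administrative login detection over syslog lines.

Added example, not part of the original article. The log lines are
constructed; the hosts, addresses and thresholds are assumptions chosen so
the pattern is easy to follow.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: five failed "admin" logins on core-sw1 from one
# source within eight seconds, then a success from the same source (breach);
# one stray typo on edge-fw1 followed by success (benign); a key-based login
# on db-01 (benign).
SAMPLE_LOG = """\
Mar 30 10:00:01 core-sw1 sshd[812]: Failed password for admin from 198.51.100.7 port 51022 ssh2
Mar 30 10:00:03 core-sw1 sshd[812]: Failed password for admin from 198.51.100.7 port 51023 ssh2
Mar 30 10:00:04 core-sw1 sshd[812]: Failed password for admin from 198.51.100.7 port 51024 ssh2
Mar 30 10:00:06 core-sw1 sshd[812]: Failed password for admin from 198.51.100.7 port 51025 ssh2
Mar 30 10:00:07 core-sw1 sshd[812]: Failed password for admin from 198.51.100.7 port 51026 ssh2
Mar 30 10:00:09 core-sw1 sshd[812]: Accepted password for admin from 198.51.100.7 port 51027 ssh2
Mar 30 10:05:00 edge-fw1 sshd[231]: Failed password for netops from 10.0.0.12 port 40001 ssh2
Mar 30 10:05:30 edge-fw1 sshd[231]: Accepted password for netops from 10.0.0.12 port 40002 ssh2
Mar 30 10:07:00 db-01 sshd[99]: Accepted publickey for dba from 10.0.0.20 port 41000 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for <user> from <ip> port <n>" message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2008):
    """Turn syslog lines into event dicts; lines that do not match are skipped.

    Classic syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse padding on single-digit days
        events.append({
            "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "host": m["host"], "user": m["user"], "src": m["src"],
            "result": m["result"], "method": m["method"],
        })
    return events


def detect_admin_breaches(events, max_failures=5, window_s=60):
    """Correlate failures and successes per (host, user, source).

    A run of >= max_failures failures inside window_s seconds yields a
    "brute_force_attempt" (medium). If a success then arrives while that run
    is still inside the window, a "brute_force_success" (high) is raised:
    the password was most likely guessed.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["user"], e["src"])].append(e)

    alerts = []
    for (host, user, src), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        recent = []          # timestamps of failures still inside the window
        attempt_raised = False
        for e in evs:
            recent = [t for t in recent if (e["ts"] - t).total_seconds() <= window_s]
            if e["result"] == "Failed":
                recent.append(e["ts"])
                if len(recent) >= max_failures and not attempt_raised:
                    alerts.append({"severity": "medium", "kind": "brute_force_attempt",
                                   "host": host, "user": user, "src": src,
                                   "failures": len(recent), "at": e["ts"]})
                    attempt_raised = True
            else:
                if len(recent) >= max_failures:
                    alerts.append({"severity": "high", "kind": "brute_force_success",
                                   "host": host, "user": user, "src": src,
                                   "failures": len(recent), "at": e["ts"]})
                recent, attempt_raised = [], False  # a success resets the run
    return alerts


if __name__ == "__main__":
    for a in detect_admin_breaches(parse(SAMPLE_LOG)):
        print(f"[{a['severity']}] {a['kind']}: {a['user']}@{a['host']} from {a['src']} "
              f"after {a['failures']} failures at {a['at']:%H:%M:%S}")
```

Keying on source address as well as account is deliberate: the same operator mistyping a password from the jump host looks nothing like a burst from an address that has never administered the device, and the high-severity path only fires when the success comes from the address that produced the failures.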