You have read more than once about the measures taken to ensure information security (IS). Any self-respecting IT person can easily name five to ten IS rules. Cloud4Y offers its view on the information security of data centers.
When ensuring data center information security, the objects to be protected are:
- information resources (data);
- the processes of collecting, processing, storing and transmitting information;
- system users and maintenance staff;
- the information infrastructure: hardware and software for processing, transmitting and displaying information, including information exchange channels, information protection systems and premises.
The data center's area of responsibility depends on the service model it provides (IaaS / PaaS / SaaS); see the figure below:
Figure: scope of the data center security policy depending on the service model
The most important part of developing an information security policy is building a model of threats and of the actors behind them. What could threaten a data center?
- Adverse events of a natural, technogenic or social nature
- Terrorists, criminals and similar actors
- Dependence on suppliers, providers, partners and customers
- Failures, malfunctions, destruction or damage of software and hardware
- Data center employees who carry out IS threats using the rights and powers legitimately granted to them (internal IS violators)
- Data center employees who carry out IS threats beyond the rights and powers legitimately granted to them, as well as outsiders who attempt unauthorized access and unauthorized actions (external IS violators)
- Non-compliance with the requirements of supervisory and regulatory bodies and applicable law
Risk analysis, that is, identifying potential threats and assessing the magnitude of the consequences should they materialize, helps choose the priority tasks for the data center's information security specialists and plan the budget for hardware and software purchases.
Security is a continuous process with stages of planning, implementation and operation, monitoring, analysis and improvement of the information security system. Information security management systems are built on the so-called Deming cycle (Plan-Do-Check-Act).
An important part of security policies is the distribution of roles and responsibilities among personnel for implementing them. Policies should be reviewed regularly to take into account legislative changes, new threats and newly available protective measures. And, of course, IS requirements must be communicated to the staff, and the staff must be trained.
Some experts are skeptical of "paper" security, considering practical skill in resisting a hacking attempt to be what matters. Real experience of ensuring information security in banks suggests otherwise. Information security experts can be excellent at identifying and mitigating risks, but if the data center staff do not follow their instructions, it is all in vain.
Security, as a rule, does not bring in money; it only minimizes risks. Therefore it is often treated as an obstacle and as something secondary. And when security specialists start to object (which they have every right to do), conflicts often arise with the personnel and managers of operational units.
Industry standards and regulatory requirements help security specialists defend their position in negotiations with management, and approved IS policies, regulations and rules make it possible to get staff to fulfill the requirements set out in them, providing a basis for decisions that are often unpopular.
When a data center provides services under the colocation model, physical security and control of access to client equipment come to the fore. For this, cages (fenced-off parts of the hall) are used, which are under the client's own video surveillance and to which data center personnel have restricted access.
In state computing centers at the end of the last century, things were not bad as far as physical security went. There was access control to the building and to individual rooms, albeit without computers and video cameras, and there were fire suppression systems: in case of fire, freon was automatically released into the machine room.
Nowadays physical security is even better. Access control and management systems (ACS) have become intelligent, and biometric access restriction methods are being introduced.
Fire suppression systems have become safer for personnel and equipment; among them are installations that act on the fire zone by inhibition, isolation, cooling or hypoxic effect. Alongside the mandatory fire protection systems, data centers often use aspirating early fire detection systems.
To protect data centers from external threats (fire, explosions, collapse of building structures, flooding, corrosive gases), safe rooms and server safes have come into use, in which server equipment is protected from almost all external damaging factors.
The Weak Link Is the Human
"Smart" CCTV systems, volumetric motion sensors (acoustic, infrared, ultrasonic, microwave) and ACS have reduced the risks but have not solved every problem. These tools will not help, for example, when people who were properly admitted to the data center, carrying properly registered tools, snag something by accident. And, as often happens, an accidental snag causes the most trouble.
A data center's operation can also be affected by personnel misusing its resources, for example for illicit cryptocurrency mining. Data Center Infrastructure Management (DCIM) systems can help in such cases.
Personnel also need protection, since the human is often called the most vulnerable link in a protection system. Targeted attacks by professional criminals most often begin with social engineering. Often the best-protected systems fall or are compromised after someone somewhere clicked, downloaded or ran something. Such risks can be minimized by training personnel and adopting global best practices in information security.
Engineering infrastructure protection
The traditional threats to data center operation are power failures and cooling system failures. We have become accustomed to them and have learned to deal with them.
A new trend is the widespread introduction of networked "smart" equipment: managed UPSs, intelligent cooling and ventilation systems, and a variety of controllers and sensors connected to monitoring systems. When building a data center threat model, one should not forget the likelihood of an attack on the infrastructure network (and, possibly, through it on the data center's IT network connected to it), which is a reason to keep the two segregated. The situation is complicated by the fact that some of the equipment (for example, chillers) may be located outside the data center, say, on the roof of a rented building.
Communication Channel Protection
If a data center provides services beyond the colocation model, it will have to deal with cloud protection. According to Check Point, last year alone 51% of organizations around the world encountered attacks on cloud infrastructure. DDoS attacks halt the business, ransomware demands a ransom, and targeted attacks on banking systems lead to the theft of funds from correspondent accounts.
Threats of external intrusion also worry data center information security specialists. The most relevant for a data center are distributed attacks aimed at stopping the provision of services, as well as the hacking, theft or alteration of data held in the virtual infrastructure or storage systems.
To protect the external perimeter of a data center, modern systems are used that detect and neutralize malicious code, monitor applications and can import Threat Intelligence feeds for proactive defense. In some cases, systems with IPS (intrusion prevention) functionality are deployed, with the signature set tuned automatically to the parameters of the protected environment.
To protect against DDoS attacks, Russian companies, as a rule, use external specialized services that divert traffic to their own scrubbing nodes and filter it in the cloud. Protection on the operator side is much more effective than on the client side, and data centers act as resellers of such services.
Internal DDoS attacks are also possible within a data center: an attacker breaks into the weakly protected servers of one company hosting its equipment under the colocation model and, over the internal network, conducts a denial-of-service attack against other clients of the same data center. This is one more reason to isolate tenants' network segments from one another.
Attention to virtual environments
It is necessary to take into account the specifics of the protected object: the use of virtualization, the dynamism of the changing IT infrastructure, and the interconnectedness of services, where a successful attack on one client can threaten the security of its neighbors. For example, by compromising a frontend container in a Kubernetes-based PaaS, an attacker can immediately obtain credentials and even access to the orchestration system if the container's service account is over-privileged.
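How far a compromised frontend container gets depends on what its pod's service account is allowed to do. The following is an added example, not code from the post or from Cloud4Y: a Python audit that resolves Kubernetes RBAC objects (in the shape of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` items) to find every binding that lets a given service account read Secrets, and checks whether the pod mounts its token at all. Every namespace, role, binding and service-account name below is constructed for illustration; the "weak" cluster contains a blanket binding of `cluster-admin` to the `system:serviceaccounts` group, the "hardened" one does not.

```python
"""Resolve Kubernetes RBAC to see which Secrets a pod's service account can read.

Added illustration, not code from the post. Input objects mimic the items of
`kubectl get ... -o json`; all names and namespaces below are constructed."""
from typing import Dict, Iterable, List

READ_VERBS = {"get", "list", "watch", "*"}


def _subject_covers(sub: Dict, ns: str, sa: str) -> bool:
    """Does one binding subject include service account <ns>/<sa>?"""
    if sub.get("kind") == "ServiceAccount":
        return sub.get("name") == sa and sub.get("namespace") == ns
    if sub.get("kind") == "Group":
        # Every service account is implicitly a member of these groups.
        return sub.get("name") in {"system:serviceaccounts",
                                   f"system:serviceaccounts:{ns}",
                                   "system:authenticated"}
    return False


def _grants_secret_read(rules: Iterable[Dict]) -> bool:
    """True if any rule allows get/list/watch (or *) on secrets (or *)."""
    for rule in rules:
        if (set(rule.get("apiGroups", [])) & {"", "*"}
                and set(rule.get("resources", [])) & {"secrets", "*"}
                and set(rule.get("verbs", [])) & READ_VERBS):
            return True
    return False


def secret_read_scopes(objects: List[Dict], ns: str, sa: str) -> Dict[str, str]:
    """Map binding name -> namespace whose Secrets <ns>/<sa> may read
    ('*' means every namespace, i.e. the grant comes from a ClusterRoleBinding)."""
    roles = {
        (o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o.get("rules", [])
        for o in objects if o["kind"] in ("Role", "ClusterRole")
    }
    found: Dict[str, str] = {}
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(_subject_covers(s, ns, sa) for s in b.get("subjects", [])):
            continue
        ref, b_ns = b["roleRef"], b["metadata"].get("namespace")
        # A RoleBinding may point at a ClusterRole; the grant stays namespace-scoped.
        key = (ref["kind"], None if ref["kind"] == "ClusterRole" else b_ns, ref["name"])
        if _grants_secret_read(roles.get(key, [])):
            found[b["metadata"]["name"]] = "*" if b["kind"] == "ClusterRoleBinding" else b_ns
    return found


def pod_mounts_token(pod: Dict) -> bool:
    """True unless spec.automountServiceAccountToken is explicitly false.
    (The ServiceAccount object can also disable mounting; not modelled here.)"""
    return pod.get("spec", {}).get("automountServiceAccountToken", True) is not False


# Constructed sample cluster (names are illustrative, not from the post).
RBAC_OBJECTS: List[Dict] = [
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "shop"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "cm-reader", "namespace": "shop"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "frontend-reads-secrets", "namespace": "shop"},
     "subjects": [{"kind": "ServiceAccount", "name": "frontend-sa", "namespace": "shop"}],
     "roleRef": {"kind": "Role", "name": "secret-reader"}},
    {"kind": "RoleBinding", "metadata": {"name": "frontend-reads-cm", "namespace": "shop"},
     "subjects": [{"kind": "ServiceAccount", "name": "frontend-sa", "namespace": "shop"}],
     "roleRef": {"kind": "Role", "name": "cm-reader"}},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    # The weak setting: every service account in the cluster becomes cluster-admin.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "all-sa-admin"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]
# Hardened variant: the same cluster with the blanket binding removed.
HARDENED_OBJECTS = [o for o in RBAC_OBJECTS if o["metadata"]["name"] != "all-sa-admin"]

FRONTEND_POD = {"kind": "Pod", "metadata": {"name": "frontend", "namespace": "shop"},
                "spec": {"serviceAccountName": "frontend-sa",
                         "containers": [{"name": "web", "image": "example/frontend"}]}}
HARDENED_POD = {**FRONTEND_POD,
                "spec": {**FRONTEND_POD["spec"], "automountServiceAccountToken": False}}

if __name__ == "__main__":
    for label, objs in (("weak", RBAC_OBJECTS), ("hardened", HARDENED_OBJECTS)):
        print(label, "shop/frontend-sa reads Secrets via:", secret_read_scopes(objs, "shop", "frontend-sa"))
        print(label, "unrelated billing/worker-sa:", secret_read_scopes(objs, "billing", "worker-sa"))
    print("frontend pod mounts SA token:", pod_mounts_token(FRONTEND_POD), pod_mounts_token(HARDENED_POD))
```

In the weak cluster the frontend's service account can read Secrets in its own namespace through a legitimate-looking RoleBinding and in every namespace through the blanket ClusterRoleBinding, which is exactly the "one tenant's frontend, everyone's credentials" situation described above; removing that binding limits the blast radius to the `shop` namespace, and disabling token automount on a pod that never calls the API removes the path entirely.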
Products delivered under the service model are highly automated. So as not to get in the way of the business, the information protection tools layered on top of them must be no less automated and must scale horizontally as well. Scaling must be provided at every level of information security, including automation of access control and rotation of access keys. Scaling the functional modules that inspect network traffic is a particular challenge.
For example, in data centers with a high degree of virtualization, filtering of network traffic at the application, network and session levels should be performed by the hypervisor's network modules (for example, VMware's Distributed Firewall) or by building service chains (for example, with virtual firewalls from Palo Alto Networks).
If there are weaknesses at the level of compute virtualization, efforts to build an integrated information security system at the platform level will be ineffective.
Data Protection Levels in the Data Center
A common approach is an integrated, multi-level IS system that includes macro-segmentation at the firewall level (segmentation into the various functional areas of the business) and micro-segmentation based on virtual firewalls or on tagging of traffic groups (user roles or services), with access policies defined per tag.
The next level is detecting anomalies within and between segments. Traffic dynamics are analyzed for signs of malicious activity such as network scanning, DDoS attacks or data exfiltration, for example when database files are cut into chunks and sent out in sessions spread over long intervals. Enormous volumes of traffic flow through a data center, so detecting anomalies requires advanced search algorithms working on flow data rather than on inspection of every packet. It is important not only to recognize signs of malicious and anomalous activity, but also to detect malware activity in encrypted traffic without decrypting it, as Cisco proposes in Stealthwatch.
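The two behaviours named above, scanning and low-and-slow exfiltration, are both visible in flow metadata alone (who talked to whom, when, and how many bytes), which is why this kind of analysis keeps working on encrypted traffic. The following is an added example, not code from the post or from any vendor's product: two detectors run over a constructed set of NetFlow-like records. One flags a source that touches many distinct host/port pairs with tiny flows; the other flags a source/destination pair whose outbound sessions recur at near-regular long intervals and add up to a large transfer that no single session would reveal. All addresses, timestamps, byte counts and thresholds are constructed for the example.

```python
"""Flow-metadata anomaly detection: port scans and low-and-slow exfiltration.

Added illustration, not code from the post or from any vendor. It works on
flow records only, never on payload, so it applies unchanged to encrypted
traffic. Every record and threshold below is constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int         # flow start, seconds since midnight
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent from src to dst


def detect_scans(flows: List[Flow], min_targets: int = 20, max_bytes: int = 200) -> Dict[str, int]:
    """Sources that touched many distinct (host, port) pairs with tiny flows:
    the signature of a probe that never completes a real exchange."""
    targets = defaultdict(set)
    for f in flows:
        if f.bytes_out <= max_bytes:
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def detect_slow_exfil(flows: List[Flow], min_sessions: int = 4, min_total: int = 50_000_000,
                      min_gap: int = 1800, max_cv: float = 0.1) -> Dict[Tuple[str, str], Dict]:
    """(src, dst) pairs whose outbound sessions recur at near-regular long intervals
    and together move far more data than any single session would reveal."""
    by_pair: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    hits: Dict[Tuple[str, str], Dict] = {}
    for pair, fl in by_pair.items():
        if len(fl) < min_sessions:
            continue
        fl.sort(key=lambda f: f.ts)
        gaps = [b.ts - a.ts for a, b in zip(fl, fl[1:])]
        total = sum(f.bytes_out for f in fl)
        # Coefficient of variation of the gaps: a scheduler beacons regularly, humans do not.
        if min(gaps) >= min_gap and pstdev(gaps) / mean(gaps) <= max_cv and total >= min_total:
            hits[pair] = {"sessions": len(fl), "bytes": total, "period_s": round(mean(gaps))}
    return hits


# Constructed sample flows (RFC 5737 documentation addresses for the external hosts).
SAMPLE_FLOWS: List[Flow] = (
    # Port scan: one host probing 10 servers on 3 ports with SYN-sized flows.
    [Flow(3000 + i, "10.0.5.7", f"10.0.9.{h}", p, 60)
     for i, (h, p) in enumerate((h, p) for h in range(1, 11) for p in (22, 80, 443))]
    # Low-and-slow exfiltration: a 12 MB chunk roughly every hour to one external host.
    + [Flow(ts, "10.0.3.12", "203.0.113.10", 443, 12_000_000)
       for ts in (0, 3600, 7190, 10800, 14400, 18005)]
    # Ordinary browsing from the same host: irregular timing, small volume.
    + [Flow(ts, "10.0.3.12", "198.51.100.5", 443, 20_000)
       for ts in (100, 130, 900, 950, 4000)]
)

if __name__ == "__main__":
    print("scanners:", detect_scans(SAMPLE_FLOWS))
    for pair, info in detect_slow_exfil(SAMPLE_FLOWS).items():
        print("possible exfiltration:", pair, info)
```

Each 12 MB session on its own looks like an ordinary HTTPS upload; only aggregating per source/destination pair over hours, and looking at the regularity of the intervals, makes the 72 MB transfer stand out, while the same host's genuine browsing to another destination is ignored because its intervals are irregular and its volume is small. In production the thresholds would be derived from per-segment baselines rather than fixed constants.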
The last line of defense is protecting the endpoints on the local network, the servers and virtual machines, for example with agents installed on those endpoints (virtual machines) that analyze I/O, delete, copy and network activity and send the data to a cloud where the computationally heavy analysis is performed. There, Big Data algorithms are applied, decision trees are built, and anomalies are detected. The algorithms are self-learning on the basis of the huge amount of data supplied by a global network of sensors.
Agents can also be avoided: modern information protection tools should be agentless and integrated at the hypervisor level.
These measures significantly reduce information security risks, but they may not be enough for data centers that provide automation of high-hazard production processes, such as nuclear power plants.
Depending on the information processed, the physical and virtualized infrastructure of a data center must satisfy different security requirements set out in laws and industry standards.
These include the Law "On Personal Data" (152-FZ) and the Law "On the Security of the Critical Information Infrastructure (KII) of the Russian Federation" (187-FZ), which came into force this year; the prosecutor's office has already taken an interest in the progress of its implementation. Disputes over whether data centers count as KII subjects are still ongoing, but most likely data centers wishing to provide services to KII subjects will have to meet the requirements of the new legislation.
It will not be easy for data centers hosting state information systems (GIS). According to Decree of the Government of the Russian Federation No. 555 of 11.05.2017, information security issues must be resolved before a GIS is put into operation. So a data center that wants to host a GIS must meet the regulators' requirements in advance.
Over the past 30 years, data center security systems have come a long way: from simple physical protection systems and organizational measures, which have not lost their relevance, to complex intelligent systems that increasingly use elements of artificial intelligence. But the essence of the approach has not changed. The most modern technology will not save you without organizational measures and staff training, and paper will not save you without software and hardware solutions. Data center security cannot be ensured once and for all; it is constant daily work to identify the priority threats and to solve emerging problems comprehensively.
What else is useful to read on the Cloud4Y blog
→ Configure top in GNU/Linux
→ Pentesters at the forefront of cybersecurity
→ The path of artificial intelligence from a fantastic idea to the scientific industry
→ 4 ways to save on backups in the cloud
→ Mutt story
Subscribe to our Telegram channel so as not to miss the next article! We write no more than twice a week and only on business. We also remind you that you can test Cloud4Y cloud solutions for free.