Secure Data Center Operations Gilbert Held Payoff

Transcription

1 Secure Data Center Operations Gilbert Held Payoff The data center stores information necessary for the effective and efficient operation of the entire organization. Loss of this data, conveyance of it to a competitor, or unauthorized alteration of it can harm or even destroy the organization. Therefore, the data security manager should employ data center security measures that do more than just protect equipment. This article outlines such measures. Problems Addressed This article examines a core set of methods, procedures, equipment, and techniques to help secure data center operations. No measures can completely secure these operations. However, by appropriate planning and the implementation of methods, procedures, and techniques to increase the level of security and security awareness within an organization, the data security manager can minimize the number and severity of security breaches. The data security manager must provide three types of security: Physical security. Personnel security. Communications security. To provide physical security, the data security manager must have the personnel, equipment, and procedures necessary to bar unauthorized personnel from the data center. To provide personnel security, the manager must ensure that the organization hires suitable applicants and periodically reviews their eligibility for employment. To provide communications security, the data security manager must enforce procedures and techniques that control the use of communications equipment or line facilities to access the organization's information systems. This article focuses on each of the three categories of data center security and their components, as illustrated in Exhibit 1. Data Center Security and Major Security Components Physical Security In many organizations, the data center is divided into two or more secure areas. One area houses processing equipment, including processors and disk drives, printers, and other peripheral devices. A second area houses communications equipment, including modems, multiplexers, Data Service Unit, channel bank, and the physical line terminals from the communications carrier or carriers serving the organization. The personnel working in these two areas perform very different functions, and these areas have disparate security requirements. Building Access In most organizations, building access is controlled. Personnel must pass a guard station at the main entrance, where they show the guard the badge or other type of

2 identification to prove they are eligible to enter the building. In small organizations, building access may be controlled by a badge reader, cipher lock, or simple door key. Many, if not most, of an organization's visitors never require access to its data center, nor do many of its employees, and many buildings house more than one firm's processing or communications equipment. The data security managers of such organizations must employ methods to limit access to their organizations' data center facilities. Data Center Access One of the most common methods of controlling access to a data center is the use of a cipher key-controlled door. By pressing a valid numeric key combination, usually a fourdigit code, the visitor transmits a signal that activates a door release. Access to most data centers is restricted to operations and support personnel. Programmers, system analysts, and other employees usually do not enjoy uninhibited access to the center. However, these employees, as well as visitors, periodically require access. The data security manager should therefore formulate a policy and procedure for providing access to the data center for personnel who do not work in the computer operations department. Many data centers use a television monitor connected to a TV camera mounted outside the main data center door. The monitor is located within the data center in a control area that also contains a sign-in/out visitor book and badges. A person who does not know the cipher key code and who needs to enter the data center presses a buzzer to alert data center personnel. A designated person sees the visitor on the monitor in the control area before releasing the door lock. Many organizations require that visitors wear an identifying badge and that they be escorted during their visits to the data center. Enhancing Physical Security Data security managers can do several things to enhance the physical security of their centers. First and foremost, they can develop a policy that specifies which employees can enter the data center, the manner in which they gain access, and who is responsible for their supervision. Visitors who are not performing repairs or tests should never be allowed near data center equipment. Another important task for enhancing the center's physical security is changing the cipher lock key combination. When data security managers do not change the combination, former employees, who can gain access to the building, can also enter the data center. Cipher key combinations should therefore be changed periodically; the frequency should be based on organizational turnover. The combination should also be changed whenever an incident compromises the lock security (e.g., a visitor observes an authorized employee entering the access code). To prevent unauthorized personnel from observing employees entering the code, the data security manager should instruct employees to use their bodies to block the cipher lock from view. Another item that deserves careful consideration is the control of printouts, tapes, disks, and cartridges. As the repository of corporate information, the data center generates critical information that must not be accessed by unauthorized persons. Information leaving the data center should be routed through an input/output (I/O) control facility, which, in many organizations, is located in the production control department. (This department provides the data center with magnetic media from outside sources and delivers system output and magnetic media from the data center to persons working outside the data center.) With an appropriate policy and procedure in place, I/O control personnel can ensure the delivery of data center materials to persons authorized to receive such material, minimizing the risk of critical information winding up in the hands of unauthorized personnel. The data security manager should require that all material leave the data center through I/O control.

3 One often overlooked security mechanism is the physical placement of equipment. Within a data center are terminals and consoles that continuously monitor production jobs or that control job scheduling, the dispatching of jobs, and related processes. Those terminals and consoles control computers and communications facilities within the data center, and some of these devices can be used to initiate computer shutdown. These terminals and consoles usually operate throughout the day, and a group taking a tour of the data center or employees with time on their hands could inadvertently cause havoc by experimenting with them. To minimize this possibility, the data center operations manager should consider relocating monitor and control terminals within the operations area of the data center and away from corridors where they can be easily accessed by unauthorized persons. Because one or more members of the operations staff are usually on duty, the manager should consider delegating control of access to those terminals and consoles to the operations branch or department. Personnel Security Although the use of some personnel security procedures, such as drug testing and lie detectors, is determined by corporate policy, the data security manager or other IS managers can still implement a basic personnel security policy. To do so, the data security manager should check job applicant references, possibly asking the corporate legal department for a release form that applicants can sign to allow the organization to obtain their transcripts, proof of college degrees, and other verification of attendance at schools. One of the frequently overlooked aspects of personnel security is controlling contractor personnel. Data security managers should exercise as much care in reviewing backgrounds of full- or part-time contractors as they do for permanent employees. Personnel Review Once an employee or contractor passes an initial screening or investigation, most organizations forget an important characteristic of life things rarely remain the same! An employee's personal circumstances can change through marriage, divorce, bankruptcy, or other factors (e.g., chemical dependence or another form of substance abuse). People who were hired a few years ago might not be eligible for employment if an updated screening or investigation were periodically performed. Therefore, a key to avoiding personnel problems is periodically updating personnel investigations. Doing so alerts managers to the need to refer employees to a counseling service or to the fact that an employee or contractor has become a potential threat instead of a valuable resource. Communications Security Communications security involves the use of hardware, software, policies, and procedures to control the use of communications facilities to access the organization's information systems. Although passwords, which govern this type of access, are generally considered the primary component of communications security, their use is only a small part of an effective communications security effort. Other aspects of communications security that the data security manager should consider include: Packet filtering. The use of callback modems and data encryption devices. The manner in which telephone rotary numbers are ordered and changed.

4 Policies and procedures that govern the duration of unattended access to online application programs. Packet Filtering The growth in the number of corporate connections to the Internet involves both an opportunity and a threat. With access to a network of networks containing more than 25 million computers, an organization's employees can send electronic mail messages to users throughout the world. Employees with Internet access can use thefile Transfer Protocol to download files from tens of thousands of file transfer protocol (FTP) servers with programs and data bases on a wide variety of topics. Employees can use Telnet to obtain a remote connection to other computers on the Internet, and they can use such Internet applications as Archie and Gopher to perform information searches. However, Internet access is a two-way street, and Internet organizations that do not implement packet filtering expose themselves to the good or bad intentions of millions of Internet users. Exhibit 2 suggests some of the security exposures of a LAN connected to the Internet. In this example, a bus-based Ethernet LAN links 50 workstation users to a mainframe and, through a router, to an Internet service provider. Without implementing packet filtering, the organization's data flow is bidirectional. Any person connected to the Internet can try to access the organization's computational facilities on the Ethernet LAN, including its mainframe and LAN workstations. Typical Nonprotected Internet Connection For example, a hacker could develop a script program to probe different Internet addresses until he or she located the organization's. Then, the hacker could create a second script to attempt to log into one or more of the computers connected to the Ethernet LAN. Once access was obtained, the hacker could plant a virus, alter files, or otherwise compromise the well-being of the organization. Packet filtering, a technique used to control the routing of packets to LANs, can eliminate this security exposure. Packet filtering is usually implemented in a router. However, some routers offered by Internet service providers as part of an Internet access package provide only a limited packet filtering capability. An organization that uses these routers usually purchases a standalone router that is used only for its packet filtering capability. When used in this manner, the router is commonly called a firewall, because it provides a barrier between an organization's network computational resources and the rest of the world. Exhibit 3 illustrates the use of a firewall to protect network resources. Data flow in this network could be restricted in several ways because packet filtering permits either bidirectional or one-way data flows in either direction. However, with some applications, such as simple mail transport protocol (SMTP), an organization probably would not wish to filter in either direction because it would want to support the bidirectional flow of carried by Simple Mail Transfer Protocol. With other Internet applications, such as the file transfer protocol (FTP), which allows users to transfer files, and Telnet, which is used to obtain a remote computer connection, an organization may prefer to allow only outbound access. It may not want outside users to download files onto the LAN or to obtain remote access into the network's computers. Using a Firewall to Protect a Network

5 Because Internet applications occur on well-defined port numbers that represent logical connections, an effective firewall filters by source and destination address, as well as by port number. For example, if a data security manager wanted to permit bidirectional by means of SMTP, he or she, because the SMTP application used port 25, would set the following filter: Action Inbound Outbound Port allow yes yes 25 A filter should be set to allow both inbound and outbound communications for an Internet application because, with most firewalls, all that is not expressly permitted is prohibited. Thus, if the manager does not specify the prior filter, most firewalls will preclude in both directions. If the data security manager wants to permit network users to use file transfer protocol (FTP) to download files from servers on the Internet but preclude Internet users using file transfer protocol (FTP) from accessing network facilities, he or she would establish the following filters: Action Inbound Outbound Port allow no yes 21 allow yes no 20 These filters permit network users making control file transfer protocol (FTP) requests to access the Internet, but they accept only files transferred due to those requests as inbound traffic. Callback Modems If an organization has a network that supports dial-in calls from terminals and microcomputers, anyone who can access the switched telephone network can intentionally or unintentionally dial a number that accesses the organization's computer. To reduce this threat, the data security manager can install callback modems instead of conventional modems at dial-in ports, which are connected to the communications equipment that provides access to the network's information systems facilities. A callback modem is programmed to contain a table of user names or user code and corresponding telephone numbers. A dial-in user who calls a callback modem is initially prompted to enter the user name or user code. The modem then displays a message instructing the user to hang up and wait for a callback. The modem then disconnects and dials the telephone number associated with the caller. The callback modem thus restricts calls to those originating from known telephone numbers. Unfortunately, a callback modem cannot be effectively used when an organization's employees travel and must access the organization's central communications facilities from numerous locations. In additon, the cost of the second telephone call constitutes the greater part of the cost of billed communications. Charging these costs to the departments of those employees who originated the long-distance calls is usually difficult. Encryption Devices Several communications vendors manufacture encryption devices that are compatible with the National Institute of Standards and TechnologyData Encryption Standard algorithm. Although the use of encryptors provides secure communications, the data security manager must develop a policy to govern both the generation and distribution of encryption keys. The policy should address the need to change these keys periodically. However, unless the organization transfers funds or very critical information, the use of

6 encryptors may not be justified because of the cost of the equipment and the labor required to change keys. Telephone Rotary Numbers When an organization orders a group of telephone lines on a rotary switch to provide access to communications equipment, the data security manager usually ensures that the telephone numbers will not be listed. The appearance of these numbers in a telephone directory can tip off hackers. If the organization wishes to provide some segment of the public with easy access to its computer facilities, the data security manager should assess the advantages and disadvantages of listing the organization's communications access telephone numbers only in brochures distributed to customers instead of in a public directory. On occasion, a hacker may stumble across one or more of the organization's telephone rotary groups. Unfortunately, under current law, it is not illegal for the hacker to continuously attempt to gain access to an organization's computer and, in doing so, tie up a portion of its communications resources. Under the laws of most states, a legal violation occurs only if the hacker actually penetrates the system. Changing the numbers usually corrects the problem and is generally a practical remedy to an attempted computer penetration. Policy and Procedures One communications security vulnerability that organizations ofter overlook is the terminal user who, after signing onto an application, leaves to get coffee, go to lunch, or take a break. Anyone walking by that terminal can access the application currently being used. To avoid this situation, the data security manager should consider using software that automatically logs a user off if no activity accurs within a predefined time interval. In addition to enhancing security, these activity monitors support the effective use of communications and computer resources because they make those resources available to other users. Recommended Course of Action There are three key components to data center security: physical security, personnel security, and communications security. By carefully considering the elements associated with each component; developing plans, policies, and procedures; and obtaining appropriate hardware and software, the data security manager can minimize potential risks. Careful consideration of these issues both increases the safety of personnel and equipment in the data center and minimizes the intentional or unintentional removal of information from the data center. Therefore, the data security manager should carefully review the elements of the security program against elements discussed in this article. The data security manager should then initiate appropriate action to eliminate any deficiencies that could adversely affect security, working within the constraints of the data center's budget and available personnel. Author Biographies Gilbert Held Gilbert Held, an internationally known author and lecturer, is the author of more than 25 books and 200technical articles on computer systems and communications. He is the director of 4-Degree Consulting in Macon GA.

7

8

9