Securing today s data centre

Transcription

1 white paper Securing today s data centre The intelligent use of data is core to achieving business success. There is, therefore, an indisputable need to safeguard the data centre, where most data in its various forms is processed and transited. This can be an onerous responsibility, and increasingly so with the continual evolution of business models and new technology, the proliferation of threats, and increased pressure around compliance. Traditional data centre approaches that worked before have no place in this new scheme of things. We need to use new technologies like virtualisation and cloud solutions, and establish the right ecosystem of controls, processes and policies. When properly crafted and applied to form a cohesive whole, and guided by a well thought-out information governance framework with a matching architecture, these approaches can offer robust protection for the modern data centre.

2 Contents Executive Summary 01 Data centre imperatives 01 Information governance framework 02 Security architecture 03 Layering 03

3 In this paper, Dimension Data provides insight on how to deal with this new challenge and lays out an approach for establishing a secure ecosystem of controls in the modern data centre. Data centre imperatives Digital information is the lifeblood of every modern organisation. Used properly, it can be transformed into knowledge for guiding strategy, making key business decisions and managing day-to-day operations. For data to be used in these ways, it has to be untainted, kept safe, and made available. This means that the data centre, the heart through which almost all data flows, has to be kept healthy and secure. Data centre today is vastly different from what it was, say, a decade ago. Firstly, the data centre has undergone a huge transformation. While the traditional big iron data centre was tasked with providing raw computing power, the new-generation data centre acts as a fast, agile and serviceoriented provider of IT utility. Furthermore, while the traditional data centre served mostly internal users, the new-generation one caters to a broader constituency comprising increasingly mobile employees, customers, suppliers, and business partners across the globe. This makes the responsibility of securing the data centre even more onerous. Many enterprises have consolidated their data centres in order to mitigate IT and process complexity, increase resource utilisation and efficiency, improve performance, and raise service levels and consistency all while trimming costs. Such consolidation centralises information in a smaller number of locations. While this makes the responsibility for keeping information secure more exacting as it should, it also gives organisations the opportunity to address in a proper manner, with the outcome being a sturdier overall IT posture. New technologies, too, impact in today s data centres. While virtualisation and cloud technologies help reduce costs, boost efficiencies, and speed up business operations, they also introduce new risks. For example, in a virtualised environment it can be difficult to separate or gain visibility into communication between virtual machines on the same host, or locate all critical servers to check if they have been properly patched and configured. The use of cloud offerings brings challenges around data sovereignty, and dependencies on service level agreements (SLAs) and controls outside of the company. In addition, the threat landscape is increasingly ominous. Hackers have evolved from hobbyists out to cause mischief, to professional criminals and for-hire outfits engaged by states and corporations eyeing sensitive information and commercial secrets. Hackers deploy very targeted attacks and have more advanced means than ever before. Digital information is the lifeblood of every modern organisation. Used properly, it can be transformed into knowledge for guiding strategy, making key business decisions and managing day-to-day operations. 04

4 Security architecture Security operation Governance Change Incident Configuration and asset Forensics investigation Event monitoring and Architecture principle & model N-tier architecture Application Application platforms Collaboration Access Internet facing web server Data warehouse Data encryption Server and endpoint Instant messaging Identity SSO Strategy Policy Service orientated architecture Antivirus & HIPS Server & endpoint Patch DLP Vulnerability Perimeter and infrastructure Wireless Authentication DLP Role & responsibility Risk Virtualised Network Virtualised F/W and IPS Network admission control Web gateway solutions Network antivirus Wireless DLP Legal & regulatory SaaS Private cloud Public cloud Hybrid cloud Virtualised IT platform Compliance Figure 1: The total secure data centre domain Information governance framework While most organisations understand the importance of keeping data secure, and compliance remain one of the most challenging disciplines to comprehend, implement and maintain. Security in a data centre is a very broad domain that requires an understanding of complex challenges. Without a proper information governance framework, many businesses are simply unaware of their risk exposure and could be vulnerable to operational, financial and reputational damage. Information governance ensures that information strategies support business objectives, manage risks appropriately, use organisational resources responsibly, and are consistent with applicable laws and regulations. For it to be effective, information governance needs to be real time and an integral subset of the overall corporate governance model. Board-level sponsorship is thus vital as this facilitates the assignment of roles, the division of responsibilities, and the allocation of ownership. Top IT, of course, must be included in the organisational sub-structure holding the mandate. Effective governance requires a framework to guide the development and maintenance of a comprehensive information architecture. This framework generally consists of: an information risk methodology a strategy explicitly linked with business and IT objectives a organisational structure a assessment strategy that evaluates the value of information that is protected and delivered policies that address each aspect of strategy, control and regulation standards for each control monitoring processes to ensure compliance and provide feedback continual evaluation and updating of policies, standards, procedures and risks Once the information governance framework has been constructed, it can be used as the basis for developing a architecture that supports the organisation s objectives. 05

5 Security architecture Security architecture should link business and IT objectives, limit the impact of adverse events, and provide the right information for compliance requirements. In addition, it should strike a balance between optimal technical controls and operational expenses, as well as take into account the existing IT infrastructure and deployment models. The development of such an architecture is a multi-phase endeavour. The first step is to gain an understanding of the organisation s business strategy for, say, the next three years. What the organisation aims to do or become has an influence on the architecture. For example, if the plan is to expand the business geographically or make additions to the application deployment model, this will impact not just the IT architecture in the data centre but also its. The current state of the data centre is then determined. The best way to do this is to gather and analyse information on the network and devices to identify vulnerabilities related to the internetwork operating system, and network and device configuration. Such vulnerability assessments are usually conducted manually by specialists, either from within the organisation or from a third party that can provide the proverbial extra pair of hands and eyes. This assessment should include penetration tests, and internal and external audits of policy and controls compliance. A similar assessment of the infrastructure then follows, covering the network, systems, end points, applications, and compliance, policies and rules. The evaluation of the current state of the data centre and of the infrastructure will reveal areas where the effectiveness of measures can be improved. These gaps need to be filled using the necessary solutions and technologies, and changes to the existing IT infrastructure and deployment models may be required. Using the improved architecture as a base, the business can then map out the actions and projects that will eventually align its business strategy with its IT master plan. Technology: layering controls As previously mentioned, organisations can no longer depend on traditional approaches to secure their data centres. Other than physical protection, these approaches focus mostly on protection at the network perimeter. This method has one major flaw: once the network has been breached, intruders have relatively easy access to systems and data within the network. Network perimeter defences also fail to counter threats from internal sources. To defend corporate systems and data assets in today s data centres, organisations need a strategy that encompasses all the components of their IT environment, from the network to the perimeter, data, applications, servers and end points, thus minimising and managing all the weak points and vulnerabilities that expose the organisation to risk. Data centre Physical Figure 2: Layered defence Field level Obviously no single technology can protect against all threats. Multiple technologies have to be deployed. These technologies are most effective when applied as layers. This way, should one defensive layer be breached, the other layers continue to provide. A multi-layered strategy for today s data centre should include elements for protecting the infrastructure (corporate network, servers and end points) and applications, with an additional layer comprising operations. Application Access level Network Encryption 06

6 Infrastructure protection A layered strategy for data centre starts at the first line of defence the network layer. Almost all physical devices in today s business environment have an IP address and are connected to a network. Most attacks happen at the network level, and those that do turn into breaches eventually touch the network at some point. A cohesive network strategy should incorporate several distinct technologies that together protect the entire network fabric, making it resilient. These technologies include those for traffic monitoring and access control, intrusion prevention (including wireless), zero-day attack prevention, Web gateways, and end-point protection. At the server level, protective technologies include those for malware protection, host intrusion prevention, and data loss prevention. Complementing these are application control software for blocking unauthorised applications and code on servers and other assets, and for whitelisting users who are authorised to make configuration and other changes. As with all software, it s very important that these be updated with the latest patches. Default user accounts created during a server installation must be deleted. Unused modules and application extensions, and unnecessary services also need to be removed so as to minimise the number of open ports. Servers containing sensitive data should be further shielded by being isolated in dedicated, secure segments of the corporate network, with access to these segments controlled via tiered firewalls. As for end point, many of today s workers access the intranet from outside the office environment, sometimes through their own personal handheld devices. Together with the proliferation of portable media, this increases the risk of infection. To minimise this risk, end points can be secured using solutions for malware protection, access control and identity verification. Application layer Many organisations use a mix of opensource, internally developed applications and commercially available applications. Some of these may not have been written to strict secure code guidelines or not secured on a life cycle basis, making them vulnerable. The need to keep applications secure has become more critical as more organisations transact and engage customers, partners and even regulators over the internet and are expected to keep the related data safe. Having a dedicated web server for internetfacing applications and storing the data in a protected data warehouse can help ensure this. To ensure that only authorised users are allowed to access and use applications, organisations should have, at the minimum, identity and single sign-on technologies. Complementary solutions include encryption software and gateways for applications such as . Many organisations use a mix of opensource, internally developed applications and commercially available applications. 07

7 Security operations and For a architecture and technologies to be effective, they need to be supported by the people who operate and manage these tools. Security operations encompass risk and vulnerability assessment, incident and remediation, change, event monitoring, forensic investigation of attempts and intrusions, and asset and configuration. When reinforced by the right policies, procedures and processes, and managed in a cohesive and co-ordinated manner, these services can give the organisation a full view of its current risk, enabling it to make informed decisions about both its immediate priorities and future plans to improve and manage risk. However, more often than not, such big picture of operations is lacking in today s organisations. The reasons for this include a lack of IT staff with the requisite skills, disproportionate attention paid to operational tasks such as patch and firewall rule changes, having too many diverse technologies to manage, and being fixated by technology but not its operational. Another reason is not having the tools necessary for providing the services. Together, these three layers provide a protective shield for the data centre, keeping the information belonging to the organisation, its employees, its customers and its business partners confidential, uncorrupted and available. Conclusion The way businesses use data will contribute to their success in the marketplace. The consequent responsibility to secure the data centre can be burdensome but this burden can be lightened through the use of the correct technologies within a sound ecosystem. Elegantly deployed and crafted, and guided by a considered information governance framework and matching architecture, these technologies and ecosystem can shield the modern data centre from threats. Dimension Data is a global systems integrator that helps clients to create, integrate and manage their infrastructure in a way that supports their business goals. We offer a broad portfolio of services coupled with proven technologies from a select group of innovative partners including Blue Coat, Check Point, Cisco, F5, McAfee and AirWatch. Our professionals are recognised for their depth of expertise and passionate client delivery. They re globally connected to bring you the best solutions for your needs, delivered anywhere in the world. CS / DDMS-1432 / 11/13 Copyright Dimension Data

8 Middle East & Africa Asia Australia Europe Americas Algeria Angola Botswana Congo Burundi Democratic Republic of the Congo Gabon Ghana Kenya Malawi Mauritius Morocco Mozambique Namibia Nigeria Oman Rwanda Saudi Arabia South Africa Tanzania Uganda United Arab Emirates Zambia China Hong Kong India Indonesia Japan Korea Malaysia New Zealand Philippines Singapore Taiwan Thailand Vietnam Australian Capital Territory New South Wales Queensland South Australia Victoria Western Australia Belgium Czech Republic France Germany Italy Luxembourg Netherlands Spain Switzerland United Kingdom Brazil Canada Chile Mexico United States For contact details in your region please visit