Enterprise Security & Risk Management. White Paper. Securing the Future with Next-Generation Data Center Security




About the Authors

Prikshit Goel
Prikshit Goel heads the Center of Excellence (CoE) for Managed Security Services within the Enterprise Security and Risk Management business unit at Tata Consultancy Services (TCS). He focuses on providing security and IT infrastructure solutions to clients. Goel has 15 years of experience in the IT space with a focus on Information Security and Networks. He has a B.E. in Electronics and Communication Engineering (Honors). He also holds many industry certifications such as PMP, Cisco CCNP and CCNA, ITIL, BAC, CEH, and ACS, and has trained in security products such as RSA, Symantec, Palo Alto, and Cisco across various layers.

Kamal Dhamija
Kamal Dhamija is a Security Solution Architect in the Managed Security Services Center of Excellence (CoE) at Tata Consultancy Services (TCS). The CoE is part of the Enterprise Security and Risk Management business unit and is responsible for providing security solutions to customers. Dhamija has over seven years of experience in network security, information security, pre-sales, and technical support for complex heterogeneous environments. He has a Bachelor's degree in Engineering, with a specialization in Computer Science. He also holds numerous technical certifications such as ISO 27001 LA, ITIL, and RSA Archer.

Abstract
Data center security is crucial for every modern business in this digital information age. When used carefully and appropriately, this information can be transformed into knowledge for developing strategy, facilitating key business decisions, and running day-to-day operations. The data center, which forms the core component through which almost all data flows, must therefore be resilient and secure. Data center security entails maintaining the confidentiality, integrity, and availability of data. With data centers having undergone significant transformation over time, data center security is very different from what it was years ago. For instance, while the traditional data center provided raw computing controls, next-generation data centers need to be responsive, service oriented providers of IT utility. Today, organizations also use a tiered approach to categorize data center services, based on the availability of data. Additionally, a traditional data center had a limited number of internet breakout points, so data coming from outside could only enter the data center through those points. Today, however, the organization's data resides at various locations, sites, and devices, making it imperative for data centers to be available 24x7x365 to support employees, partners, and vendors. This makes the responsibility of securing the data even more difficult. In fact, data center security has become similar to defending a castle or securing an airport from external threats. This paper offers a high-level overview of the key trends and technologies that are shaping today's data centers, and their impact on data center security. It also provides a framework to achieve next-generation data center security.

Contents
1. Ramping up data center security: key technology trends and challenges
2. A framework for next-gen data center security
3. A hybrid approach to data center security
4. Gearing up for a more secure future

Ramping up data center security: key technology trends and challenges

Many organizations have merged their data centers in order to reduce the overall cost of data center implementation and maintenance. This has helped reduce IT and process density, enhance resource utilization and productivity, and improve process performance and consistency, while pruning costs. Such consolidation centralizes information in fewer locations, which gives organizations the opportunity to address security more efficiently and build a sturdier IT security posture.

Emerging technologies also have a fundamental impact on how security is designed and deployed within the data center. While virtualization helps reduce costs, optimize resources, and speed up business operations, it also introduces new security threats. Similarly, cloud services may offer faster provisioning and deployment but require stronger security controls to protect the organization from external threats. It also becomes challenging to achieve visibility into the communication between virtual machines hosted on the same physical machine, since that traffic never crosses a physical network link, making it harder to monitor and secure the environment. With organizations generating huge volumes of data, Big Data analytics is also putting increasing pressure on data centers and their security. The emergence of mobility has allowed employees to access and use data across devices to perform daily operational tasks, compelling organizations to rethink their approach to data center security.

In such an environment, merely implementing security controls is not enough to meet the need for heightened data center security. Organizations need to address challenges such as increased network complexity and access control through proper authorization. Ensuring regulatory and security compliance with respect to specific business security needs and preventing data leaks due to the increased number of data exit points is also critical. Managing logs is another important area of focus, especially with respect to consolidated, hosted data centers that receive logs from various geographies.

A framework for next-gen data center security

An organization's data center security approach must be tailored to meet its needs. Customized security tools should be implemented to support decision making. The ideal security team should comprise experienced security analysts, risk and compliance managers, and dedicated service delivery managers for ensuring smooth service delivery. Figure 1 depicts a framework for next-gen data center security.

Figure 1: A framework for next-gen data center security (diagram not reproduced; its labels are summarized here). Security Governance: security strategy, security policy, risk management, audit & compliance, penetration testing. Security Operations Center: security events monitoring, incident management, log management, vulnerability management, malware forensics. Deployment targets: private cloud, public cloud, hosted data center. Network security, host security, and application & data security layers, with controls including firewall/VPN/OTP, IPS, PKI, proxy/reverse proxy, email security, anti-malware, FIM, HIPS, WAF/app whitelisting, endpoint DLP, virtualization security, IAM/SSO, encryption, DLP, DRM, and DAM. Security Enablers: ISO 27000 framework, best of breed technologies, certified resources, ITIL based delivery, integrated delivery model.

Let's take a look at the components that make up this next-gen data center security framework. Security governance, the operations center, and the security architecture envelope all the security layers of the Open Systems Interconnection (OSI) model. They provide security assurance for the next-generation data center by ensuring the confidentiality, integrity, and availability of organization, employee, and customer information.

Security governance: improving compliance and mitigating risks

Compliance and security standards are among the top priorities, and at the same time the hardest to implement and maintain with respect to data center operations. Neglecting security governance could expose the organization to operational, financial, and reputational risks. Security governance ensures that the information security approach supports business objectives and risk management, while adhering to applicable compliance standards. Effective security governance needs to be real-time and part of the overall corporate governance model. Sponsorship from management is also important, since it facilitates role assignment, division of responsibilities, and the allocation of ownership. Senior management from the IT function must be included as part of the organizational sub-structure to oversee the security mandate.

Security operations center: leveraging the right expertise and tools

Many organizations today lack a security operations center due to limited access to skilled IT security staff and tools. In addition, several diverse security technologies exist, and as a result, a significant amount of time is spent on operational tasks such as patch management and firewall rule changes. Designing and implementing an effective security operations center requires the support of certified professionals who are experienced in operating and managing security tools and technologies on a regular basis. As shown in Figure 1, the security operations center encompasses incident management and remediation, vulnerability and log management, security event monitoring, malware forensic analysis, and troubleshooting of security devices.

Security architecture design: aligning business strategy with the security plan

Designing the security architecture is a multi-phased endeavor. The security architecture is heavily influenced by what an organization is trying to achieve. Hence, the ideal first step is to understand the organization's business strategy for a specific duration. For example, whether an organization is expanding its cloud based solutions, extending its mobile based applications across multiple geographies, or modifying its existing application deployment model, these decisions affect the IT infrastructure deployment. This, in turn, affects the security architecture. The next step involves evaluating the data center's current security posture. This can be achieved by gathering and analyzing information about network and security devices to identify vulnerabilities within the operating system, network, and device configuration. Vulnerability assessments are generally performed manually by in-house security experts or external security consultants. Such assessments should include penetration testing as well as internal and external audits of policy compliance. A detailed analysis of the data center's current security posture and infrastructure is likely to expose possible gaps.
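The security operations center functions listed above (security event monitoring and log management feeding incident management) come down to correlating events that arrive from many devices. The following is an added example, not code from the paper or from TCS, of the simplest such correlation: sshd authentication messages from a constructed bastion host log are grouped per source address, and an alert is raised when a source fails five times within a minute, with a second, higher-value alert when that same source then logs in successfully. The log format, the thresholds, the hostnames and the sample lines are all assumptions made for this example.

```python
"""Security event monitoring over constructed log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: syslog-style sshd messages from a bastion host. Not real data.
SAMPLE_LOGS = """\
2015-06-01T09:00:01 dc-bastion sshd[4011]: Failed password for admin from 203.0.113.7 port 51200 ssh2
2015-06-01T09:00:03 dc-bastion sshd[4011]: Failed password for admin from 203.0.113.7 port 51201 ssh2
2015-06-01T09:00:04 dc-bastion sshd[4011]: Failed password for root from 203.0.113.7 port 51202 ssh2
2015-06-01T09:00:06 dc-bastion sshd[4011]: Failed password for admin from 203.0.113.7 port 51203 ssh2
2015-06-01T09:00:07 dc-bastion sshd[4011]: Failed password for admin from 203.0.113.7 port 51204 ssh2
2015-06-01T09:00:09 dc-bastion sshd[4012]: Accepted password for admin from 203.0.113.7 port 51205 ssh2
2015-06-01T09:05:00 dc-bastion sshd[4020]: Failed password for jdoe from 198.51.100.20 port 40000 ssh2
2015-06-01T09:30:00 dc-bastion sshd[4021]: Failed password for jdoe from 198.51.100.20 port 40001 ssh2
2015-06-01T09:31:00 dc-bastion sshd[4022]: Accepted publickey for jdoe from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+(?:\.\d+){3}) port \d+"
)


def parse_events(text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def detect(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window correlation keyed on source IP; returns alerts in the order raised."""
    failures = defaultdict(deque)  # src -> timestamps of recent failed logins
    alerts = []
    for ev in events:
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # age out failures older than the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:  # fire once, when the threshold is first crossed
                alerts.append({"type": "brute_force", "src": ev["src"], "host": ev["host"],
                               "first": q[0], "last": q[-1], "count": len(q)})
        else:
            # A success right after a burst of failures is the event an analyst must triage.
            if len(q) >= threshold:
                alerts.append({"type": "success_after_failures", "src": ev["src"],
                               "host": ev["host"], "user": ev["user"], "at": ev["ts"],
                               "failures": len(q)})
            q.clear()  # a successful login resets the counter for that source
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOGS)):
        print(alert)
```

Run against the sample, the first source produces both alerts and the second produces none, because its two failures are 25 minutes apart and fall out of the window. In a real deployment the parser would be one of many per log source, the timestamps would need time-zone normalization before correlation, and the alert would carry the raw lines as evidence for the incident record.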
Gaps identified in this analysis can be filled either by using security solutions to make changes within the existing IT infrastructure or by modifying the security deployment architecture. With the improved security posture as a base, organizations can remap their upcoming projects to align business strategy with the data center security plan.

Security enablers: supporting the security architecture

Security enablers provide the various mechanisms that need to be adhered to while securing next-generation data centers. Organizations should follow the ISO 27000 framework and deploy best-of-breed technologies for designing their security architecture. Personnel certified in data center security can provide insights into potential security threats and how to mitigate them. ITIL based delivery, along with an integrated delivery model for providing the right compliance information, is also important. Additionally, these enablers help maintain the balance between security controls and operating expenses, while taking into account the existing IT infrastructure and deployment architecture.

A holistic security strategy with layered security controls

In order to secure their data centers, organizations can no longer depend on a traditional security approach that focuses on protection at the network perimeter. Once the network is breached, attackers can easily access systems and data within the compromised network. Organizations therefore need a holistic strategy that secures all the components of the IT environment at each layer of the OSI model, so that if one layer is compromised, there are other layers that continue to protect corporate data. With organizational data residing in various locations, data centers, and devices, multiple security technologies need to be deployed to cover every possible vulnerability. The different security layers are explained further in the following sections.

Network security

A layered approach for data center security starts with the network. This is because almost every physical appliance in today's world has an IP address and is connected to a network. Moreover, most security attacks either start at the network layer or eventually touch the network layer at some point during the attack. A network identity solution, such as 802.1X based network access control, improves security at the network layer and provides user or role based access and device based profiling. The default password should be changed for every asset: servers, laptops, network and security appliances, and so on. Any default user account created during server initialization or installation must be deleted, or disabled where the platform does not allow deletion. Services that are not required should be disabled, and unused ports should be blocked on every system and network appliance. Placing servers that hold sensitive data in internal zones behind the Demilitarized Zone (DMZ), rather than in the DMZ itself, further enhances security. Such zones are segments of the corporate network to which access is controlled through tiered firewalls. Here are seven other best practices for enhancing the security of network devices:

- Maintain detailed records on every network device, including device name, type, owner, installed location, serial number, and service tag.
- Manage static IP assignment for all management interfaces of the network devices. This includes adding their records to the domain name server and tracking them in the IP address management solution.
- Ensure regular application of patches and security updates to the firmware of all network devices.
- Perform regular backups of every network device configuration, and confirm that the configuration can actually be restored from these backups.
- Include every network device in regular vulnerability scans to identify potential threats to the network.
- Implement port restrictions to prevent users from running any device on the network in promiscuous mode.
- Perform proactive analysis of all security violations.

Host security

Host level security generally includes malware protection or anti-virus solutions, host intrusion prevention, device control, and end-point Data Loss Prevention (DLP). It also includes application control software for blocking unauthorized applications and preventing users from making modifications within the operating system registry.

End-point security: In most organizations, employees often access the internet from outside the office. Therefore, a host based content filtering solution should be deployed on every laptop and desktop to minimize the security risk. Updating all end-point security servers and client applications regularly is also critical. End-point control and compliance solutions secure end-point devices to uncover, analyze, and remediate abnormalities that lead to failed audits and faulty intelligence on security threats.
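Both the posture-assessment step in the security architecture section (identifying vulnerabilities in device configuration) and the network device practices above reduce, in practice, to checking each device's configuration against a hardening baseline. The following is an added example, not code from the paper or from TCS: it parses an IOS-style running-config and reports the things the text warns against, namely default credentials and SNMP communities, cleartext management access, unneeded services, and missing log forwarding and time synchronization. Both sample configurations are constructed, the checks and severities are this example's own choices, and the "default password" list is an assumption.

```python
"""Device configuration audit against a hardening baseline (added example)."""
import re

DEFAULT_COMMUNITIES = {"public", "private"}                      # vendor-default SNMP strings
DEFAULT_PASSWORDS = {"cisco", "admin", "password", "changeme"}   # assumed default list

# Constructed "before" config: a switch that was never reviewed after installation.
WEAK_CONFIG = """\
!
hostname dc-core-sw1
!
username admin password 0 cisco
enable password cisco123
!
ip http server
snmp-server community public RO
!
line vty 0 4
 login local
 transport input telnet ssh
!
"""

# Constructed "after" config: the same device with every finding addressed.
HARDENED_CONFIG = """\
!
hostname dc-core-sw1
!
service password-encryption
username netops secret 5 $1$xyz$constructedHashNotReal
enable secret 5 $1$xyz$constructedHashNotReal
!
no ip http server
snmp-server community Rt8-constructed-string RO 10
logging host 10.10.0.5
ntp server 10.10.0.6
!
line vty 0 4
 login local
 transport input ssh
!
"""


def parse_blocks(config_text):
    """Split a config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config_text):
    """Return a list of (severity, message) findings; an empty list means the baseline is met."""
    blocks = parse_blocks(config_text)
    tops = [top for top, _ in blocks]
    findings = []
    for top, sub in blocks:
        m = re.match(r"snmp-server community (\S+)", top)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("HIGH", f"default SNMP community '{m.group(1)}'"))
        m = re.match(r"username (\S+) password (?:0 )?(\S+)$", top)
        if m and m.group(2).lower() in DEFAULT_PASSWORDS:
            findings.append(("HIGH", f"user '{m.group(1)}' has a default, plaintext password"))
        if top.startswith("enable password"):
            findings.append(("HIGH", "'enable password' in use; replace with 'enable secret'"))
        if top == "ip http server":
            findings.append(("MEDIUM", "unneeded service enabled: ip http server"))
        if top.startswith("line vty"):
            transports = [s for s in sub if s.startswith("transport input")]
            if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
                findings.append(("HIGH", f"{top}: telnet permitted; set 'transport input ssh'"))
    # Device-wide settings that must be present somewhere in the config.
    if "service password-encryption" not in tops:
        findings.append(("MEDIUM", "service password-encryption not enabled"))
    if not any(t.startswith("logging host") for t in tops):
        findings.append(("MEDIUM", "no syslog destination configured (logging host)"))
    if not any(t.startswith("ntp server") for t in tops):
        findings.append(("LOW", "no NTP server; log timestamps cannot be trusted"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"--- {name}: {len(result)} finding(s)")
        for severity, message in result:
            print(f"  [{severity}] {message}")
```

The weak configuration yields eight findings, four of them high severity; the hardened one yields none. The same shape of check scales to the inventory practice above: run it over the backed-up configuration of every device in the records, and the devices missing from the backups are themselves a finding.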

File integrity monitoring: This involves validating the integrity of critical files on the operating system, business applications, and so on.

Virtualization security: This is another important component that monitors the communication taking place between all virtual machines hosted on a common bare metal machine. Agent-less security services, in which scanning is performed from the hypervisor layer rather than by an agent inside every guest, reduce the performance overhead on end-user machines and servers.

A special team, which could be part of the security operations center unit, should perform malware forensics on all machines affected by an end-point breach. This helps with root cause analysis and offers a timely remediation solution.

Application security

Generally, organizations implement a mix of open source, internally developed, and commercially available applications. Some applications might not be written to strict secure coding guidelines, thereby making them vulnerable, especially when exposed to the internet. As more organizations engage customers, partners, and regulators over the internet, they are also expected to protect data by complying with regulations such as PCI DSS, HIPAA, SOX, SSAE 16, and so on. Organizations can minimize risks by having a dedicated web server for internet facing applications in a multi-tier environment, reviewing application code, and running vulnerability scans against hosted applications on a regular basis. Addressing identified vulnerabilities throughout the vulnerability management lifecycle and storing data in a protected data warehouse are also imperative to maintaining security. Identity and access management, privileged identity management, and single sign-on technologies should also be implemented to ensure that only authorized users can log in and access applications. Encryption software, database activity monitoring (DAM) solutions, and digital rights management (DRM) systems should also be used. A Web Application Firewall (WAF) is also an important security control, since many cyber-attacks exploit vulnerabilities in web applications. A WAF buys time for vulnerabilities that cannot be fixed immediately; it complements code review and remediation rather than replacing them.
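The file integrity monitoring control in the host security section above is easy to state and worth seeing in working form. The following is an added example, not code from the paper or from TCS: it records a SHA-256 digest, size and permission bits for every regular file under a directory, then diffs a later snapshot against that baseline to report added, deleted and modified files. The directory layout and file contents in demo() are constructed stand-ins for /etc and /bin, not real system files, and the tampering it simulates (a root-equivalent account appended to passwd, root SSH login enabled, a binary removed, an ld.so.preload dropped in) is chosen to show the three kinds of change the diff reports.

```python
"""File integrity monitoring with a hashed baseline (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file (relative POSIX path) to its digest, size and mode."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # symlinks are skipped here; a full FIM would record the link target too
        stat = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": sha256_file(path),
            "size": stat.st_size,
            "mode": stat.st_mode & 0o7777,  # permission bits, including setuid/setgid/sticky
        }
    return baseline


def compare(baseline, current):
    """Diff two snapshots; a change in digest, size or mode counts as modified."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "deleted": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, re-scan. Returns the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "app").write_bytes(b"\x7fELF constructed placeholder")
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was taken.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
        (root / "bin" / "app").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two deployment points that the example leaves out on purpose: the baseline must be stored (and ideally signed) somewhere the monitored host cannot write, otherwise an intruder with root simply re-baselines after the change; and the scan should run from a trusted schedule with its own report forwarded to the log management platform, so that the absence of a report is itself visible to the operations center.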
A hybrid approach to data center security

As the hosted data center model gives way to cloud services, organizations will need to adopt a hybrid data center security approach. While the primary goal is achieving security at all layers of the OSI model, there are some additional factors that must be considered. Implementing a layered security approach requires the security solution hosted within a traditional data center, cloud add-on solutions, and the base security services provided by the public cloud service provider. Figure 2 illustrates the approach to implementing a hybrid data center security model.

Figure 2: A hybrid data center security approach (diagram not reproduced; its labels are summarized here). Requests from on-premise and remote users pass through a cloud add-on solution (remote VPN, AV, DLP, malware forensics, encryption/tokenization, proxy, IAM, gateway security, email security, user role based authentication and authorization) and the base security services of the public cloud (email security, encryption, access control, firewall/VPN, IPS, data segregation, AV/HIPS, MFA), and reach the hosted data center/private cloud (proxy, WAF, DDoS protection, application servers, service catalog server). The hosted side lists network security, host security, app security and data security controls: firewall, antivirus, WAF, IPS, HIPS, XML gateway, PKI, FIM, code review, VPN/MFA, app whitelisting, web-app scanning, IAM & SSO, encryption, DLP/DRM, tokenization, DAM/DAF. Logs from all tiers feed SIEM, forensics, and compliance & GRC.

Gearing up for a more secure future

The modern data center is evolving constantly, with organizations embracing the cloud and virtualization at a rapid pace. This new environment demands a completely new level of security, which older platforms may no longer be able to address. Operations and security will have to collaborate to respond to the growing threat of cyber-crime. Organizations will need to look beyond standard firewalls to respond to the new layers of risk and support different types of services. With the proliferation of distributed technologies, new security solutions will have to be flexible, robust, and a lot more agile so that organizations can effectively, efficiently, and continuously address their security objectives.

About TCS' Enterprise Security and Risk Management Unit

Leveraging our rich experience in enterprise security, TCS helps global enterprises across verticals manage risks, ensure regulatory compliance, proactively protect critical information assets against emerging threats, achieve resilience, and recover rapidly from security incidents. TCS has a successful track record of executing numerous engagements globally, delivering domain integrated security solutions fully aligned with clients' objectives. Our global service infrastructure, including the shared services Security Operations Center (SOC) and Forensics Labs, backed by the capabilities of our certified security consultants, makes TCS a strategic partner of choice for nearly half of the Fortune 500 companies. Our Security Innovation labs foster research and innovation in the field of data privacy, and have yielded multiple patents and intellectual properties in data protection and cryptographic products. We leverage our alliances with all major security vendors, including IBM, CISCO, and Oracle, to deliver end-to-end services and solutions across the security landscape, from consulting to implementation and managed services.

Contact
For more information about TCS' Enterprise Security and Risk Management (ESRM) Unit, visit: www.tcs.com
Email: Global.esrm@tcs.com

Subscribe to TCS White Papers
TCS.com RSS: http://www.tcs.com/rss_feeds/pages/feed.aspx?f=w
Feedburner: http://feeds2.feedburner.com/tcswhitepapers

About Tata Consultancy Services (TCS)

Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT and IT-enabled infrastructure, engineering and assurance services. This is delivered through its unique Global Network Delivery Model, recognized as the benchmark of excellence in software development.

A part of the Tata Group, India's largest industrial conglomerate, TCS has a global footprint and is listed on the National Stock Exchange and Bombay Stock Exchange in India. For more information, visit us at www.tcs.com

All content / information present here is the exclusive property of Tata Consultancy Services Limited (TCS). The content / information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from TCS. Unauthorized use of the content / information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties. Copyright 2015 Tata Consultancy Services Limited