When ensuring information security of data centers, the most “protected” objects are:
- information resources (data);
- processes of information collection, processing, storage and transfer;
- system users and maintenance personnel;
- information infrastructure, including technical and software means of information processing, transmission and display, including
- information exchange channels, information protection systems and premises.
The most important part of development of an information security policy is construction of model of threats and violators.
What can become threat to the datacenter?
- Unfavorable events of natural, technogenic and social character
- Terrorists, criminal elements, etc.
- Dependence on suppliers, providers, partners, customers
- Malfunctions, failures, destruction, software and hardware damage
- DPC staff implementing threats to IS using legally granted rights and powers (internal IS violators)
- Datacenter staff implementing threats to IS outside of legally granted rights and authorities, as well as subjects not related to Datacenter staff, but making attempts of unauthorized access and unauthorized actions (external IS violators).
- Non-compliance with the requirements of supervisory and regulatory authorities, current legislation
Risk analysis – revealing of potential threats and estimation of scale of consequences of their realization – will help to choose correctly priority tasks which should be solved by experts in information security of the data center, to plan budgets for purchase of hardware and software means.
Ensuring security is a continuous process that includes stages of planning, implementation and operation, monitoring, analysis and improvement of the IS system. For creation of information security management systems the so called “Demining cycle” is used.
An important part of security policies is the distribution of roles and responsibilities of staff for their implementation. It is necessary to constantly reconsider policies taking into account changes of the legislation, new threats and arising protection frames. And, certainly, to bring requirements to information safety to the personnel and to carry out its training.
Some experts are sceptical about “paper” security, considering the main practical skills to resist an attempt at hacking. Real experience of work on provision of information security in banks says the opposite. IS specialists can have excellent expertise in identifying and reducing risks, but if data center personnel do not follow their instructions, everything will be in vain.
Security usually does not bring money, but only minimizes risks. Therefore, it is often treated as something disruptive and secondary. And when safety experts start to be indignant (having on that the full right), often there are conflicts with the personnel and heads of operational divisions.
Availability of industry standards and regulatory requirements helps safety personnel defend their positions in negotiations with management, and approved IS policies, regulations and rules allow them to ensure that staff meet the requirements set out there, bringing the base for often unpopular decisions.
The weakest link is human.
“Smart” CCTV systems, volume tracking sensors (acoustic, infrared, ultrasonic, microwave), RCDS reduced the risks, but did not solve all problems. These tools will not help, for example, when people with the right tools brought into the data center will “catch” something. And, as it often happens, a random hitch will bring maximum problems.
The staff also needs protection, as the person is often called the most vulnerable link in the protection system. Targeted attacks by professional criminals most often start with social engineering techniques. Such risks can be minimized by training personnel and implementing the best international practices in the field of information security.
Protecting engineering infrastructure
Traditional threats to data center operations are power failures and cooling system failures. They are already used to such threats and have learned how to deal with them.
A new trend is the widespread introduction of networked smart equipment: managed UPS, intelligent cooling and ventilation systems, a variety of controllers and sensors connected to monitoring systems.
If the data center provides services not only on the colocation model, you will have to protect the clouds. According to Check Point, last year alone, 51% of organizations around the world faced attacks on cloud structures. DDoS attacks stop business, encryption viruses demand ransom, and targeted attacks on banking systems lead to the theft of corrupt funds.
Attention to virtual environments
It is necessary to take into account the specifics of the protected object – use of virtualization means, dynamics of IT infrastructure change, interconnection of services, when a successful attack on one client can threaten neighbors’ security.
The products provided by the service model have a high degree of automation. In order not to interfere with business, no less degree of automation and horizontal scaling must have superimposed data protection means. Scaling must be provided at all levels of IS, including automation of access control and rotation of access keys. A special task is to scale the functional modules that inspect network traffic.
Data protection levels in the data center
The general approach to protection is the use of integrated, multi-layer IS systems, which include macro-segmentation at the firewall level (separating segments for different functional areas of business), micro-segmentation based on virtual firewalls or marking of traffic groups (user roles or services) defined by access policies.
The next level is to identify anomalies within and between segments. Traffic dynamics are analyzed that may indicate the presence of malicious activities such as network scans, DDoS attempts, data downloads, for example, by slicing up database files and displaying them in periodic sessions over long periods of time.
There are huge volumes of traffic inside the data center, so you need to use advanced search algorithms to detect anomalies, and without batch analysis. It’s important that not only are malware and anomalous activity signs detected, but the malware even works in encrypted traffic without decryption.
There, analysis is performed using Big Data algorithms, machine logic trees are built and anomalies are detected. The algorithms learn by themselves from the huge amount of data supplied by the global network of sensors. It is also possible to do without installing agents. Modern information security tools must be agentless and integrated into hypervisor-level operating systems.
These measures significantly reduce information security risks, but they may not be sufficient for data centers that automate high-risk production processes such as nuclear power plants.
Requirements of the regulators
Depending on the information being processed, the physical and virtualized data center infrastructures must meet different security requirements set forth in laws and industry standards.
Over the past 30 years, data center security systems have come a long way: from simple physical protection systems and organizational measures that have not lost, however, its relevance, to complex intelligent systems, which are increasingly using elements of artificial intelligence. But the essence of the approach has not changed.
The most modern technologies will not save without organizational measures and personnel training, and paper – without program and technical decisions. Safety of DPC cannot be provided once and for all, it is constant daily work on revealing of prime threats and the complex decision of arising problems.