The Great Debate this week, "Optimizing data center security: Overhaul or incremental changes?", between David Chernicoff and myself covered some interesting territory. I have great respect for David and his many years of experience in this area. He put forth some formidable arguments for incremental data center security changes. Understandably so. Small changes over a period of time is the standard method of transforming a data center—there's absolutely no arguing that. That point made me uneasy about the debate—that and the fact that David knows encyclopedia volumes more about data centers than I do. But, from my vantage point, a complete network security renovation is in order for many data centers.
Data centers have solid physical security. Anyone who's ever tried to go into one know this. Locked gates, badged access, man traps, retina scanners, and thumbprint scanners all contribute to a very serious physical security scenario. That said, I did point out that internal threats from those who have access, or from those who have temporary access, are an ongoing problem. There's little that you can do about internal threats from people who have legitimate access. You have to hope that they're honest, mature, and savory enough to do the right thing. We know that isn't always the case.
The other weak points of data center physical security are cleaning/janitorial staff and delivery people. Data center managers and staff have longed lamented the accidents and mishaps associated with cleaning staff. Generally speaking, these folks are technically untrained and can be careless around production equipment. Electric cords mysteriously come unplugged, network cables get bumped or ripped out of socket, and systems powered off. Yes, these things have all happened under my watch.
Delivery people should be escorted into a data center complex and constantly monitored during their stay. No non-employee personnel should ever be allowed to wander or drive around the facility without escort and supervision.
But the bigger problem for data centers is network security.
As I stated in the debate, single tenant data centers can enforce umbrella security policies that include patching, BIOS updates, security measures, and proper decommissioning of legacy systems. Multi-tenant data centers don't have this same capability.
For example, do data centers have a policy in place that states that legacy operating systems that are no longer supported won't be allowed on premises? Probably not. Think Windows 2000 Server, Windows 2003 Server, old Linux distributions, and any old non-supported UNIX variants here. They're vulnerable to security threats and their vulnerability creates vulnerabilities for other customers.
In the debate, I stated that most data centers are vulnerable to DDoS (Distributed Denial of Service) attacks. That is not an assertion that I invented; it's a known thing. In the report, you'll find that 71 percent of respondents to a survey stated that they've experienced DDoS attacks in the current year. There are preventative measures that can be taken, but that requires an overhaul in many cases because 36 percent of the attacks that occurred exceeded the network capacity of the entire data center.
The report also confirms my assertion that BYOD is a huge source of new threats and attacks. BYOD isn't a bad thing, but like anything that has a potential threat to business continuity, it has to be controlled and monitored.
The report compiled by Arbor Networks is an eye-opener. And if the statistics presented in it don't scare you, you don't work in or near a data center, nor do you have any stake in one. I suppose that another possibility is that you're an attacker and you're happy that data centers are exposed and vulnerable.
I didn't base all of my arguments on this single report, but it is a concrete example and well constructed report that clearly illustrates the glaring issues facing data centers.
My conclusion that data center vulnerability to DDoS, BYOD, and other attacks can only be mitigated by a rip-and-replace security overhaul seems a bit extreme, and possibly unrealistic, until you look at the data. I feel that it bears repeating that, yes, security is expensive, and yes, overhauling it is also very expensive, but business disruption, loss of data, data compromises, and brand damage are more costly.