Can $40 overalls crack the best security?
But to protect against a determined and well-informed attacker, identity management technologies have a long way to go, according to Pure Hacking penetration tester Chris Gatford.
During a social engineering penetration test, Gatford bought some AU$40 overalls, rang the datacentre manager and pretended to be the CEO of a company whose servers were located there.
"Feigning to be the CEO, I said, 'We have people coming into work on the electricity in rack four. As soon as they come in, do not let them slack off — they charge a lot of money for this work, so show them directly to the rack and ensure they get to work straight away,'" he said.
"We didn't even get asked for ID and were just wearing our $40 overalls and it was quite a successful test — we got to the server. And if you're ever standing in front of a box, it's as good as owned. Physical access means you can reset passwords and do all sorts of attacks, such as auto run CDs to install trojans. It only takes one minute to reset a Cisco switch or router to change the password and restore it back."
According to datacentre consultant David Cowell, cage design is symptomatic of security being "token" at the datacentre.
"Most security I've seen is token. People put cages around their infrastructure but the cage only goes from the floor to the ceiling. But then there is a false floor and false ceiling between two concrete slabs. You hardly ever see one where the cage goes under computer room floors. It's not done properly," he said.
But how, with virtualisation driving shared hardware, will businesses keep data separated when sharing physical server space?
"That's the big concern — how to apply security from one physical device to another," David Endler, director of security research at TippingPoint DVLabs, told ZDNet.com.au.
Pure Hacking's Gatford agreed. "When a shared system is compromised, which is usually connected to a shared switch, it doesn't affect just that customer. There's no dedicated switch for them. So you have to really hope that the host is up on their game on securing the Internet connectivity because if you compromise one box, you've got full access and can then start launching network layer attacks which affect customers connecting to that switch," he said.
But a bigger problem is looming on the horizon in the form of wireless-enabled devices, which Mikko Hyppönen, F-Secure's chief research officer, reckons will become integral to the datacentre.
"By 2020, any device — car, a switch, fridges, phones — will automatically assume that it needs to find an IP address to go online," Hyppönen told ZDNet.com.au.
"Devices can get connected too easily and it will be harder and harder to restrict. Now, you might put in a firewall, but in the future, when you're building a datacentre, there will be plenty of hardware in there," he said.
"Many of these devices might get online alone, not via switches, but wireless. These might become a problem for those who are security conscious. I can easily see a scenario where you plug in some cheap modem switch to do something simple and it will go online alone, not using cables. That would open up risk and you might see rooms being built which are shielded against radio traffic."
However, as 2020 draws closer, it looks like information will hold a higher burden of risk to organisations that host it and successive reviews of the Privacy Act will continue to keep data security at the front of businesses' minds. With the threat of ever tighter legislation around e-discovery and data loss hanging over them, 2020 could perhaps see datacentre security hitting the top of CIOs' must-do lists.