Optimizing data center security: Overhaul or incremental changes?

Moderated by Larry Dignan | June 23, 2014 -- 07:00 GMT (00:00 PDT)

Summary: Our experts take a hard look at the state of data center security.

Ken Hess: Overhaul

or

David Chernicoff: Bit by bit

Best Argument: Overhaul

Audience vote: Overhaul 38%, Bit by bit 62%

Audience Favored: Bit by bit (62%)

The moderator has delivered a final verdict.

Opening Statements

Desperate times call for desperate measures

Ken Hess: Things in IT change in one of two ways: evolution or revolution. One might believe that a logical, methodical, incremental pace is the way to fix data center security, but it isn't. Malevolent hackers, social engineers, and other data criminals don't use those techniques, so why should we do so as defenders?

But it isn't only 'over the network' attacks that need a revolutionary overhaul, it's also our data center's physical security that requires us to rethink and rebuild. For example, in multitenant data centers, external security is near military grade, but once you're allowed inside the chilly, raised floor server sanctuary, there are no such measures. Company A and Company B share those same spaces with dozens, or even hundreds, of other tenants. Shared data space isn't that uncommon and isn't necessarily a problem. The problem is that you're inside the data center, you have access to physical servers from a variety of customers, whether or not they know it.

Only a revolutionary overhaul of data center security can fix these two basic problems. An incremental approach is the wrong answer when facing these desperate times.

Don't jump into major upgrades with both feet

David Chernicoff: When security issues in your datacenter are identified, the temptation is great to rip out the offending application or system and replace it with the latest and greatest solution from your vendor of choice. But if you’re getting that urge, sit down and have a cup of coffee while you think about it. The nature of the datacenter is one of an intimate ecosystem involving multiple vendors, different classes of hardware and software, and a significant effort to get everything into homeostasis.

The wholesale replacement of even a single component of that datacenter architecture means that in many ways you are starting from scratch, especially when you are dealing with the issue of security; one that touches on so many different pieces of the environment, and where a small error in configuration can cause cascading problems that shut down users or open up your systems to attack, or potentially both. Effectively dealing with a current security problem means evaluating the impact of your changes not only on addressing existing issues but how it will impact future growth.

A careful examination of the current problems and how they can be addressed while keeping an eye on the future means not jumping into major upgrades with both feet. A careful, considered approach of well-planned upgrades and efficient modifications to your security model will allow you to maintain a flexible and effective security infrastructure with minimal negative impact on your users.

Talkback

14 comments
  • Too vague / situational . . .

    "Optimizing data center security: Overhaul or incremental changes?"

    The question as stated seems too vague and general to be answered.

    Whether you need to overhaul things or just make incremental changes tends to be situational. Was the system built with security in mind to begin with? Is the system modular enough for the desired changes? Is there a lot of legacy code that may need to be rewritten? How large of a rewrite would we be talking about, and how expensive would it be?

    To me, the very nature of this question tends to be highly situational. I don't think it's something that can really be answered in a generalized context.

    I guess we'll see where the conversation goes.
    CobraA1
    Reply 274 Votes I'm Undecided
    • "The cloud" is data centers

      "Should we just end this debate...

      ... and tell everyone to go cloud and forget about it?"

      "The cloud" is data centers too, lest we forget. For all I know, when you say "data center," you could very well be talking about Amazon's or Microsoft's or Google's or any number of "cloud" providers. They have to be concerned about this stuff as much as anybody else who runs a data center.

      No, "the cloud" is not a magical collection of fairy dust. It too runs on actual machines at actual data centers, and is subject to the same questions.
      CobraA1
      Reply 249 Votes I'm Undecided
      • Correct

        Pushing your data to the cloud just means you're delegating management to an outside firm, which probably doesn't care nearly as much about the security of your data as you do.
        John L. Ries
        Reply 259 Votes I'm Undecided
      • the cloud ???? LOL

        the biggest (at least one of them) misconceptions out there !!!!! you are right..."cloud" = "data center" !!!!!! no difference
        neal tech
        Reply Vote I'm Undecided
  • Have a Cup of Coffee?

    While David is having his cup of coffee (just to think about it), his datacenter is probably being torn apart. We had monitored the network interfaces and hackers are attempting to gain access at the rate of 100s of attempted attacks per hour. True, you have to be careful but, if your system is not secure, you might as well shut down your applications. That way, at least the fines won't cost you tens of millions of dollars (depending on governance of your data).
    hforman@...
    Reply 243 Votes I'm for Overhaul
  • Strictly situational.

    I'm pretty sure Target is going through an overhaul.

    How much of that overhaul gets watered down by the time it gets to the grunts is the question. From their point of view, it might actually be a bit-by-bit change, whereas from the management point of view things are being radically changed.

    For most things, I believe an overhaul is needed.

    The problem starts with acquisition... If security is not considered a primary function, there will only be a patchwork security available. Not reliable, not secure, and just as vulnerable as most sites are now.
    jessepollard
    Reply 250 Votes I'm for Overhaul
  • Depending on your situation.

    If your data center security is good to great, then step-by-step is good. But if your data center is stuck in the dial-up era, then you will need an overhaul of the security. Each one of these methods has its advantages & drawbacks, and you will need to determine whether one or a mix of the two helps your security situation.
    As for an overhaul of the security, it takes a longer time to implement, since it will require compatibility checks and testing for a period of time to get it working properly before it gets implemented, and that is where the bit-by-bit part comes in: you implement the most crucial parts first and then implement other parts later. For the budget conscious, the bit-by-bit method is the best way, as opposed to having a large budget outlay as in the overhaul method. However, the overhaul method is good if you have the budget & could implement all of the systems at once.
    Again, it depends on your situation.
    phatkat
    Reply 266 Votes I'm Undecided
  • In the end...

    ...the system has to serve the needs of users who need to get their work done; thus if you tear everything out and start all over again, you force people to learn a whole new way of computing which can be highly damaging to productivity in the short term and may even prompt a rash of "do it yourself" (the inevitable result of a loss of confidence in the computing staff), which will make security worse, not better.

    The other problem is that overhauls tend to be put off until an opportune moment, which might never come; incremental things can be done quickly and they tend to add up.

    There is occasionally a good reason for a complete overhaul of the system, but not very often.
    John L. Ries
    Reply 245 Votes I'm for Bit by bit
  • the issue goes into the roots of o/s design

    one should go back to the Tanenbaum/Torvalds debate to understand the roots of the issue. Read Bruce Schneier: "Complexity is the Enemy of Security". study history: what were these systems designed to do? read the news: 2014 is on track to be the Biggest Year yet for Hackers. if you are already running an o/s with better security then turn to your CMS and DB software: does this stuff only run programs you have set up and checked out or will it run anything a hacker throws at it? remember: a hacker is going to put the CMS or DB on a debugger and step through it, examining every crack in the fence... ...

    a band-aid ain't gonna help.
    Mike~Acker
    Reply 264 Votes I'm Undecided
    • Nobody was suggesting band-aids

      And making sure the security is right on the programs being run suggests the incremental approach rather than the overhaul. There may be times when a radical reworking is necessary, but most of the time, all that is required is to make sure proper protocols exist and are followed; and that security measures be properly tested (to include penetration testing) and fixed when they fail.

      An overhaul probably isn't necessary. A proactive staff working to properly secure the data and educating their users on safe computing practices definitely is.
      John L. Ries
      Reply 226 Votes I'm Undecided