Optimizing data center security: Overhaul or incremental changes?

Moderated by Larry Dignan | June 23, 2014 -- 07:00 GMT (00:00 PDT)

Summary: Our experts take a hard look at the state of data center security.

Ken Hess: Overhaul

David Chernicoff: Bit by bit

Best Argument: Overhaul

Audience vote: Overhaul 38%, Bit by bit 62%

Audience Favored: Bit by bit (62%)

Closing Statements

Only a rip-and-replace

Ken Hess

David and I agree that data center security is a problem. Where we differ is in the approach to remedy that problem. I believe that any change you can make to a data center should be done incrementally, except for security: only a rip-and-replace overhaul of data center security. Data centers have historically had excellent physical security, but have fallen tragically behind in network security.

Over-the-network attacks, such as DDoS attacks, are but one area of vulnerability for today's data centers. To mitigate network attacks, data centers need to replace old hardware with new, smart devices and better monitoring and alerting. With individuals and businesses moving to cloud computing and cloud storage, data centers need to move quickly.

Attackers don't attack incrementally, nor do they plan their attacks over several months' time. They attack in bursts and en masse. Only an overhaul of network security and constant vigilance can combat these attacks. A methodical approach to security will only make the problem worse, not better. An overhaul is expensive and labor-intensive, but you have to weigh those costs against the cost of a single data breach. The costs to customers, to a company's brand, and to the data center itself are too great to use any other approach to the problem.

Unfortunately, data center customers are far too vulnerable and are far too important to incrementally protect them from existing and upcoming threats. I've heard the analogy that to eat an elephant, you have to do it one bite at a time. But that analogy doesn't work with outdated security, because attackers have already seized the elephant and have gathered a herd behind it. Only a complete data center security overhaul can stop the stampede from breaking down the door.

 

An ongoing process

David Chernicoff

One thing that Ken and I agree on is that the root cause of many security issues is Soylent Green; that is, people. And getting people to change their behavior is almost always an incremental process. People don’t like change and the more significant the change is, the more resistant they tend to be. But this has been an issue for IT as long as there has been an IT department to complain to, and not one limited to data center issues.

While I firmly believe that careful incremental changes are the safe way to update your data center security model to provide minimal disruption to your primary task of getting business done, there will always be situations, such as a massive breach of your security or the discovery of fundamental flaws in your security protocols, that require wholesale changes. But this should be the exception, rather than the rule.

Security is an ongoing process, which should constantly be under evaluation with proactive changes and adaptations being made to keep your data center ahead of those who wish you harm. Needing to do a sudden, major overhaul to your security means that, in most cases, you have failed to provide the level of security that you should have already been providing, be it IT security or physical security.

Incremental change is the norm, but...

Larry Dignan

Although I happen to think that incremental change is the norm for data centers---you're not going to easily rid yourself of legacy investments---Ken Hess had the better arguments. David Chernicoff fared well, but Ken had a more rounded argument and gets the win. 

Talkback

14 comments
  • Too vague / situational . . .

    "Optimizing data center security: Overhaul or incremental changes?"

    The question as stated seems too vague and general to be answered.

    Whether you need to overhaul things or just make incremental changes tends to be situational. Was the system built with security in mind to begin with? Is the system modular enough for the desired changes? Is there a lot of legacy code that may need to be rewritten? How large of a rewrite would we be talking about, and how expensive would it be?

    To me, the very nature of this question tends to be highly situational. I don't think it's something that can really be answered in a generalized context.

    I guess we'll see where the conversation goes.
    CobraA1
    Reply 274 Votes I'm Undecided
    • "The cloud" is data centers

      "Should we just end this debate...

      ... and tell everyone to go cloud and forget about it?"

      "The cloud" is data centers too, lest we forget. For all I know, when you say "data center," you could very well be talking about Amazon's or Microsoft's or Google's or any number of "cloud" providers. They have to be concerned about this stuff as much as anybody else who runs a data center.

      No, "the cloud" is not a magical collection of fairy dust. It too runs on actual machines at actual data centers, and is subject to the same questions.
      CobraA1
      Reply 249 Votes I'm Undecided
      • Correct

        Pushing your data to the cloud just means you're delegating management to an outside firm, which probably doesn't care nearly as much about the security of your data as you do.
        John L. Ries
        Reply 259 Votes I'm Undecided
      • the cloud ???? LOL

        the biggest (at least one of them) misconceptions out there !!!!! you are right..."cloud" = "data center" !!!!!! no difference
        neal tech
        Reply Vote I'm Undecided
  • Have a Cup of Coffee?

    While David is having his cup of coffee (just to think about it), his datacenter is probably being torn apart. We had monitored the network interfaces and hackers are attempting to gain access at the rate of 100s of attempted attacks per hour. True, you have to be careful but, if your system is not secure, you might as well shut down your applications. That way, at least the fines won't cost you tens of millions of dollars (depending on governance of your data).
    hforman@...
    Reply 243 Votes I'm for Overhaul
  • Strictly situational.

    I'm pretty sure Target is going through an overhaul.

    How much of that overhaul gets watered down by the time it gets to the grunts is the question. From their point of view, it might actually be a bit-by-bit change, whereas from the management point of view things are being radically changed.

    For most things, I believe an overhaul is needed.

    The problem starts with acquisition... If security is not considered a primary function, there will only be a patchwork security available. Not reliable, not secure, and just as vulnerable as most sites are now.
    jessepollard
    Reply 250 Votes I'm for Overhaul
  • Depending on your situation.

    If your data center security is good to great then step-by-step is good. But if your data center is stuck in the dial-up era then you will need an overhaul of the security. Each one of these methods has its advantages & drawbacks and you will need to determine whether either one or a mix of the two helps your security situation.
    As for an overhaul of the security, it takes a longer time to implement since it will require compatibility and testing for a period of time to get it to work properly before it gets implemented, and that is where the bit-by-bit part comes in: you implement the most crucial parts first and then implement other parts later. For the budget conscious, the bit-by-bit method is best way as to to have large budget outlay as in the overhaul method. However, the overhaul method is good if you have the budget & could implement all of the systems all at once.
    Again, it depends on your situation.
    phatkat
    Reply 266 Votes I'm Undecided
  • In the end...

    ...the system has to serve the needs of users who need to get their work done; thus if you tear everything out and start all over again, you force people to learn a whole new way of computing which can be highly damaging to productivity in the short term and may even prompt a rash of "do it yourself" (the inevitable result of a loss of confidence in the computing staff), which will make security worse, not better.

    The other problem is that overhauls tend to be put off until an opportune moment, which might never come; incremental things can be done quickly and they tend to add up.

    There is occasionally a good reason for a complete overhaul of the system, but not very often.
    John L. Ries
    Reply 245 Votes I'm for Bit by bit
  • the issue goes into the roots of o/s design

    one should go back to the Tanenbaum/Torvalds debate to understand the roots of the issue. Read Bruce Schneier: "Complexity is the Enemy of Security". study history: what were these systems designed to do? read the news: 2014 is on track to be the Biggest Year yet for Hackers. if you are already running an o/s with better security then turn to your CMS and DB software: does this stuff only run programs you have set up and checked out or will it run anything a hacker throws at it? remember: a hacker is going to put the CMS or DB on a debugger and step through it, examining every crack in the fence... ...

    a band-aid ain't gonna help.
    Mike~Acker
    Reply 264 Votes I'm Undecided
    • Nobody was suggesting band-aids

      And making sure the security is right on the programs being run suggests the incremental approach rather than the overhaul. There may be times when a radical reworking is necessary, but most of the time, all that is required is to make sure proper protocols exist and are followed; and that security measures be properly tested (to include penetration testing) and fixed when they fail.

      An overhaul probably isn't necessary. A proactive staff working to properly secure the data and educating their users on safe computing practices definitely is.
      John L. Ries
      Reply 226 Votes I'm Undecided