Overhauling data center security for the good of all


Summary: This week's Great Debate put David Chernicoff and me into the virtual ring to discuss optimizing data center security either with an overhaul or with incremental changes. I took the overhaul side, but not without reservation.


The Great Debate this week, "Optimizing data center security: Overhaul or incremental changes?", between David Chernicoff and me covered some interesting territory. I have great respect for David and his many years of experience in this area. He put forth some formidable arguments for incremental data center security changes. Understandably so. Small changes over a period of time are the standard method of transforming a data center—there's absolutely no arguing that. That point made me uneasy about the debate—that and the fact that David knows encyclopedia volumes more about data centers than I do. But, from my vantage point, a complete network security renovation is in order for many data centers.

Data centers have solid physical security. Anyone who's ever tried to get into one knows this. Locked gates, badged access, man traps, retina scanners, and thumbprint scanners all contribute to a very serious physical security posture. That said, I did point out that internal threats from those who have access, or from those who have temporary access, are an ongoing problem. There's little that you can do about internal threats from people who have legitimate access. You have to hope that they're honest, mature, and scrupulous enough to do the right thing. We know that isn't always the case.

The other weak points of data center physical security are cleaning/janitorial staff and delivery people. Data center managers and staff have long lamented the accidents and mishaps associated with cleaning staff. Generally speaking, these folks are technically untrained and can be careless around production equipment. Power cords mysteriously come unplugged, network cables get bumped or ripped out of the socket, and systems get powered off. Yes, these things have all happened under my watch.

Delivery people should be escorted into a data center complex and constantly monitored during their stay. No non-employee personnel should ever be allowed to wander or drive around the facility without escort and supervision.

But the bigger problem for data centers is network security.

As I stated in the debate, single tenant data centers can enforce umbrella security policies that include patching, BIOS updates, security measures, and proper decommissioning of legacy systems. Multi-tenant data centers don't have this same capability.

For example, do data centers have a policy in place that states that legacy operating systems that are no longer supported won't be allowed on premises? Probably not. Think Windows 2000 Server, Windows 2003 Server, old Linux distributions, and any old non-supported UNIX variants here. They're vulnerable to security threats and their vulnerability creates vulnerabilities for other customers.

In the debate, I stated that most data centers are vulnerable to DDoS (Distributed Denial of Service) attacks. That is not an assertion that I invented; it's a known thing. In the Arbor Networks report I cited, you'll find that 71 percent of respondents to a survey stated that they've experienced DDoS attacks in the current year. There are preventative measures that can be taken, but in many cases that requires an overhaul, because 36 percent of the attacks that occurred exceeded the network capacity of the entire data center.


The report also confirms my assertion that BYOD is a huge source of new threats and attacks. BYOD isn't a bad thing, but like anything that has a potential threat to business continuity, it has to be controlled and monitored.

The report compiled by Arbor Networks is an eye-opener. And if the statistics presented in it don't scare you, you don't work in or near a data center, nor do you have any stake in one. I suppose that another possibility is that you're an attacker and you're happy that data centers are exposed and vulnerable.

I didn't base all of my arguments on this single report, but it is a concrete example and a well-constructed report that clearly illustrates the glaring issues facing data centers.

My conclusion that data center vulnerability to DDoS, BYOD, and other attacks can only be mitigated by a rip-and-replace security overhaul seems a bit extreme, and possibly unrealistic, until you look at the data. I feel that it bears repeating that, yes, security is expensive, and yes, overhauling it is also very expensive, but business disruption, loss of data, data compromises, and brand damage are more costly.

Topics: Security, Data Centers, Data Management

About

Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.


Talkback

9 comments
  • What exactly are you proposing?

    Chest thumping doesn't convey solutions. The security flaws outlined exist throughout the tech industry and are not exclusive to data centers. Some of the best propeller-heads in the world couldn't stop data from becoming compromised over at the NSA. What makes you think non-tech corporate giants even have a chance at security nirvana? They have to be forced kick and screaming just to implement current best practices.

    What needs overhauling are the insecure network protocols and standards. We're in the "modern age" and still relying on legacy standards to connect devices to remote servers. You can't force people to upgrade their servers or follow best practices, so you need to attack the security problems before they even hit the Internet. It's the inherent insecurity of the peer-to-peer network paradigm which is aged, broken and leads to the never-ending security breaches.
    Tired Tech
    • Nonsense.

      Such centralized control is a single point of failure.

      "attack the security problems before they even hit the Internet"

      GOOD idea. So get rid of your Windows systems and get a SECURE PLATFORM to start with.

      "inherent insecurity of the peer-to-peer network"....

      So you would prefer the single point of failure? Without peer-to-peer you get no throughput at all.

      Your actual thinking is based in the 60's. Get into the 21st century.
      jessepollard
      • Awaiting Solutions

        Just like the author, indignation with no solutions put forward.

        "So get rid of your Windows systems and get a SECURE PLATFORM.."

        Red herring which is indeed nonsense. Not applying best practices for any OS makes them inherently insecure. Kernels can't save administrators from their own inherent stupidity.

        "Your actual thinking is based in the 60's"

        My point exactly. The Internet we use today is based on trust models from the 60's and 70's which have been broken for the past two decades.
        Tired Tech
        • No.

          Your "trust models" are platforms ATTACHED to the internet.

          Has nothing to do with the internet itself.

          And the only broken platform has been Windows.

          Even applying "best practices" doesn't cure the problem. It helps, but doesn't fix. It has been inherently insecure for the last 3 decades.

          BTW, the Internet has existed far longer than two decades - and with few security problems (not none, though) until Windows was added.
          jessepollard
          • In addition...

            You cannot "secure the internet".

            Only the hosts that you choose to connect to the internet can be secured.

            The trust model cannot go beyond what you yourself can trust and control. And that cannot include the connections between machines, unless you also can control the wires...

            Unfortunately, MS (like many proprietary vendors) makes it impossible to trust Windows to be secure.
            jessepollard
  • security starts in the kernel

    You must protect the operating software from unauthorized modification FIRST.

    Tweaking won't help. You must use an O/S that does not allow unauthorized programming changes.

    SECOND: the pen & ink procedures we used on paper based systems are inadequate in a digital network. we must learn to AUTHENTICATE all critical communications which includes anything dealing with money or software.

    Solutions are available and have been now for some time.
    Mike~Acker
    • DNSSec and HTTPS

      Both have been around, it seems, forever, yet neither is mandatory. Politics for one, and the other is financially based. Heck, HTTPS could be done tomorrow if the industry would just stop charging for it. Upfront revenue on the balance sheet looks sweet, yet no one takes into account the amount of people-hours lost supporting all their other customers who don't have it. ISPs might actually save money by making HTTPS free.
      Tired Tech
      • And IPSec has been around since about 1995

        Yet it still isn't being used.

        Strictly politics and money... the only things that have stopped security.
        jessepollard