Just when you thought it was safe to enter the data centre

Always assume the horse has bolted

It is surprising that thieves don’t target data centres more often. All that expensive kit and copper is worth a pretty penny, not to mention all the data that’s on it.

Several BT exchanges have been hit, along with facilities owned by C&W. But of course, thieves don’t always need to get in to wreak havoc: data centres can be hacked.

So how can we secure our data centres against theft, and how can we maintain reliability by avoiding denial-of-service attacks?

Let’s start by assuming that security is an illusion. This idea seems to work well for the National Security Agency (NSA), one of the most secretive spook agencies in the US.

To catch a thief

Last year, Deborah Plunkett, director of the NSA’s Information Assurance Directorate, said the organisation works on the basis that its systems are already compromised. Accordingly, it makes constant adjustments to its many internal components.

So whether you are talking physical or digital security, you should assume that your data centre has already been infiltrated. That means building security from the inside out.

For physical security, it means taking precautions to protect specific components, while also addressing issues such as the location and architecture of the building.

How tall are the cages holding your critical racks? Could an intruder get inside or do they go right to the ceiling? How easy is it to monitor who comes in and out? Is tailgating likely?

As for the building’s design and location, you want to be sure that no one can simply drive up and ram their way into the data centre.

Cause for alarm

Then consider your building policies. Does setting off a fire alarm cause all the security doors in the building to open? Could an attacker hide in the toilets and raid the place during a fire drill?

Outside the building, think about your telco and electrical links. Apart from reliability (you should have two connections to electrical and telco providers, preferably entering on opposite sides of the building), what about access to critical cables? If your Fibre Channel or copper lines run through a duct accessible through metal covers on the street, then you could be subject to a denial-of-service attack – or even interception.

Processes too are important. If you put your backup tapes unencrypted in a hallway for a courier to pick up, then you are placing your data at risk. Also, consider how people entering the building are identified. Are staff taught to question anyone who isn’t wearing a pass?

Many penetration testers would have been stopped from placing their business card on a server as proof of intrusion by this simple procedural measure. And how thoroughly are you vetting your staff? What about your third-party suppliers’ staff, such as security guards?

Logical data protection is a key issue. Protecting data from theft is always a challenge, but treating your data like your building can help. The Jericho Forum’s approach of deperimeterisation does away with the usual “ring of iron”, where a single, hardened security layer protects the computing infrastructure from the outside world.

Instead, it protects individual assets within the organisation’s architecture. That way, even if attackers make it past the first set of defences, they still have to crack further layers of protection.

The placing of sensors inside the logical infrastructure (probably an intrusion detection or prevention system) is something the NSA openly recommends as a means of picking up on suspicious activity within the system. Like most logical security measures, this can be mirrored by, say, CCTV cameras that watch for unauthorised entry.
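The two ideas above, per-asset protection instead of a single perimeter, and sensors inside the infrastructure to catch what gets past the first layer, can be illustrated together. The following is an added example, not code from the article or from any of the organisations it mentions: each inventoried asset carries its own allow-list of which internal networks may reach which ports, and an internal flow log (the constructed lines below stand in for what a sensor in the server network would see) is audited against those per-asset policies. All hosts, networks and log lines are constructed for the example.

```python
"""Per-asset access policy plus an internal flow audit (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permitted (source network, destination port) pair for an asset."""
    src_net: ipaddress.IPv4Network
    dport: int


@dataclass(frozen=True)
class Asset:
    """An individually protected asset with its own allow-list (its own 'layer')."""
    name: str
    ip: ipaddress.IPv4Address
    rules: tuple


# Constructed inventory. Each asset has its own policy, so getting past the
# outer perimeter does not by itself grant access to the database.
ASSETS = {
    ipaddress.ip_address("10.0.50.10"): Asset(
        "db-01", ipaddress.ip_address("10.0.50.10"),
        (
            Rule(ipaddress.ip_network("10.0.20.0/24"), 3306),  # web tier may reach MySQL
            Rule(ipaddress.ip_network("10.0.10.0/24"), 22),    # only the admin jump net may SSH
        ),
    ),
    ipaddress.ip_address("10.0.20.15"): Asset(
        "web-01", ipaddress.ip_address("10.0.20.15"),
        (Rule(ipaddress.ip_network("10.0.0.0/16"), 443),),     # HTTPS from any internal net
    ),
}

# Constructed flow records, in the shape a simple internal sensor might emit.
SAMPLE_FLOWS = [
    "2013-09-12T10:01:02Z src=10.0.20.15 dst=10.0.50.10 dport=3306 proto=tcp",  # web -> db: allowed
    "2013-09-12T10:01:05Z src=10.0.20.15 dst=10.0.50.10 dport=22 proto=tcp",    # web -> db SSH: not allowed
    "2013-09-12T10:01:09Z src=10.0.90.7 dst=10.0.50.10 dport=3306 proto=tcp",   # unknown host -> db: not allowed
    "2013-09-12T10:02:00Z src=10.0.10.3 dst=10.0.50.10 dport=22 proto=tcp",     # jump host -> db SSH: allowed
    "2013-09-12T10:02:30Z src=10.0.20.15 dst=10.0.60.4 dport=445 proto=tcp",    # not an inventoried asset: skipped
    "malformed line with no fields",                                           # ignored by the parser
]

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_flow(line):
    """Return (src, dst, dport) from one flow line, or None if it does not parse."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m.group(1)),
            ipaddress.ip_address(m.group(2)),
            int(m.group(3)))


def is_permitted(asset, src, dport):
    """True if some rule on the asset allows this source network and port."""
    return any(src in r.src_net and r.dport == dport for r in asset.rules)


def permitted(dst_ip, src_ip, dport):
    """String-based convenience wrapper around is_permitted for one flow."""
    asset = ASSETS.get(ipaddress.ip_address(dst_ip))
    if asset is None:
        return False
    return is_permitted(asset, ipaddress.ip_address(src_ip), dport)


def audit_flows(lines):
    """Return (asset name, source, port) for every flow that breaks an asset's policy."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport = flow
        asset = ASSETS.get(dst)
        if asset is None:
            continue  # destination is not an inventoried asset; out of scope for this check
        if not is_permitted(asset, src, dport):
            alerts.append((asset.name, str(src), dport))
    return alerts


if __name__ == "__main__":
    for name, src, dport in audit_flows(SAMPLE_FLOWS):
        print(f"ALERT {name}: {src} -> port {dport} violates the asset's policy")
```

The point of keying the policy by destination asset rather than by a single border rule set is that a host inside the web tier still cannot open an SSH session to the database, and a sensor that knows the per-asset policy can raise that as an alert the moment the attempt shows up in internal flow data, which is exactly the inside-out monitoring the assume-compromise stance calls for.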

“Security in the cloud is not good enough”

Virtualisation can complicate the issue by mixing lots of people’s data on one system. Simon Neal, services director at data centre firm The Bunker, says he would never propose multi-tenanted hosting services for the firm’s clients.

“Security in the cloud is not good enough,” he insists.

Standards such as ISO 27001 can provide some guidance to data centre security, although they are broader in scope and focus on more generic organisational security. TIA 942 focuses mainly on redundancy but has some relevance to security.

Evenin' all

SAS 70, which was often used as a means of evaluating data centre security, is gradually being phased out in favour of the American Institute of Certified Public Accountants’ Service Organisation Control audits.

In the end, data centre security is a mixture of technology and process. Throwing firewalls and anti-intrusion devices at the problem won’t be enough to solve it. Good old-fashioned service governance (think ITIL or Cobit), along with common-sense security measures (don’t just let any caller in who claims to be a police officer), is crucial to keeping things locked down.

Even then, don’t count on 100 per cent security. If the NSA doesn’t, why should you? ®
