How many
times did you leave your wallet at a park bench or public transport and slept
soundly knowing your money is in public domain? I guess not a lot of times. Why
is that when our most important health records, personal information and
financial information reside in an un-named data center we do not care and
assume it is safe secured by security experts?
The true picture is far more dire and
perilous. Data center operators are struggling with rapidly changing data
center architecture, declining budgets to hire security experts, ancient
perimeter firewall security and non-existent micro-segmentation inside the data
center network. DC operators need to
protect the high volume east-west traffic using virtual firewalls while
protecting the north-south traffic and intra-dc traffic via non-virtual, high
end perimeter firewalls.
Given below
are some methods we can use to secure our data within a data center;
1. Redundant data links within a
data-center which is fully covered by virtual firewalls.
2. Traffic between tenants should not
hit edge gateway routers. But should be directed internally from tenant to
tenant. Used by VMware NSX and Cisco ACI micro-segmentation solutions
3. Virtual firewalls should be scale up
and down depending upon amount of traffic.
4. Use traditional security like VLAN’s
to segment workloads according to job function.
5. There should be limited or no traffic
between different tenants within a data center.
6. Firewall rules for both edge and tenant
firewalls need to be intelligent and integrated with real time threat feeds.
The age of static signature based firewalls is almost at an end.
7. Compliance and Security policies
should be set on who can connect and have access to the data center.
8. The data center should have a one
pane view on all attacks successful or unsuccessful on the data center.
9. The data center should have separate
data paths for backup and continuity of operations solutions.
10. The data center should have
remediation policies in place.
11. The data center operator should
enable data encryption both per workload and on data residing at rest.
12. Workloads should always be encrypted
while they are moved from one city to another or from one continent to another.
13. Hard drives should remain encrypted
and non-useable in case of physical access and theft by insiders.
14. Servers should need to have TPM
secured startups preventing supply chain attacks.
15. Data centers need to be located in
secure locations and access granted to valid small list of employees.
16. Vendors and non-employees should not be
granted access and escorted at all times in case of need.
17. Regular scans to detect rogue
wireless access points and no photography and cell use should be permitted
within a data center.
18. Data center personal should be vetted
and have continuous monitoring to prevent against exploitation by criminal
gangs.
The items detailed above are just a starting
point of looking at how we can ensure our personal life data and information is
secured in the cloud. As our personal lives become more digital, the dangers of
our identity being stolen becomes more real as we have no control on how fast
our personal information moves around the world travelling from one data center
to another. Data center operators typically move virtualized work-loads to
various data centers around the world in matter of seconds. A virtualized
server with all our credit card information is routinely moved from Singapore
data center to Northern California data center while we sleep. It is important to
understand how our data is stored and what kind of security safeguards are
being taken to protect our data. Ignorance is bliss is not an option
anymore.
No comments:
Post a Comment