Sunday, July 31, 2016
It is personal: When your life resides in a data center
How many times did you leave your wallet at a park bench or public transport and slept soundly knowing your money is in public domain? I guess not a lot of times. Why is that when our most important health records, personal information and financial information reside in an un-named data center we do not care and assume it is safe secured by security experts?
The true picture is far more dire and perilous. Data center operators are struggling with rapidly changing data center architecture, declining budgets to hire security experts, ancient perimeter firewall security and non-existent micro-segmentation inside the data center network. DC operators need to protect the high volume east-west traffic using virtual firewalls while protecting the north-south traffic and intra-dc traffic via non-virtual, high end perimeter firewalls.
Given below are some methods we can use to secure our data within a data center;
1. Redundant data links within a data-center which is fully covered by virtual firewalls.
2. Traffic between tenants should not hit edge gateway routers. But should be directed internally from tenant to tenant. Used by VMware NSX and Cisco ACI micro-segmentation solutions
3. Virtual firewalls should be scale up and down depending upon amount of traffic.
4. Use traditional security like VLAN’s to segment workloads according to job function.
5. There should be limited or no traffic between different tenants within a data center.
6. Firewall rules for both edge and tenant firewalls need to be intelligent and integrated with real time threat feeds. The age of static signature based firewalls is almost at an end.
7. Compliance and Security policies should be set on who can connect and have access to the data center.
8. The data center should have a one pane view on all attacks successful or unsuccessful on the data center.
9. The data center should have separate data paths for backup and continuity of operations solutions.
10. The data center should have remediation policies in place.
11. The data center operator should enable data encryption both per workload and on data residing at rest.
12. Workloads should always be encrypted while they are moved from one city to another or from one continent to another.
13. Hard drives should remain encrypted and non-useable in case of physical access and theft by insiders.
14. Servers should need to have TPM secured startups preventing supply chain attacks.
15. Data centers need to be located in secure locations and access granted to valid small list of employees.
16. Vendors and non-employees should not be granted access and escorted at all times in case of need.
17. Regular scans to detect rogue wireless access points and no photography and cell use should be permitted within a data center.
18. Data center personal should be vetted and have continuous monitoring to prevent against exploitation by criminal gangs.The items detailed above are just a starting point of looking at how we can ensure our personal life data and information is secured in the cloud. As our personal lives become more digital, the dangers of our identity being stolen becomes more real as we have no control on how fast our personal information moves around the world travelling from one data center to another. Data center operators typically move virtualized work-loads to various data centers around the world in matter of seconds. A virtualized server with all our credit card information is routinely moved from Singapore data center to Northern California data center while we sleep. It is important to understand how our data is stored and what kind of security safeguards are being taken to protect our data. Ignorance is bliss is not an option anymore.