Locking Down the Data Center of Tomorrow

By Kevin Beaver, CISSP
Founder and principal consultant - Principle Logic, LLC
4430 Wade Green Rd., Suite 180
Kennesaw, GA 30144
[email protected]
www.principlelogic.com

Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

Kevin Beaver

• Information security consultant, author and trainer
• 15+ years of IT/security experience
• Specialize in security incident response, security assessments, network security, and security policy and strategy development
• Author of the upcoming book Ethical Hacking for Dummies by John Wiley and Sons
• Co-author of the new book The Practical Guide to HIPAA Privacy and Security Compliance by Auerbach Publications
• Author of the new book The Definitive Guide to E-mail Management and Security by Realtimepublishers.com
• Regular columnist and information security/HIPAA advisor for SearchSecurity.com, SearchMobileComputing.com, ITSecurity.com, and HCPro’s Briefings on HIPAA newsletter
• Hold CISSP, MCSE, MCNE and IT Project+ certifications
• Bachelor’s in Computer Engineering Technology from Southern Polytechnic State University and Master’s in Management of Technology from Georgia Tech

What We’ll Cover

• Current state of data center security
• The convergence of information and physical security
• Security technologies and practices required for the successful convergence of physical and information security
• Skills required of security professionals
• What to expect in the coming years
• Resources

Current State of Data Center Security

• Where everything security related comes together
  – Network, applications, physical
• Enable consolidation of information systems management and security within a controlled environment
• Heightened sense of criticality since 9/11
• There’s a lot of good security, but there’s also a lot of bad
  – Not necessarily as secure as they claim to be

What is Physical Security?

• Protection of people and physical property
• Traditional physical security involved guards, locks, keys, etc. – this is changing
• Physical security in buildings, including data centers, is becoming increasingly dependent on technical systems for control and monitoring

Physical and Information Security Risks

• Increase of insider threats
• Someone walking off with a laptop, server, software installation disks, etc.
• Malicious outsider gaining access to the data center
  – To obtain passwords
  – To install a network analyzer
• Malicious insider gaining access to CDs, tapes, hard copies of network diagrams or password lists

Past Paradigm

• Security to protect corporate assets is technology based
  – Firewalls
  – Intrusion detection
• Security systems typically found in discrete areas
  – Not across the organization
• Different security departments doing different things
  – Has resulted in various inconsistencies in meeting security policy requirements

…Past Paradigm

• Security has been seen as a roadblock to overall organization effectiveness in the past
  – Both physical and information security can be combined and now seen as a business enabler supporting the organization’s mission and goals

Physical Security, meet Information Security

• Data center security is more than just protecting IT assets
  – We’re now moving towards protecting enterprise assets
• The most valuable corporate assets are virtual
  – Electronically and in the minds of employees
• Many corporate assets are housed in critical data centers
• Physical security is established and mature for the most part
  – Information security is still in its infancy

…Physical Security, meet Information Security

• There are emerging governmental requirements forcing the collaboration of physical and information security
• Security management of the data center continues to be fragmented
• After many years of separation and strife, the two practices are coming together – especially in the data center environment

Similarities

• The goal of both is to keep the bad guys out and the “good” guys honest
• Each one uniquely contributes to the organization’s bottom line
• Both require:
  – Identification of assets
  – Classification of assets
  – Assessment of risks
  – Implementation of countermeasures
  – Incident response expertise

Demands of Physical and Information Security

• An ever-increasing skill set required for security leaders, managers and doers
  – Keeping up with the latest technologies
  – Understanding how to effectively respond to incidents
• Money
• Technology and computers
• Effective policies and procedures
• Layered protection – defense-in-depth

…Demands of Physical and Information Security

• Authorization – need-to-know basis
• Authentication
• Accountability
• Audit
• Destruction policies and procedures
• Ongoing awareness
• A good balance of security vs. convenience
• Both (especially infosec) are requiring stronger ties with law enforcement than ever before

You Must Find a Balance

• If you have a network that’s secure but a data center building that’s not
OR
• If you have a data center building that’s secure and a network that’s not
  – They will defeat the purpose of each other

The Simple Truth

• Need more than just a guard and locked doors
• Need more than just firewalls and IDSs
• Security must be tightly integrated with every organizational function
• You can’t force the two different departments to work well together – must give business reasons and incentives
• Must balance the requirements of both physical and information security

Where We’re Headed

• Decentralization of data centers and corporate assets
• Tighter integration between physical and information security equipment
• The design goals of newer technologies will help support convergence of physical and information security
• Systems will be easier to use, making data center technology implementation, collaboration and change management simpler

…Where We’re Headed

• The convergence of the two types of security will help further the information security cause
  – Management has always bought into physical security
  – It’s now becoming more apparent that information security is a critical element as well
• Smaller computing devices such as PDAs, 1U servers, cell phones and laptops are just getting smaller, leading to more physical security issues
  – Nanotechnology devices both inside and associated with data centers are increasing the demand for physical and information security convergence

…Where We’re Headed

• Prevention vs. protection
• Increased responsibilities on everyone’s part
• Reduced costs, but possible increase in risks

Emerging Trends

• Enhanced biometric systems
• Increase in the number of uses of biometrics to facilitate both physical and information security in the data center
• Increased usage of identity management solutions
• Perimeter control has been – and will be even more so – the job of both physical and information security professionals

…Emerging Trends

• Need for greater physical and information security of wireless components within data centers
• Storage and management issues associated with RFID data
• Defense-in-depth will be even more important

…Emerging Trends

• Enhanced monitoring
  – Power, air and server conditions
  – Access controls
• Will require more human involvement
  – In the form of awareness, policies and procedures
• Increased use of temp/contract workers
  – Need to include these people in security policies and procedures

…Emerging Trends

• Open Security Exchange (OSE)
• OSE-compliant products from vendors
• More data center involvement from large vendors
• Development of data center education initiatives by the Association for Computer Operations Managers (AFCOM) and Marist College
• Overall, the merger of the two will have a huge impact on organizations, employees, users and the industry as a whole

CSOs of the Future

• CSOs manage data centers among other things
• Role is still being defined
• Need a strong leader in this role
• Business and technical expertise
• Must build relationships with business managers
• Has authority within the organization to create and enforce security policies

…CSOs of the Future

• Ability to influence security-aware culture in and around the data center
• See CSO Magazine’s State of the CSO report for more insight – www.csoonline.com/csoresearch/report56.html

A Few More Tips

• A security-aware culture will buy your data center more protection than all other efforts combined
• Policies and procedures should be integrated between physical and information security systems for the data center whenever possible
  – With management support, of course

…A Few More Tips

• CISO and IT-only types may only be interested in information security
  – If so, s/he might not be the best fit for a CSO or director of data center security position
• A wise security officer (physical or information) will stay abreast of both
• If you’re not sure about the physical security, contact some experts on it

Resources

• Open Security Exchange – www.opensecurityexchange.com/info/summary.htm
  – Physical Security Bridge to IT Security (PHYSBITS) Framework
    • www.opensecurityexchange.com/downloads/white_paper.pdf
• AFCOM – www.afcom.com
• ISC2 Certified Information Systems Security Professional (CISSP) and ISSAP concentration – www.isc2.org
• ASIS Certified Protection Professional (CPP) – www.asisonline.org/certification/cpp/index.xml
• CSO job description – www.csoonline.com/research/executive/description.html

…Resources

• Physical security tips – www.techarch.state.ar.us/indexes/publications/physical.pdf

Closing Thoughts

• The physical security market is very strong now and it will take time for the two areas of security to successfully merge
• It will be impossible to ensure solid information security of the data center without the proper physical security controls – and vice versa
• It’s essential to ensure that data is available after a disaster
  – This can only be possible when information and physical security systems and personnel work together

…Closing Thoughts

• Security initiatives driven from the bottom up usually aren’t effective
• Haphazard combination of physical and information security can cause more problems than it solves
• A more secure data center can increase customer comfort level, helping to maintain customers and even drive more business

Questions?

You can submit your questions to Kevin by clicking on the Ask a Question link on the lower left corner of your screen.

Thank you

Thank you for participating in this SearchSecurity.com webcast. If you have comments or suggestions for future webcasts, please e-mail the moderator at [email protected]