
Securing the Future with Next-Generation Data Center Security

White Paper

Prikshit Goel

Prikshit Goel heads the Center of Excellence (CoE) for Managed Security Services within the Enterprise Security and Risk Management business unit at Tata Consultancy Services (TCS). He focuses on providing security and IT infrastructure solutions to clients. Goel has 15 years of experience in the IT space with a focus on Information Security and Networks. He has a B.E. in Electronics and Communication Engineering (Honors). He also holds many industry certifications such as PMP, Cisco CCNP and CCNA, ITIL, BAC, CEH, and ACS and has trained in security products such as RSA, Symantec, Palo Alto, and Cisco across various layers.

Kamal Dhamija

Kamal Dhamija is a Security Solution Architect in the Managed Security Services Center of Excellence (CoE) at Tata Consultancy Services (TCS). The CoE is part of the Enterprise Security and Risk Management business unit and is responsible for providing security solutions to customers. Dhamija has over seven years of experience in network security, information security, pre-sales, and technical support for complex heterogeneous environments. He has a Bachelor's degree in Engineering, with a specialization in Computer Science. He also holds numerous technical certifications such as ISO 27001 LA, ITIL, and RSA Archer.

Data center security is crucial for every modern business in this digital information age. When used carefully and appropriately, information can be transformed into knowledge for developing strategy, facilitating key business decisions, and running day-to-day operations. The data center, which forms the core component through which almost all data flows, must therefore be resilient and secure. Data center security entails maintaining the confidentiality, integrity, and availability of data.

With data centers having undergone significant transformation over time, data center security is very different from what it was years ago. For instance, while the traditional data center provided raw computing resources, next-generation data centers need to be responsive, service-oriented providers of IT as a utility. Today, organizations also use a tiered approach to categorize data center services based on the availability of data.

Additionally, a traditional data center had a limited number of internet breakout points, so data coming from outside could only enter the data center through those points. Today, however, an organization's data resides at various locations, sites, and devices, making it imperative for data centers to be available 24x7x365 to support employees, partners, and vendors. This makes securing the data even more difficult. In fact, data center security has become similar to defending a castle or securing an airport from external threats.

This paper offers a high-level overview of the key trends and technologies that are shaping today's data centers, and their impact on data center security. It also provides a framework for achieving next-generation data center security.

Contents

1. Ramping up data center security: key technology trends and challenges
2. A framework for next-gen data center security
3. A hybrid approach to data center security

Ramping up data center security: key technology trends and challenges

Many organizations have merged their data centers in order to reduce the overall cost of data center implementation and maintenance. This has helped reduce IT and process complexity, enhance resource utilization and productivity, and improve process performance and consistency, while pruning costs. Such consolidation centralizes information in fewer locations, which gives organizations the opportunity to address security more efficiently and build a sturdier IT security posture.

Emerging technologies also have a fundamental impact on how security is designed and deployed within the data center. While virtualization helps reduce costs, optimize resources, and speed up business operations, it also introduces new security threats. Similarly, cloud services may offer faster provisioning and deployment but require stronger security controls to protect the organization from external threats. It also becomes challenging to achieve visibility into the communication between virtual machines hosted on the same physical machine, since that traffic never crosses a physical network link, making it harder to monitor and secure the environment.

With organizations generating huge volumes of data, Big Data analytics is also putting increasing pressure on data centers and their security. The emergence of mobility has allowed employees to access and use data across devices to perform daily operational tasks, compelling organizations to rethink their approach to data center security. In such an environment, merely implementing security controls is not enough to meet the need for heightened data center security. Organizations need to address challenges such as increased network complexity and the enforcement of access control through proper authorization. Ensuring regulatory and security compliance with respect to specific business security needs, and preventing data leaks through the increased number of data exit points, is also critical. Managing logs is another important area of focus, especially for consolidated, hosted data centers that receive logs from various geographies, where timestamps recorded in local time must be reconciled before events from different sites can be correlated.
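As an added example (not part of the paper), the Python script below shows the timestamp problem that consolidated log management runs into: RFC 3164 syslog lines carry local time with no time zone, so each device's site must be known before events from different geographies can be placed on one timeline. The hostnames, site offsets, and log lines are constructed for illustration; a real collector would take the device-to-site mapping from the asset inventory rather than from a dictionary.

```python
"""Normalize syslog lines from data centers in different time zones to UTC.

Constructed example: RFC 3164-style lines carry a local timestamp with no
time zone, so a consolidated SOC has to know where each device lives before
it can order events from several sites on one timeline.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed mapping of device hostnames to the UTC offset (hours) of the site
# whose local clock they log in. A real deployment would take this from the
# asset inventory (device name, owner, installed location) rather than a dict.
SITE_UTC_OFFSET_HOURS = {
    "fw-sgp-01": 8,   # Singapore
    "fw-fra-02": 2,   # Frankfurt, summer time
    "fw-nyc-03": -4,  # New York, summer time
}

# Constructed sample lines: the same source address probing SSH at three sites.
SAMPLE_LOGS = [
    "<131>Jun 11 21:25:44 fw-nyc-03 accept tcp 203.0.113.7:51955 -> 10.3.1.20:22",
    "<132>Jun 12 03:20:10 fw-fra-02 deny tcp 203.0.113.7:51901 -> 10.2.1.20:22",
    "<134>Jun 12 09:15:02 fw-sgp-01 deny tcp 203.0.113.7:51822 -> 10.1.1.20:22",
]

# PRI in angle brackets, "Mon dd hh:mm:ss" (day may be space-padded), hostname, message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def normalize(line: str, year: int) -> dict:
    """Parse one line and return its fields with the timestamp converted to UTC."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    host = m.group("host")
    if host not in SITE_UTC_OFFSET_HOURS:
        # An unknown device means an inventory gap: refuse rather than guess a zone.
        raise ValueError(f"no site/time zone recorded for device {host!r}")
    pri = int(m.group("pri"))
    # RFC 3164 timestamps omit the year; the collector supplies it.
    local_naive = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    site_tz = timezone(timedelta(hours=SITE_UTC_OFFSET_HOURS[host]))
    utc = local_naive.replace(tzinfo=site_tz).astimezone(timezone.utc)
    return {
        "utc": utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "facility": pri // 8,   # PRI = facility * 8 + severity
        "severity": pri % 8,
        "msg": m.group("msg"),
    }


def consolidate(lines: list[str], year: int) -> list[dict]:
    """Return the events from all sites ordered on a single UTC timeline."""
    return sorted((normalize(line, year) for line in lines), key=lambda e: e["utc"])


if __name__ == "__main__":
    for event in consolidate(SAMPLE_LOGS, year=2015):
        print(event["utc"], event["host"], f"sev={event['severity']}", event["msg"])
```

Read in the order the lines arrived, the New York event looks earliest and the Singapore event latest; once normalized to UTC, the same address is seen probing SSH at Singapore, Frankfurt, and New York a few minutes apart, which is the pattern a SOC analyst would want to correlate. Refusing lines from devices with no site record is deliberate: silently assuming a zone would place those events on the wrong part of the timeline.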

A framework for next-gen data center security

An organization’s data center security approach must be tailored to meet its needs. Customized security tools should be implemented to support decision making. The ideal security team should comprise experienced security analysts, risk and compliance managers, and dedicated service delivery managers for ensuring smooth service delivery. Figure 1 depicts a framework for ‘next-gen’ data center security.

Let’s take a look at the components that make up this next-gen data center security framework. Security governance, the security operations center, and the security architecture envelop all the security layers, which the framework organizes in the manner of the layered Open System Interconnection (OSI) model. Together they provide security assurance for the next-generation data center by ensuring the confidentiality, integrity, and availability of organization, employee, and customer information.

Security governance – improving compliance and mitigating risks

Compliance and security standards are among the top priorities and, at the same time, the hardest to implement and maintain with respect to data center operations. Neglecting security governance could expose the organization to operational, financial, and reputational risks. Security governance ensures that the information security approach supports business objectives and risk management, while adhering to applicable compliance standards. Effective security governance needs to be real-time and part of the overall corporate governance model. Sponsorship from management is also important, since it facilitates role assignment, division of responsibilities, and the allocation of ownership. Senior management from the IT function must be included as part of the organizational sub-structure to oversee the security mandate.

Figure 1: A framework for next-gen data center security. Elements shown in the figure:

Security Governance: Security Strategy, Security Policy, Risk Management, Audit & Compliance, Penetration Testing

Security Operation Center: Security Events Monitoring, Incident Management, Log Management, Vulnerability Management, Malware Forensics

Security layers and their controls:
- Network Security: Firewall/VPN/OTP, IPS, PKI, Proxy/Reverse Proxy, Email Security
- Host Security: Anti-Malware, FIM, HIPS, WAF/App Whitelisting, Endpoint DLP, Virtualization Security
- Application & Data Security: IAM/SSO, Encryption, DLP, DRM, DAM

Deployment models: Private Cloud, Public Cloud, Hosted Data Center

Security Enablers: ISO 27000 Framework, Best of Breed Technologies, Certified Resources, ITIL Based Delivery, Integrated Delivery Model


Security operations center – leveraging the right expertise and tools

Many organizations today lack a security operations center due to limited access to skilled IT security staff and tools. In addition, several diverse security technologies exist, and as a result, a significant amount of time is spent on operational tasks such as patch management and firewall rule changes.

Designing and implementing an effective security operations center requires the support of certified professionals who are experienced in operating and managing security tools and technologies on a regular basis. As shown in Figure 1, the security operations center encompasses incident management and remediation, vulnerability and log management, security event monitoring, malware forensic analysis, and troubleshooting of security devices.

Security architecture design – aligning business strategy with the security plan

Designing the security architecture is a multi-phased endeavor. The security architecture is heavily influenced by what an organization is trying to achieve. Hence, the ideal first step is to understand the organization’s business strategy for a specific duration. For example, whether an organization is expanding its cloud-based solutions, extending its mobile applications across multiple geographies, or modifying its existing application deployment model, these decisions shape the IT infrastructure deployment, which in turn shapes the security architecture. The next step involves evaluating the data center’s current security posture. This can be achieved by gathering and analyzing information about network and security devices to identify vulnerabilities within the operating system, network, and device configuration. Vulnerability assessments are performed by in-house security experts or external security consultants, typically combining automated scanning with manual validation of the results. Such assessments should be complemented by penetration testing as well as internal and external audits of policy compliance.

A detailed analysis of the data center’s current security posture and infrastructure is likely to expose possible gaps. These gaps can be filled either by using security solutions to make changes within the existing IT infrastructure or by modifying the security deployment architecture. With the improved security posture as a base, organizations can remap their upcoming projects to align business strategy with the data center security plan.

Security enablers – supporting the security architecture

Security enablers are the practices and resources that must be in place while securing next-generation data centers. Organizations should follow the ISO 27000 framework and deploy best-of-breed technologies when designing their security architecture. Personnel certified in data center security can provide insights into potential security threats and how to mitigate them. ITIL-based delivery, along with an integrated delivery model that provides the right compliance information, is also important. Additionally, these enablers help maintain the balance between security controls and operating expenses, while taking into account the existing IT infrastructure and deployment architecture.

A holistic security strategy with layered security controls

In order to secure their data centers, organizations can no longer depend on a traditional security approach that focuses on protection at the network perimeter alone. Once the network is breached, attackers can move freely to systems and data within the compromised network. Organizations therefore need a holistic strategy that secures all the components of the IT environment at each layer of the security stack, so that if one layer is compromised, other layers continue to protect corporate data. With organizational data residing in various locations, data centers, and devices, multiple security technologies need to be deployed so that every layer is covered. The different security layers are explained in the following sections.

Network security

A layered approach for data center security starts with the network. This is because almost every physical appliance in today’s world has an IP address and is connected to a network. Moreover, most security attacks either start at the network layer or eventually touch the network layer at some given point during an attack.

A network identity solution improves security at the network layer and provides user- or role-based access and device-based profiling. The default password should be changed on every asset: servers, laptops, network and security appliances, and so on. Any default user account created during server initialization or installation must be deleted. Services that are not required should be disabled, and unused ports should be blocked on every system and network appliance. Placing servers that hold sensitive data in internal zones behind the Demilitarized Zone (DMZ), rather than in the DMZ itself, further enhances security. These zones are secure segments of the corporate network, and access to them can be controlled through tiered firewalls.

Here are seven other best practices for enhancing the security of network devices:

- Maintain detailed records on every network device, including device name, type, owner, installed location, serial number, and service tag.
- Assign static IP addresses to all management interfaces of the network devices, add their records to the domain name server, and track them in the IP address management solution.
- Apply patches and security updates to the firmware of all network devices regularly.
- Back up every network configuration regularly, and confirm that the configuration can be restored from these backups.
- Include every network device in regular vulnerability scans to identify potential threats to the network.
- Restrict switch ports so that users cannot connect their own network devices or place interfaces into promiscuous mode.
- Analyze every security violation proactively.
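Several of the points above (default accounts and passwords, default SNMP community strings, unneeded services, static management addresses, and restricted management access) can be checked mechanically against device configurations before they are deployed or backed up. The following is an added example, not part of the paper or any vendor tool: a Python audit script that parses a constructed Cisco IOS-style configuration into command blocks and reports each hardening point that fails, then returns no findings for a hardened version of the same configuration. The hostnames, addresses, community string, and credentials are constructed for illustration.

```python
"""Audit an IOS-style device configuration against common hardening points.

Added example. The configuration syntax follows Cisco IOS conventions; both
configurations below are constructed and do not come from any real device.
"""

# Constructed: a switch left close to factory state.
WEAK_CONFIG = """\
hostname dc-core-sw1
ip http server
service tcp-small-servers
snmp-server community public RO
username admin privilege 15 password 0 cisco
interface Vlan1
 ip address dhcp
 no shutdown
line vty 0 4
 transport input all
 password cisco
 login
"""

# Constructed: the same switch after applying the practices listed above.
HARDENED_CONFIG = """\
hostname dc-core-sw1
no ip http server
ip http secure-server
service password-encryption
snmp-server community Zq7-mgmt-ro RO 10
username netops privilege 15 secret netops-str0ng-pw
interface Vlan1
 ip address 10.20.30.5 255.255.255.0
 no shutdown
line vty 0 4
 transport input ssh
 access-class 10 in
 login local
"""

DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
DEFAULT_ACCOUNTS = {"admin", "cisco", "root"}
DEFAULT_PASSWORDS = {"cisco", "admin", "password"}
UNNEEDED_SERVICES = {
    "ip http server", "service tcp-small-servers", "service udp-small-servers", "ip finger",
}


def parse_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Split a config into (top-level command, indented sub-commands) blocks."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and IOS comments
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())  # indented: belongs to the last block
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []
    for head, body in parse_blocks(config):
        tokens = head.split()
        if head in UNNEEDED_SERVICES:
            findings.append(f"unneeded service enabled: '{head}'")
        elif tokens[:2] == ["snmp-server", "community"] and len(tokens) > 2:
            if tokens[2].lower() in DEFAULT_SNMP_COMMUNITIES:
                findings.append(f"default SNMP community string in use: {tokens[2]}")
        elif tokens[0] == "username" and len(tokens) > 2:
            user, secret = tokens[1], tokens[-1]
            if user.lower() in DEFAULT_ACCOUNTS or secret.lower() in DEFAULT_PASSWORDS:
                findings.append(f"default or well-known credential on account '{user}'")
            if "password" in tokens:  # 'password' keyword stores a reversible form
                findings.append(f"account '{user}' uses a reversible password; use 'secret'")
        elif tokens[0] == "interface":
            if "ip address dhcp" in body:
                findings.append(f"{head}: management address assigned by DHCP; assign a static IP")
        elif tokens[:2] == ["line", "vty"]:
            transports = [line.split()[2:] for line in body if line.startswith("transport input")]
            if not transports or any(proto != ["ssh"] for proto in transports):
                findings.append(f"{head}: cleartext or unrestricted management transport; use 'transport input ssh'")
            if not any(line.startswith("access-class") for line in body):
                findings.append(f"{head}: no access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

The checks are deliberately syntactic, so the same script can run over the configuration backups already being taken, which turns the backup step above into a recurring audit rather than a one-time review.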

Host security

Host level security generally includes malware protection or anti-virus solutions, host intrusion prevention, device control, and end-point Data Loss Prevention (DLP). Application control software complements these by blocking unauthorized applications and preventing users from modifying the operating system registry.

End-point security: In most organizations, employees often access the internet from outside the office. Therefore, a host based content filtering solution should be deployed on every laptop and desktop to minimize the security risk. Updating all end-point security servers and client applications regularly is also critical. End-point control and compliance solutions check end-point devices against policy so that deviations can be uncovered, analyzed, and remediated before they lead to failed audits or misleading intelligence on security threats.


File integrity monitoring: This involves validating the integrity of critical files on the operating system, business applications, and so on.
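As an added example, not from the paper, the following Python script implements the core of file integrity monitoring: it records a SHA-256 digest and the permission bits of every regular file under a root directory, and later reports files that were added, removed, or modified. The directory tree and the tampering it detects (a weakened sshd setting, a deleted account file, a new cron entry, and a setuid bit on a binary) are constructed inside a temporary directory; the paths, file contents, and the `demo` function are illustrative assumptions.

```python
"""Minimal file integrity monitor: hash a tree, keep the baseline, diff later.

Added example. It monitors a temporary directory that the demo populates
itself; a real deployment would baseline /etc, /bin and the application
directories and keep the baseline off-host.
"""
import hashlib
import stat
import tempfile
from pathlib import Path

# relative path -> (sha256 hex digest, permission bits incl. setuid/setgid/sticky)
Baseline = dict[str, tuple[str, int]]


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, streamed so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> Baseline:
    """Record content hash and permission bits for every regular file under root."""
    baseline: Baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # links are skipped; their targets are hashed under their own path
        mode = stat.S_IMODE(path.lstat().st_mode)
        baseline[path.relative_to(root).as_posix()] = (hash_file(path), mode)
    return baseline


def compare(old: Baseline, new: Baseline) -> dict[str, list[str]]:
    """Classify changes between two baselines; a mode-only change still counts as modified."""
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo() -> dict[str, list[str]]:
    """Baseline a constructed tree, tamper with it the way an intruder might, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "bin").mkdir()
        app = root / "bin" / "app"
        app.write_bytes(b"\x7fELF" + b"\x00" * 60)  # constructed stand-in for a binary
        app.chmod(0o755)
        before = build_baseline(root)

        # Simulated tampering: weakened sshd policy, deleted account file,
        # new cron persistence, and a setuid bit added to an existing binary.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "passwd").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/.x\n")
        app.chmod(0o4755)

        return compare(before, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Comparing permission bits as well as content is what catches the setuid change, which leaves the file's hash untouched. In production the baseline should be stored and signed off-host, since an intruder with write access to the monitored system could otherwise rewrite it to match the tampered files.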

Virtualization security: This is another important component that monitors the communication taking place between all virtual machines hosted on a common bare metal machine, traffic that never reaches a physical network appliance. Agentless security services, which run at the hypervisor level instead of inside every guest, avoid per-machine agent overhead and so improve the performance of end-user machines and servers. A special team, which could be part of the security operations center, should perform malware forensics on all machines affected by an end-point breach. This helps with root cause analysis and enables timely remediation.

Application security

Generally, organizations implement a mix of open source, internally developed, and commercially available applications. Some applications might not be written to strict secure coding guidelines, thereby making them vulnerable, especially when exposed over the internet. As more organizations engage customers, partners, and regulators over the internet, they are also expected to protect data by complying with regulations and standards such as PCI DSS, HIPAA, SOX, SSAE 16, and so on.

Organizations can minimize risks by having a dedicated web server for internet-facing applications in a multi-tier environment, reviewing application code, and running vulnerability scans against hosted applications on a regular basis. Addressing identified vulnerabilities throughout the vulnerability management lifecycle and storing data in a protected data warehouse are also imperative to maintaining security.

Identity and access management, privileged identity management, and single sign-on technologies should also be implemented to ensure that only authorized users can log in and access applications. Encryption software, database activity monitoring (DAM) solutions, and digital rights management (DRM) systems should also be used. A Web Application Firewall (WAF) is another important security control, since many attacks target vulnerabilities in web applications.

A hybrid approach to data center security

As the hosted data center model gives way to cloud services, organizations will need to adopt a hybrid data center security approach. While the primary goal remains security at every layer of the stack, some additional factors must be considered. Implementing a layered security approach in this model means combining the security solutions hosted within the traditional data center, cloud add-on solutions, and the base security services provided by the public cloud service provider. Figure 2 illustrates the approach to implementing a hybrid data center security model.


Gearing up for a more secure future

The modern data center is evolving constantly, with organizations embracing the cloud and virtualization at a rapid pace. This new environment demands a completely new level of security, which older platforms may no longer be able to address. Operations and security will have to collaborate to respond to the growing threat of cyber-crime. Organizations will need to look beyond standard firewalls to respond to the new layers of risk and support different types of services. With the proliferation of distributed technologies, new security solutions will have to be flexible, robust, and a lot more agile so that organizations can effectively, efficiently, and continuously address their security objectives.

Figure 2: A hybrid data center security approach. Elements shown in the figure:

Users: on-premise users and remote users send requests; user role-based authentication and authorization is applied before requests reach the application servers, and internet access requests pass through a proxy.

Public Cloud: Application Servers; Service Catalog Server; Base Security Services provided by the cloud provider (Email Security, Firewall/VPN, AV/HIPS, IPS, MFA, Encryption; Access Control, Data Segregation, VM); logs are forwarded to the hosted data center.

Cloud Add-on Solution: Proxy, IAM, DLP, Remote VPN.

Hosted DC/Private cloud: IAM & SSO, Compliance & GRC, SIEM, Forensics, Encryption/Tokenization, Malware Forensics, AV.

Layered security controls:
- Gateway Security: Email Security, WAF, Proxy, DDoS protection
- Network Security: Firewall, IPS, PKI, VPN/MFA
- Host Security: Antivirus, HIPS, FIM, App Whitelisting
- App Security: WAF, XML Gateway, Code Review, Web-App Scanning
- Data Security: Encryption, DLP/DRM, Tokenization, DAM/DAF


All content / information present here is the exclusive property of Tata Consultancy Services Limited (TCS). The content / information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from TCS. Unauthorized use of the content / information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties. Copyright © 2015 Tata Consultancy Services Limited


About Tata Consultancy Services (TCS)

Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT and IT-enabled infrastructure, engineering and assurance services. This is delivered through its unique Global Network Delivery Model™, recognized as the benchmark of excellence in software development. A part of the Tata Group, India’s largest industrial conglomerate, TCS has a global footprint and is listed on the National Stock Exchange and Bombay Stock Exchange in India.

For more information, visit us at www.tcs.com


About TCS' Enterprise Security and Risk Management Unit

Leveraging our rich experience in enterprise security, TCS helps global enterprises across verticals manage risks, ensure regulatory compliance, proactively protect critical information assets against emerging threats, achieve resilience, and recover rapidly from security incidents.

TCS has a successful track record of executing numerous engagements globally, delivering domain-integrated security solutions fully aligned with clients' objectives. Our global service infrastructure, including the shared services Security Operations Center (SOC) and Forensics Labs, backed by the capabilities of our certified security consultants, makes TCS a strategic partner of choice for nearly half of the Fortune 500 companies.

Our Security Innovation labs foster research and innovation in the field of data privacy, and have yielded multiple patents and intellectual properties in data protection and cryptographic products. We leverage our alliances with all major security vendors, including IBM, CISCO, and Oracle, to deliver end-to-end services and solutions across the security landscape, from consulting to implementation and managed services.

Contact

For more information about TCS’ Enterprise Security and Risk Management (ESRM) Unit, visit: www.tcs.com
