TEN YEARS AGO, few could have predicted that by 2014 the world would generate data on today’s colossal scale, that a new social media environment would emerge, or that the “Internet of Things” would integrate intelligent devices with intelligent IT.
However, this data growth brings with it an ever-growing responsibility to protect the information. In recent years we have seen an evolution in infrastructure and storage to support these new trends, for both the business community and consumers, which has driven innovation in how data can and should be protected. Companies and individuals are responsible for securing and protecting all this data, and whilst great strides have been made to ensure that information is protected from external threats, it is often humans who remain the weakest link in the security chain. Whether through malicious intent or inadvertent carelessness, even the most sophisticated technology can be rendered useless if sensitive information gets into the wrong hands through human error, so data centre providers must take a multi-step approach to security.
If you are looking to a third-party provider to host your data, it is essential to seek absolute clarity on what security measures are in place at both the logical and the physical level. World-class data centres have a number of sophisticated controls to ensure systems remain protected, including physical security controls such as cameras and biometric access systems, and may then offer managed services that deliver logical controls at the network level, such as firewalls, intrusion detection or DoS mitigation. At the OS level, operating systems have become more secure and more sophisticated anti-virus software is now available, whilst threats at the application level can be mitigated in a number of ways; for example, intelligent web application firewalls can be implemented. These are clever enough to learn the normal traffic patterns for an application, and if they encounter traffic outside the defined “normal” parameters, the firewall can automatically block the problem traffic before damage is done.
Sitting on top of these tools and systems are defined processes and best practice, including industry-specific compliance standards such as PCI, HIPAA and FISMA, and broader frameworks for protecting data such as ISO, SSAE16 and ISMS. But despite developments in tools, systems and process, new threats continue to emerge, and organisations need to stay on alert to remain one step ahead of those external threats.
Much of the focus on the human link in the data centre security chain is on protecting networks from outsiders, but the “insider threat” continues to pose a significant risk. “Rogue insiders” already have access to systems and can often avoid tripping the alarms that might otherwise signal an attack. In a 2013 survey by Forrester Research, 25 percent of respondents said that abuse by a malicious insider was the most common cause of data breaches. Recognising the sources of these threats is one thing, but being able to deal with them is quite another. However, there are several practical steps data centre managers can take.
Many data centre providers take advantage of the new levels of sophistication in algorithms for encryption, which can provide another layer of protection, should outsiders gain access to data. However, appropriate measures need to be in place in order to ensure that rogue insiders do not get access to encryption keys – which would invalidate even the most sophisticated encryption systems.
As well as encrypting data both at rest and in transit, it is important to capture all the information about data access attempts, both legitimate and illegitimate. This allows privileged users to do their jobs in a climate of transparency, whilst also acting as a deterrent to unauthorised access.
Multi-factor authentication is now more widespread, with multiple checks taking place at the physical level; for example, passwords together with fingerprint or retinal scans and personal data can be incorporated as an additional measure. In some instances a phone factor is used, where a message is sent to a phone to ensure that the password is received by the correct individual. This can be strengthened further by authorisation based on least privilege, intrusion detection and notification, and restrictive access controls: measures that are of paramount importance when securing data.
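The three controls just described (keeping rogue insiders away from encryption keys, logging every access attempt whether allowed or denied, and authorisation based on least privilege with notification) can be combined in one small gate. The code below is an added illustration, not from the article or any vendor; the roles, permissions, user names and events are constructed.

```python
"""Least-privilege gate in front of an encryption-key store: every request is
authorised against a role, and every outcome, allowed or denied, is written to
an audit log that a review routine uses to flag users for notification."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role-to-permission mapping: only the key custodian may touch keys.
ROLE_PERMISSIONS = {
    "key_custodian": {"key:read", "key:rotate"},
    "dba": {"data:read", "data:write"},
    "visitor": set(),
}


@dataclass
class AuditEntry:
    when: datetime
    user: str
    role: str
    action: str
    allowed: bool


@dataclass
class KeyStoreGate:
    audit_log: list = field(default_factory=list)

    def request(self, user: str, role: str, action: str, when=None) -> bool:
        """Authorise `action` for `user` under least privilege; log the outcome either way."""
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        stamp = when or datetime.now(timezone.utc)
        self.audit_log.append(AuditEntry(stamp, user, role, action, allowed))
        return allowed


def flag_repeated_denials(log, threshold=2):
    """Users with at least `threshold` denied attempts: candidates for an
    intrusion-detection notification to the security team."""
    denied = {}
    for entry in log:
        if not entry.allowed:
            denied[entry.user] = denied.get(entry.user, 0) + 1
    return sorted(user for user, count in denied.items() if count >= threshold)


def demo():
    """Constructed sequence: a DBA probing the key store twice gets flagged."""
    gate = KeyStoreGate()
    gate.request("alice", "key_custodian", "key:read")
    gate.request("bob", "dba", "data:read")
    gate.request("bob", "dba", "key:read")    # denied: outside bob's role
    gate.request("bob", "dba", "key:rotate")  # denied again
    return gate, flag_repeated_denials(gate.audit_log)
```

The denied entries remain in the log alongside the allowed ones, which is what gives privileged users transparency and gives reviewers something to act on.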
Another way in which data centres can reduce the risk from rogue insiders is to eliminate the generic visitor pass. Although this can seem a low-tech measure, it is key that security measures are equally stringent at the physical level and are not ignored or viewed as less important. With a unique visitor pass, everyone entering the data centre is uniquely identified by a photograph placed on their visitor badge. This is supplemented with key information about the individual and their role, and the badge is also time-stamped, so the visitor is unable to reuse it at another time, pass it on to someone else, or stay beyond their permitted time slot.
Ultimately, data centres must take a multi-level approach to security. The goal of this approach is to meet compliance and specific legal requirements, and to stay one step ahead of the risk posed by rogue employees as well as external threats. With the right tools and approach, data centre employees will be able to perform their tasks of maintaining, repairing and protecting systems while satisfying real security needs. Whilst it is essential that the industry continues to develop technologies that hold up against external threats, companies must also insure against the threat of insider damage.
Using the multi-level security approach, we can create numerous opportunities to proactively detect, deter, and effectively deal with potential insider threats.