Data center information security

This is what the monitoring center of the NORD-2 data center in Moscow looks like

You have read more than once about the measures taken to ensure information security (IS). Any self-respecting IT specialist can easily name 5-10 IS rules. Cloud4Y invites you to talk about the information security of data centers.

When ensuring the information security of a data center, the main objects to be protected are:

  • information resources (data);
  • processes of collection, processing, storage and transmission of information;
  • system users and maintenance personnel;
  • information infrastructure, including hardware and software for processing, transmitting and displaying information, including information exchange channels, information security systems and premises.

The data center's area of responsibility depends on the service model provided (IaaS/PaaS/SaaS). The picture below shows how this looks:

The scope of the data center security policy depending on the service model provided

The most important part of developing an information security policy is building a model of threats and violators. What can pose a threat to a data center?

  1. Adverse natural, man-made and social events
  2. Terrorists, criminal elements, etc.
  3. Dependence on suppliers, providers, partners, customers
  4. Failures, malfunctions, destruction and damage of software and hardware
  5. Data center employees who implement IS threats using the rights and powers legally granted to them (internal IS violators)
  6. Data center employees who implement IS threats outside the rights and powers legally granted to them, as well as entities not related to the data center personnel, but attempting unauthorized access and unauthorized actions (external IS violators)
  7. Non-compliance with the requirements of supervisory and regulatory authorities, current legislation

Risk analysis - identifying potential threats and assessing the extent of the consequences should they materialize - helps choose the right priorities for data center information security specialists and plan budgets for purchasing hardware and software.

Ensuring security is a continuous process that includes the stages of planning, implementation and operation, monitoring, analysis and improvement of the information security system. To build an information security management system, the so-called "Deming cycle" (plan-do-check-act) is used.

An important part of security policies is the distribution of roles and responsibilities among personnel for their implementation. Policies should be reviewed constantly to reflect changes in legislation, new threats and emerging defenses. And, of course, information security requirements must be communicated to the staff, and the staff must be trained.

Organizational arrangements

Some experts are skeptical about "paper" security, considering the main thing to be the practical ability to resist a hacking attempt. Real experience of ensuring information security in banks suggests the opposite. Information security specialists may have excellent expertise in identifying and mitigating risks, but if data center personnel do not follow their instructions, everything will be in vain.

Security, as a rule, does not bring money, but only minimizes risks. Therefore, it is often treated as something interfering and secondary. And when security specialists begin to resent (with every right to do so), conflicts often arise with personnel and heads of operational departments.

The existence of industry standards and regulatory requirements helps security professionals defend their positions in negotiations with management, and approved information security policies, regulations and procedures oblige employees to comply with the requirements set out there, laying the foundation for often unpopular decisions.

Protection of premises

When a data center provides services under the colocation model, physical security and access control to the client's equipment come to the fore. For this, cages (fenced-off sections of the hall) are used, which are under the client's video surveillance and to which the access of data center personnel is limited.

At the end of the last century, physical security in state computer centers was not bad. There was a pass regime, access control to the premises (albeit without computers and video cameras) and fire extinguishing systems: in the event of a fire, freon was automatically released into the machine room.

Nowadays, physical security is even better. Access control and management systems (ACS) have become intelligent, and biometric methods of access restriction are being introduced.

Fire extinguishing systems have become safer for personnel and equipment, among which are installations for inhibition, isolation, cooling and hypoxic effects on the fire zone. Along with the mandatory fire protection systems in data centers, an aspiration-type early fire detection system is often used.

To protect data centers from external threats - fires, explosions, collapse of building structures, flooding, corrosive gases - security rooms and safes began to be used, in which server equipment is protected from almost all external damaging factors.

The weak link is the human

"Smart" video surveillance systems, volumetric tracking sensors (acoustic, infrared, ultrasonic, microwave) and access control systems have reduced risks but have not solved all problems. These tools will not help, for example, when people legitimately admitted to the data center, carrying a legitimately brought-in tool, "snag" something. And, as often happens, an accidental snag causes the most problems.

The operation of a data center may also be affected by the misuse of its resources by personnel, such as unauthorized cryptocurrency mining. Data center infrastructure management (DCIM) systems can help in such cases.

Personnel also require protection, since a person is often called the most vulnerable link in the protection system. Targeted attacks by professional criminals most often begin with social engineering techniques. It is not uncommon for the most secure systems to fail or be compromised after someone clicked/downloaded/entered something somewhere. Such risks can be minimized by training personnel and implementing the best international practices in the field of information security.

Protection of engineering infrastructure

Traditional threats to the functioning of the data center are power failures and cooling system failures. We have already become accustomed to such threats and have learned to deal with them.

A new trend has been the widespread introduction of "smart" networked equipment: managed UPSs, intelligent cooling and ventilation systems, various controllers and sensors connected to monitoring systems. When building a data center threat model, do not forget about the likelihood of an attack on the infrastructure network (and, possibly, on the data center IT network connected to it). Complicating the situation is the fact that some of the equipment (for example, chillers) may be located outside the data center, say, on the roof of a rented building.

Protection of communication channels

If the data center provides services beyond the colocation model, you will also have to deal with protecting the clouds. According to Check Point, in the past year alone, 51% of organizations around the world have experienced attacks on cloud infrastructures. DDoS attacks stop businesses, ransomware demands a ransom, and targeted attacks on banking systems lead to the theft of funds from correspondent accounts.

Threats of external intrusion are also a concern for data center information security specialists. The most relevant for a data center are distributed attacks aimed at interrupting the provision of services, as well as threats of hacking, theft or modification of data held in the virtual infrastructure or storage systems.

To protect the external perimeter of the data center, modern systems are used with functions for detecting and neutralizing malicious code, application control and the ability to import Threat Intelligence feeds (proactive protection). In some cases, systems with IPS (intrusion prevention) functionality are deployed, with the signature set automatically adjusted to the parameters of the protected environment.

To protect against DDoS attacks, Russian companies, as a rule, use external specialized services that divert traffic to other nodes and filter it in the cloud. Protection on the operator's side is much more effective than on the client's side, and data centers act as intermediaries in selling such services.

In data centers, internal DDoS attacks are also possible: an attacker penetrates the weakly protected servers of one company that hosts its equipment according to the colocation model, and from them, through the internal network, conducts a denial of service attack on other clients of this data center.

Attention to virtual environments

It is necessary to take into account the specifics of the protected object: the use of virtualization tools, the dynamic nature of changes in IT infrastructures and the interconnectedness of services, where a successful attack on one client can threaten the security of its neighbors. For example, by compromising a frontend Docker container while working in a PaaS based on Kubernetes, an attacker can immediately obtain all the password information and even access to the orchestration system.

Products provided under the service model have a high degree of automation. So as not to get in the way of the business, the information protection tools applied to them must have no less a degree of automation and horizontal scaling. Scaling should be provided at all levels of information security, including access control automation and access key rotation. Scaling the functional modules that inspect network traffic is an especially important task.

For example, network traffic filtering at the application, network and session levels in data centers with a high degree of virtualization should be performed at the level of hypervisor network modules (for example, VMware's Distributed Firewall) or by creating chains of services (virtual firewalls from Palo Alto Networks).

If there are weaknesses at the level of virtualization of computing resources, efforts to create an integrated information security system at the platform level will be ineffective.

Levels of information protection in the data center

The general approach to protection is the use of integrated, multi-level information security systems, including macro-segmentation at the firewall level (allocating segments to various functional areas of the business) and micro-segmentation based on virtual firewalls or on labeling groups of traffic (user roles or services) defined by access policies.

The next level is the detection of anomalies within and between segments. Traffic dynamics are analyzed for signs of malicious activity, such as network scanning, DDoS attempts, or data exfiltration, for example, slicing up database files and pushing them out in sessions that appear periodically at long intervals. Enormous volumes of traffic pass inside a data center, so advanced search algorithms must be used to detect anomalies, without inspecting every packet. It is important not only to recognize signs of malicious and anomalous activity, but also to detect the operation of malware even in encrypted traffic without decrypting it, as proposed in Cisco (Stealthwatch) solutions.
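To make the two signals mentioned above concrete (scanning, and exfiltration in regular long-interval sessions), here is an added example of anomaly checks over flow metadata. It is not code from the article, from Cloud4Y or from Cisco Stealthwatch; the flow records, addresses, thresholds and function names are constructed for illustration. Because it uses only flow-level fields (timestamps, endpoints, byte counts), it works the same way on encrypted traffic.

```python
"""Flow-record anomaly checks for east-west (intra-data-center) traffic.

Added example; not the article's or any vendor's code. All flow records,
addresses and thresholds below are constructed sample values.
Two checks are shown, both computed from flow metadata only (no payload):
  * scanning: one source touching many distinct destination host:port pairs;
  * periodic bulk sessions: one source opening sessions to one destination
    at near-constant long intervals, each moving a large amount of data.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int          # flow start time, seconds since epoch (constructed)
    src: str         # source address
    dst: str         # destination address
    dport: int       # destination port
    bytes_out: int   # bytes sent from src to dst


def detect_scanners(flows, min_targets=20):
    """Return {src: distinct (dst, dport) count} for sources at or above the threshold."""
    targets = defaultdict(set)
    for f in flows:
        targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def detect_periodic_sessions(flows, min_sessions=4, min_interval=1800,
                             max_jitter=0.1, min_bytes=1_000_000):
    """Return [(src, dst, mean_interval_s, total_bytes)] for regular, long-interval bulk transfers.

    A scheduled exfiltration job produces gaps between sessions with a very low
    coefficient of variation (pstdev / mean), unlike interactive human traffic.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    findings = []
    for (src, dst), fs in by_pair.items():
        if len(fs) < min_sessions:
            continue
        fs = sorted(fs, key=lambda f: f.ts)
        gaps = [b.ts - a.ts for a, b in zip(fs, fs[1:])]
        avg = mean(gaps)
        if avg < min_interval:                 # short intervals: not "long-interval" sessions
            continue
        if pstdev(gaps) / avg > max_jitter:    # irregular timing: not a scheduled job
            continue
        if any(f.bytes_out < min_bytes for f in fs):
            continue                           # small sessions are not bulk transfers
        findings.append((src, dst, avg, sum(f.bytes_out for f in fs)))
    return findings


def sample_flows():
    """Constructed flow records: one scanner, one periodic bulk sender, one benign client."""
    base = 1_700_000_000
    flows = []
    # Scanner: 25 distinct host:port pairs within 25 seconds.
    for i in range(25):
        flows.append(Flow(base + i, "10.0.1.50", f"10.0.2.{i % 5 + 1}", 1000 + i, 60))
    # Periodic bulk sender: ~50 MB to one host every 6 hours, +/-30 s jitter.
    for k in range(5):
        flows.append(Flow(base + k * 21600 + (k % 2) * 30, "10.0.3.7", "10.0.9.9",
                          443, 50_000_000 + k * 1000))
    # Benign app server: irregular small queries to a database.
    for t in (100, 137, 400, 5000, 5100, 20000):
        flows.append(Flow(base + t, "10.0.1.20", "10.0.2.1", 5432, 2000))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("scanners:", detect_scanners(flows))
    for src, dst, avg, total in detect_periodic_sessions(flows):
        print(f"periodic bulk sessions: {src} -> {dst}, every {avg:.0f}s, {total} bytes total")
```

In a real deployment the thresholds would be derived from a baseline of each segment's normal traffic rather than fixed constants, and the scanner check would be evaluated per time window; the structure of the checks stays the same.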

The last frontier is the protection of the local network's end devices: servers and virtual machines. This can be done, for example, with agents installed on the end devices (virtual machines) that analyze I/O, delete, copy and network activity and send the data to a cloud, where computations requiring large computing power are performed. There, analysis is carried out using Big Data algorithms, decision trees are built and anomalies are detected. The algorithms self-learn on the huge amount of data supplied by a global network of sensors.

You can also do without installing agents. Modern information security tools should be agentless and integrated with the operating systems at the hypervisor level.

These measures significantly reduce information security risks, but they may not be enough for data centers that automate high-risk production processes, such as nuclear power plants.

Regulatory requirements

Depending on the information being processed, the physical and virtualized infrastructures of the data center must meet different security requirements formulated in laws and industry standards.

These laws include the law "On Personal Data" (152-FZ) and the law "On the Security of the Critical Information Infrastructure of the Russian Federation" (187-FZ), which came into force this year; the prosecutor's office has already taken an interest in the progress of its implementation. Disputes about whether data centers count as CII subjects are still ongoing, but, most likely, data centers wishing to provide services to CII subjects will have to comply with the requirements of the new legislation.

It will not be easy for data centers that host state information systems (GIS). According to Decree of the Government of the Russian Federation No. 555 of 11 May 2017, information security issues must be resolved before a GIS is put into commercial operation. So a data center that wants to host a GIS must comply with the regulators' requirements in advance.

Over the past 30 years, data center security systems have come a long way: from simple physical protection systems and organizational measures, which, however, have not lost their relevance, to complex intelligent systems that increasingly use elements of artificial intelligence. But the essence of the approach has not changed. The most modern technologies will not save you without organizational measures and staff training, and paperwork will not save you without software and technical solutions. Data center security cannot be ensured once and for all; it is constant daily work to identify the top-priority threats and comprehensively solve emerging problems.


Source: habr.com