2017 has been a year of data breaches and ransomware attacks, with incidents such as WannaCry, Petya, the Equifax breach, Cloudbleed and Bad Rabbit forcing enterprises worldwide to re-examine their security programs.
Since data centers hold most business and customer data, data security controls, and above all securing the data center itself, are of utmost importance.
The first thing to do before implementing any countermeasures is to conduct a risk assessment of the data center. This covers the complete threat landscape and the existing controls, including, but not limited to, physical security, access control, business continuity planning, compliance and server security. The result is a clear measure of the inherent risk and security posture of the data center, which is the basis for choosing the right controls. The same due diligence should be applied when selecting a data center vendor, wherever the service is outsourced, whether on premises or in the cloud.
“In order to protect customer’s critical information and data assets, focus should be on implementing preventive, detective as well as corrective controls and early threat detection mechanisms.”
Risk Compliance & Security Leader
Based on the results of the risk assessment, countermeasures and controls can be implemented as follows:
- Physical Security
- Have a secure physical location – Site the data center at a distance from the offices or headquarters it serves, and outside seismic zones that are prone to earthquakes.
- Surveillance cameras – Surveillance plays a vital role in monitoring the daily operations of a data center. Cameras and related equipment should cover every entrance, exit and access point of the building, so that every area can be confirmed to be operating normally, secure and protected at all times.
- Fire-resistant walls and fire safety equipment – These protect the facility from high-risk man-made and natural disasters such as fire.
- Install intrusion alarm systems – Just as surveillance ensures all areas are monitored at all times, an intrusion alarm system alerts authorized personnel whenever the physical security of the data center is breached.
- Temperature and humidity monitoring – Keeping temperature and humidity within the recommended range protects servers and other hardware from overheating, condensation and static discharge, whatever the weather outside.
- Continuous power supply and backup – Mechanisms should be in place to keep power flowing even when the redundant mains feeds fail: UPS batteries take over instantly to bridge short outages, and diesel generators supply the data center during prolonged ones.
- Preventive maintenance checks – Critical equipment in the data center needs regular preventive maintenance, planned for the whole year and tracked against that plan.
- Access Control
- Secure access for authorized personnel – Access control plays a significant role in data center security. Access to the data center should be granted only to authorized personnel, on a role basis, and monitored at all times through measures such as biometric readers, single-person entry (mantraps), and access logging and review. Good identity management tools help enforce this.
- Two-factor authentication – Now widely used to strengthen access control, it typically combines something the person knows (a passcode) with something they have (an access card) or something they are (a biometric).
- Remove default accounts – Default and shared accounts, and their default credentials, on servers, network and management devices should be removed or disabled so that they cannot be compromised and misused.
- Isolate from the parent network where required – Use layered defense wherever possible. Where the data center sits on company premises, servers should be placed on separate VLANs and isolated from the corporate network unless a connection is genuinely required.
- Server Security
- Monitor connections to servers – Connections to servers should be monitored and logged at all times (for example by routing administrative access through a monitored jump host rather than allowing direct connections) so that unauthorized access is detected and prevented.
- Log inspection – All logs (access, system, application, etc.) should be reviewed to detect suspicious activity.
- Establish protective technologies – these include malware protection, host intrusion prevention, network intrusion detection and prevention systems, and data loss prevention.
- Malware protection – Keep anti-virus signatures updated, install patches promptly and run vulnerability assessments at planned intervals.
- Have backup hardware – Backup hardware should be available at all times for use when primary hardware fails. Redundancy, an extra layer of equipment, personnel or storage that takes over when the primary source fails, also strengthens security.
- Secure storage of backup tapes – Backup tapes must be stored encrypted, with proper access control.
- Separate the web server from the database server wherever possible, so that a hardware failure or a compromise of the internet-facing tier does not lead to the complete loss or exposure of business data.
- Business Continuity Planning / Disaster Recovery (BCP/DR)
- Have a second data center – Just as backup hardware and backup tapes are a good idea, enterprises that deal with sensitive or confidential information should also consider a second data center as part of their business continuity planning, to prevent data loss if the primary site fails.
- Conduct backup restoration drills – Securing and encrypting the backup is not enough: restoration drills must be conducted at predefined intervals to confirm that the data is usable and can be restored within the required time.
- Insider threat – Since industry reports and surveys attribute a large share of data breaches to insiders, the following measures must be in place to protect against insider threats:
- Regular training of personnel
- Monitoring of activities
- Conduct background checks
- Define and test the incident management process
- Regulatory compliance – Although certification is not always mandatory, with today's emerging threats, complying with and being certified against industry standards such as ISO 27001, ISO 22301 and PCI DSS gives customers assurance that their data is well protected.
- Data security – Whether the data center is on premises or in the cloud, data security is the most critical aspect. Any data and backup files stored, or exchanged with customers or internally, must be encrypted at rest and in transit; a dedicated fibre-optic link is not a substitute for encryption. Backup tapes should also be encrypted, and as a best practice both incremental and full backups should be taken at a defined frequency. Backups can also be stored at a second location to minimize data loss; all data must be access controlled, secured and monitored at all times.
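The access-control and server-security items above (remove default accounts, isolate servers on a management VLAN, monitor connections, inspect logs) all come down to the same detection question: does the authentication log show anything that those controls should have ruled out? The following is an added example, not code from the original article. It scans OpenSSH-style auth log lines for three conditions: a successful login to a default or shared account that should have been removed, a successful login from outside the management VLAN, and a password-guessing burst from one source. The log lines, account names and network ranges are constructed for illustration.

```python
"""Detect suspicious access in server authentication logs (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumption: administrative access is only permitted from this management VLAN.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.50.0/24")]
# Assumption: these default/shared accounts were supposed to be removed or disabled.
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "guest", "oracle"}
FAILED_THRESHOLD = 5      # this many failures from one source ...
WINDOW_SECONDS = 300      # ... within this window is a password-guessing burst

# Matches lines such as:
#   Nov 12 03:14:01 dc-srv01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<src>[\d.]+)"
)

# Constructed sample log: a brute-force burst, a normal admin login, and a
# root login from the office LAN.
SAMPLE_LOG = """\
Nov 12 03:14:01 dc-srv01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Nov 12 03:14:03 dc-srv01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Nov 12 03:14:05 dc-srv01 sshd[2201]: Failed password for root from 203.0.113.45 port 51024 ssh2
Nov 12 03:14:08 dc-srv01 sshd[2201]: Failed password for root from 203.0.113.45 port 51025 ssh2
Nov 12 03:14:10 dc-srv01 sshd[2201]: Failed password for root from 203.0.113.45 port 51026 ssh2
Nov 12 03:15:42 dc-srv01 sshd[2250]: Accepted publickey for deploy from 10.10.50.21 port 40110 ssh2
Nov 12 09:02:17 dc-srv01 sshd[2310]: Accepted password for root from 192.168.1.77 port 40222 ssh2
Nov 12 09:30:00 dc-srv01 sshd[2340]: Accepted publickey for alice from 10.10.50.30 port 40300 ssh2
"""


def parse_line(line, year=2017):
    """Return a dict for an sshd auth event, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumption: 2017 here)
    ts = datetime.strptime(year.__str__() + " " + m["ts"], "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": m["user"], "src": ipaddress.ip_address(m["src"])}


def in_management_net(addr):
    return any(addr in net for net in MANAGEMENT_NETS)


def analyse(lines):
    """Return a list of (finding, detail, detail) tuples in log order."""
    findings = []
    failures = defaultdict(list)   # source address -> timestamps of failed logins
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ok"]:
            if ev["user"] in DEFAULT_ACCOUNTS:
                findings.append(("default-account-login", ev["user"], str(ev["src"])))
            if not in_management_net(ev["src"]):
                findings.append(("login-outside-mgmt-vlan", ev["user"], str(ev["src"])))
        else:
            window = failures[ev["src"]]
            window.append(ev["ts"])
            # keep only failures inside the sliding window
            while (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.pop(0)
            # alert once when the threshold is reached, not on every further failure
            if len(window) == FAILED_THRESHOLD:
                findings.append(("password-guessing", str(ev["src"]), len(window)))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(*finding)
```

On the sample log this reports one password-guessing burst from 203.0.113.45, and two findings for the root login from 192.168.1.77: the account should not exist, and the source is not on the management VLAN. In production the same logic would run over logs shipped to a central collector, so that a compromised server cannot erase the evidence.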
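The backup items above (secure storage of backups, restoration drills, and incremental and full backups) are only worth anything if a restore actually works and the tape has not been altered. The following is an added example, not the article's or any vendor's tooling: it makes a full backup of a directory as a tar archive together with a manifest of SHA-256 digests, authenticates the manifest with an HMAC so that a tampered archive or manifest is detected, and then runs the restoration drill by restoring into a scratch directory and checking every file against the manifest. Encryption of the archive at rest is assumed to be handled separately (for example by the backup tool); the key, paths and sample files are constructed for the example.

```python
"""Full backup with an integrity manifest, plus a restoration drill (added example)."""
import hashlib
import hmac
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, archive_path, manifest_path, key):
    """Full backup: tar.gz archive plus a manifest {relpath: sha256}, HMAC-authenticated."""
    source_dir = Path(source_dir)
    digests = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                digests[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    body = json.dumps({"files": digests, "archive_sha256": sha256_file(archive_path)},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    Path(manifest_path).write_text(json.dumps({"body": body, "hmac": tag}))
    return digests


def load_manifest(manifest_path, key):
    """Verify the manifest HMAC before trusting anything in it."""
    doc = json.loads(Path(manifest_path).read_text())
    expected = hmac.new(key, doc["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest HMAC mismatch: manifest altered or wrong key")
    return json.loads(doc["body"])


def restoration_drill(archive_path, manifest_path, key):
    """Restore into a scratch directory and verify. Returns (ok, problems)."""
    try:
        manifest = load_manifest(manifest_path, key)
    except ValueError as e:
        return False, [str(e)]
    if sha256_file(archive_path) != manifest["archive_sha256"]:
        return False, ["archive digest does not match manifest"]
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")   # rejects path traversal in member names
            except TypeError:                            # older Python without extraction filters
                tar.extractall(scratch)
        for rel, digest in manifest["files"].items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                problems.append("missing after restore: " + rel)
            elif sha256_file(restored) != digest:
                problems.append("digest mismatch after restore: " + rel)
    return not problems, problems


def demo():
    """Run the whole cycle on constructed data; returns (good, wrong_key, tampered) drill results."""
    key = b"example-manifest-key"   # assumption: in practice held in a KMS/HSM, not in code
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "conf").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Example Corp\n")   # constructed sample
        (src / "conf" / "app.ini").write_text("[db]\nhost=db01\n")
        archive = Path(work, "full-2017-11-12.tar.gz")
        manifest = Path(work, "full-2017-11-12.manifest.json")
        create_backup(src, archive, manifest, key)
        good, _ = restoration_drill(archive, manifest, key)
        wrong_key, _ = restoration_drill(archive, manifest, b"not-the-key")
        with open(archive, "r+b") as f:          # flip one byte of the archive
            f.seek(20)
            b = f.read(1)
            f.seek(20)
            f.write(bytes([b[0] ^ 0xFF]))
        tampered, _ = restoration_drill(archive, manifest, key)
    return good, wrong_key, tampered


if __name__ == "__main__":
    print("drill ok / wrong key ok / tampered ok:", demo())
```

The drill returns True only for the untouched archive with the right key; a wrong key or a single flipped byte fails it. The manifest also doubles as the baseline for the next incremental backup: files whose digest is unchanged since the last manifest need not be copied again.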
In a nutshell,
The primary objective of implementing data center security controls is to ensure that all foreseeable measures are taken to protect customers' critical and sensitive information and data assets. The focus should be on preventive, detective and corrective controls together with early threat detection. All key aspects of data center security must be addressed at the outset, during strategic planning, and the results of the risk assessment must form the basis for selecting the appropriate countermeasures. Regular risk assessments and ongoing optimization of controls should be an integral part of the security framework, to strengthen resilience against emerging threats.