Never, ever believe your data centre perimeter is secure because it isn't. Hackers will be probing every nook and cranny of your system, so putting gold-standard security in place is pragmatic rather than a sign of paranoia.
Today's cyber-criminals don't attack for fun. They have a strong financial motive for trying to breach your defences because people will pay them handsomely to do so, and that makes them ever more innovative. They won't even necessarily have a specific end goal in mind when they start poking at your barricades. Getting in is an end in itself – from there, they will figure out if the target is worthwhile and how they can profit from it.
The best advice any cyber-security professional can give you is to assume everyone is out to get you, recognise that your people are your weakest link, and mitigate accordingly. In a nutshell, that means moving from a perimeter-based cyber-security strategy to layered defences, which combine multiple controls, and learning how to read data patterns that will alert you to danger. Just because something is secure today does not mean it will still be secure tomorrow.
The problem with perimeters
Perimeter-based security relies on keeping all potential harm outside, but what if something penetrates the outer defence? Only a layered strategy offers protection in that scenario. You may not even know your perimeter has been breached: Yahoo was hacked in 2013 and a billion accounts were compromised, but the breach only came to light three years later.
It is a mistake to concentrate solely on technical solutions and fail to consider the vulnerability of employees and the mistakes they might make. Phishing can be a highly successful ploy for cyber-criminals. If you don't constantly monitor what is going on inside the data centre, you will not pick up warning signs. Watch carefully for patterns that suggest unusual activity, which could be the first indication of a hacking attempt. The credit card industry is especially good at this, heading off fraud by blocking cards the instant their algorithms pick up a hint of unusual financial behaviour. The same kind of pattern analysis approach applied to your systems can do the same – but only if you capture the data and then proactively analyse it.
In a conventional data centre, each network node is a physical device and therefore vulnerable.
Even big companies like Cisco are finding long-established vulnerabilities in long-trusted hardware. You can never assume that something is secure: you must test it properly and regularly.
By contrast, in a software-defined data centre (SDDC), all infrastructure is virtualised and delivered as a service. Control is fully automated by software, meaning hardware configuration is maintained through intelligent software systems. Running virtual entities on a hypervisor enables you to change networking and storage stacks at will. You can tear them down and build them back up, incorporating the rules they comply with and patching software as you go – and, just as importantly, changing your security analysis processes to match. This approach offers much more protection than manually applying rules to a physical device.
Big cloud providers, like Amazon Web Services and Microsoft Azure, make enticing targets, but the flexible, software-defined architecture they have built from the ground up provides sound, layered security that makes them harder to compromise. Compare these operations with the US government which protects its data with a monolithic, perimeter-based security system and has been hacked several times in the last few years.
An SDDC also makes it much easier to move chunks of infrastructure to the cloud and back again while keeping them secure. Using the cloud is a cost-effective way to outsource parts of your IT and infrastructure because it brings operational overheads down, but businesses should be looking to reinvest these savings in better security for the data assets they still hold within the organisation. Many fail to consider this and simply add those available resources to the corporate bottom line which is not a smart thing to do.
An organisation re-architecting its IT should use the money it saves to fund layered security, in the same way a manufacturing business might invest savings derived from automation into increasing its output.
How safe is your data?
The answers to three key questions will tell the CEO how well the organisation is protected – or how vulnerable it is.
How do I know if I have been breached?
Breaches will be revealed in unusual patterns of activity. Hackers constantly scour the net looking for vulnerabilities they can exploit, so if the CEO is told there have been no attempted breaches then the systems are not being properly monitored.
Who is responsible for security in the data centre?
If the answer is IT, then there is a problem. The correct answer is either the security owner, the business owner, or the content owner.
How much security development and remediation do we do on a regular basis?
System performance and network statistics should be constantly monitored with a view to making improvements every six to 12 months.
Cyber-security planning and architecture must be part of an organisation's business planning process. They do not belong to IT.
Contributed by David Cohen, principal consultant, Mason Advisory
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.