Security Audit Compliance For Data Centers
What you don’t know can hurt you.
THE FIRST LAYER
The first layer of data security is the physical layer. This is normally handled with both a perimeter security system at the entrance to the data center and a local physical locking mechanism at the rack. A study of physical security systems common to data racks and perimeter security systems showed that most rely on a legacy communications protocol known as the Wiegand protocol. The study demonstrated that a Wiegand-based system could be easily spoofed by a simple procedure, enabling a criminal to gain full physical access to a site or rack and its valuable contents without being detected.
Because the Wiegand protocol is universal, it is unrealistic to think that it can be replaced anytime soon. That means a secondary device must be added with the ability to detect when someone is trying to tamper with a security system via its protocol. We shall refer to this second device as a smart firewall: it continually queries the Wiegand system for anomalies (thus it has intelligence), and it also keeps any external communication from reaching the Wiegand unit (thus it is also a firewall). Hence the name, smart firewall. As we will see later in this article, such a system is now available and may be considered a necessity for nearly every data center where Wiegand-based systems are used.
THE SECOND LAYER
The second layer of security is cybersecurity. The word cybersecurity appears almost daily in newspapers and online features due to the incredible number of security breaches within the past few years. It is clear from the headlines that the tens of billions of dollars being spent on existing firewall systems are not accomplishing the goal of protecting valuable data. The question is: what are existing cybersecurity firewall systems missing that allows such a huge number of breaches?
The answer to this question can also be found in legacy protocols that are commonly used to remotely manage servers and storage systems as well as rack PDUs, UPSs, and environmental monitoring systems. Simple Network Management Protocol, or SNMP, is easily the most-used IT management protocol in the world. But, just like the Wiegand physical security protocol, its wide use has made it a favorite target of hackers.
The vast majority of SNMP implementations in the world use version 1 or 2 of the protocol, which have no security and minimal security, respectively. A third version of SNMP was developed in the late 1990s and launched in 2002 to address the issue of protocol security. However, in the 13 years since that time, cyber criminals have advanced rapidly in their techniques and SNMPv3 has now been compromised. That means that any SNMP-enabled system, just like any Wiegand system, is subject to exploit.
But some might say, “I have a firewall, I’m protected!” So did Sony, Target, and Home Depot. The simple fact is that the majority of all breaches occur from inside the perimeter firewall. This is largely the result of the rapid growth of malware infestations in mobile apps. A study just released shows that malware infection rates on Android devices have now caught up to those of Windows laptops. Once a device is infected with malware, it only takes an unsuspecting individual walking into a data center and logging onto the network. From that point forward, the malware has access to that network and Pandora’s box has been opened.
The ultimate purpose of such malware is to hide in unsuspecting devices that sit in close proximity to SNMP-enabled servers and storage systems in order to steal data. It turns out that few devices make a better malware host than an SNMP-enabled rack PDU, UPS, or environmental monitoring system. This is not mere speculation: studies by Neo Prime Solutions found that sophisticated malware now actively targets and infects UPS and PDU systems. This malware is able to pivot to discover data in the nearby servers and storage systems and then send that data offsite to servers controlled by cyber criminals. This all happens under the radar of almost all perimeter firewall systems.
Fortunately, just as a smart firewall can protect a Wiegand physical security system, it can also provide cybersecurity protection to vulnerable SNMP devices. The system protects SNMP devices in exactly the same manner as it protects a Wiegand system: it continually monitors each SNMP device for any system anomalies while it continually refuses any outside attempt to gain access to that SNMP-based system.
THE THIRD LAYER
There is one final layer of security in the rack, which is the operational layer. While some might argue that operations and security are distinct, the fact is that an operational failure of a system is every bit as much a security audit concern as a physical or cybersecurity breach. Because the smart firewall that we have discussed gathers live management data from Wiegand and SNMP devices, it is already performing operational management. In fact, the system we are discussing has operational analytics onboard so that it can learn the normal operating parameters of anything it is monitoring. This allows the smart firewall to discover anomalies long before a human-set high or low alarm limit would catch them. It also ensures that you will not get a flood of alarms when trouble occurs, and you can be assured that any alarm you do receive is a statistically significant event.
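The article does not say how the smart firewall's operational analytics learn "normal", so the following is an added illustration, not the product's code: it assumes a simple statistical baseline (mean and standard deviation learned from a training window, readings scored as z-scores) and compares it with a fixed high/low alarm limit on constructed PDU current readings.

```python
"""Baseline-learning anomaly detector for rack telemetry (added example).

Learns the normal operating range of a monitored value from a training
window, then flags only readings that are statistically unusual relative
to that baseline, rather than waiting for a fixed high/low alarm limit.
The z-score method is an assumption; all readings below are constructed.
"""
from statistics import mean, pstdev

# Constructed PDU output-current readings (amps), polled once a minute,
# taken during a quiet period and used as the learning window.
TRAINING = [12.1, 12.3, 11.9, 12.0, 12.2, 12.4, 11.8, 12.1, 12.0, 12.2,
            12.3, 11.9, 12.1, 12.0, 12.2]
# Constructed live readings: two unexplained jumps that never reach the
# fixed limit but are far outside the learned baseline.
LIVE = [12.1, 12.3, 13.9, 12.0, 12.2, 14.1, 12.1, 12.0]

HIGH_LIMIT = 16.0  # a typical human-set fixed alarm limit for a 16 A PDU


class BaselineMonitor:
    """Learns mean and standard deviation from a training window and scores
    each new reading as a z-score; readings beyond `sigma` are anomalies."""

    def __init__(self, training, sigma=3.0):
        if len(training) < 2:
            raise ValueError("need at least two training samples")
        self.mu = mean(training)
        self.sd = pstdev(training)
        self.sigma = sigma

    def zscore(self, value):
        # A perfectly flat baseline has zero spread: any deviation is unusual.
        if self.sd == 0:
            return 0.0 if value == self.mu else float("inf")
        return (value - self.mu) / self.sd

    def is_anomaly(self, value):
        return abs(self.zscore(value)) > self.sigma


def fixed_limit_alarms(readings, high=HIGH_LIMIT):
    """Indices that a conventional fixed high limit would alarm on."""
    return [i for i, v in enumerate(readings) if v > high]


def baseline_alarms(readings, monitor):
    """Indices the learned baseline flags as statistically significant."""
    return [i for i, v in enumerate(readings) if monitor.is_anomaly(v)]


if __name__ == "__main__":
    mon = BaselineMonitor(TRAINING)
    print("fixed-limit alarms:", fixed_limit_alarms(LIVE))   # []
    print("baseline alarms:   ", baseline_alarms(LIVE, mon)) # [2, 5]
```

The fixed limit never fires on the constructed data, while the learned baseline flags exactly the two excursions; ordinary jitter inside the training spread produces no alarm, which is the "no flood of alarms" property the text describes.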
As we can see, all three layers of security (physical, cyber, and operational) can be protected with a single smart firewall system, something that heretofore has not existed. This system securely manages and protects any power, environmental, or security system that uses insecure protocols such as Wiegand and SNMP. It repels any outside connections that try to reach these devices and pushes information to a central server for administration. It incorporates all three levels of security, physical, cyber, and operational, in a single unified solution. We encourage everyone to discuss the use of such a system to meet their security audit challenges within a data center.
CRITICAL FACILITIES ROUNDTABLE
The Critical Facilities RoundTable (CFRT) is a non-profit organization based in Silicon Valley that is dedicated to the discussion and resolution of industry issues regarding mission-critical facilities, their engineering and design, and their maintenance. We provide an open forum for our members and their guests to share information and to learn about new mission-critical technologies, with the intention of helping our members improve in technical expertise and to develop solutions for the challenges of their day-to-day critical facilities operations. Please visit our website at www.cfroundtable.org or contact us at 415-748-0515 for more information.