Back To Data Center Security Basics
Mind your cyber hygiene.
The rise of edge computing is shifting data centers once again. Centralized data centers continue to ramp up, with many service provider construction projects focused on large facilities, while edge computing is evolving toward a more distributed placement of computation, closer to the end user. Users are consuming data in new ways, and developers are engaged and listening.
For those of us working within a data center, maintaining a secure environment has — and always will be — a top priority. We must maintain good “cyber hygiene” to ensure that our infrastructures remain secure. Continually adhering to the best practices that keep our environments secure, particularly as we implement new technologies and shift our focus to the needs of the business, is paramount to our success. Let’s walk through a few of these foundational controls, because they are easy to put on the back burner.
Regularly reviewing the Center for Internet Security (CIS) Controls is important for keeping your framework up to date. We all know that foundational work is never “fun,” but it is fundamental to avoiding becoming low-hanging fruit for attackers.
While inventory and control of hardware assets is a big job, it enables SecOps to understand what is actually within the data center’s infrastructure. Asset management is often treated as a mere acknowledgement that we own a device, but it really means understanding the device, tracking its usage, and updating it as rapidly and fluidly as needed. This provides insight into what the device is authorized to do and who is authorized to use it. From there, we can build a better security plan by knowing which access levels are needed and by preventing others from gaining access to our network devices.
Similar to hardware, inventory and control of software assets requires careful tracking and continual updating. Remember this: even if you are not doing inventory, outsiders with malicious intentions may be scanning and building an inventory of your environment themselves. Malicious outside attackers are hoping that you are not inventorying your devices and software, because that lets them exploit devices that are unpatched: newly deployed (or recently powered off) devices that come online without an enterprise solution patching and maintaining them.
Bearing this in mind, we can create a wall against these young, up-and-coming attackers. They are looking for the unpatched devices, untracked inventory, and individuals that lack a deep understanding of their data center. Our response is to think two steps ahead of those with malicious mentalities — help your security team implement the controls necessary to keep these attackers far away from you and your data center.
So, what happens after you learn there is a potential vulnerability within your infrastructure? The first response is to resolve it, fast. You must have vulnerability management software (I would invest in one that is multi-vendor capable) and a solid security plan in place to effectively manage potential attacks. Without regularly inventorying all your devices, your vulnerability scans will be incomplete and inaccurate. There must be a plan in place so that the steps to resolve a vulnerability are clearly laid out and easily understood. Remediating vulnerabilities sounds easy, but without a plan there is no clear or fast route through your teams.
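The inventory and vulnerability management points above come together in one routine check: reconcile the inventory of record against what a discovery scan actually sees, and flag the gaps that attackers look for. The block below is an added example, not code from the original post; the inventory, scan results and the 90-day patch-age threshold are all constructed placeholders, and a real deployment would pull this data from a CMDB and a scanner export.

```python
"""Reconcile an authorized asset inventory against discovery-scan results.

Added example (not from the original post). All data below is constructed;
the 90-day patch-age threshold is an assumed policy value.
"""
from datetime import date, timedelta

# Constructed inventory of record: MAC -> what we believe we own.
AUTHORIZED_INVENTORY = {
    "00:11:22:33:44:01": {"hostname": "dc1-tor-sw01", "owner": "netops",
                          "last_patched": "2024-04-02"},
    "00:11:22:33:44:02": {"hostname": "dc1-esx-03", "owner": "platform",
                          "last_patched": "2023-11-15"},
    "00:11:22:33:44:03": {"hostname": "dc1-bmc-07", "owner": "dcops",
                          "last_patched": None},  # never patched by us
}

# Constructed discovery-scan output: hosts that answered on the network.
DISCOVERED_HOSTS = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.1.2"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.1.17"},
    {"mac": "00:11:22:33:44:99", "ip": "10.0.1.200"},  # not in inventory
]

PATCH_MAX_AGE = timedelta(days=90)  # assumed policy threshold


def find_unknown_hosts(inventory, discovered):
    """Devices on the wire that nobody has claimed: the untracked inventory."""
    return sorted(h["mac"] for h in discovered if h["mac"] not in inventory)


def find_missing_hosts(inventory, discovered):
    """Inventory entries the scan did not see (powered off, moved, or gone).

    These are the devices that tend to come back online behind on patches.
    """
    seen = {h["mac"] for h in discovered}
    return sorted(mac for mac in inventory if mac not in seen)


def find_stale_patching(inventory, as_of, max_age=PATCH_MAX_AGE):
    """Inventory entries never patched or patched longer ago than max_age."""
    stale = []
    for mac, entry in inventory.items():
        last = entry["last_patched"]
        if last is None or as_of - date.fromisoformat(last) > max_age:
            stale.append(mac)
    return sorted(stale)


def reconcile(inventory, discovered, as_of):
    """Produce the three lists a SecOps team would act on."""
    return {
        "unknown_hosts": find_unknown_hosts(inventory, discovered),
        "missing_hosts": find_missing_hosts(inventory, discovered),
        "stale_patching": find_stale_patching(inventory, as_of),
    }


if __name__ == "__main__":
    report = reconcile(AUTHORIZED_INVENTORY, DISCOVERED_HOSTS, date(2024, 6, 1))
    for finding, macs in report.items():
        print(f"{finding}: {macs}")
```

Run it on a daily schedule and route each list to its owner: unknown hosts to whoever can physically trace the port, missing hosts to the team that should confirm the device is retired or queue it for patching when it returns, and stale entries straight into the remediation plan.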
Another example — this one is newer to me on a broad scale — is the controlled use of administrative privileges. This can be hard to reel in; it refers to the need to track, control, prevent, and correct the use, assignment, and configuration of administrative privileges. It’s important to do your due diligence with your team and your security team to decide which controls you want to apply and how you will manage this large task.
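A concrete starting point for the "track, control, prevent, and correct" loop is a periodic review that compares who actually holds administrative group membership against the list of people approved to hold it. The block below is an added example, not code from the original post; the account export, the group names and the approved-admin list are constructed placeholders, standing in for a directory export (for example from Active Directory or LDAP) and a change-controlled approval list.

```python
"""Review administrative group membership against an approved list.

Added example (not from the original post). Accounts, group names and the
approved list are constructed; a real review would read a directory export.
"""

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"user": "alice.admin", "groups": ["Domain Admins"], "mfa": True},
    {"user": "bob", "groups": ["Domain Users", "Server Admins"], "mfa": False},
    {"user": "svc-backup", "groups": ["Domain Admins"], "mfa": False},
    {"user": "carol", "groups": ["Domain Users"], "mfa": False},
]

# Constructed policy inputs: which groups confer admin rights, and who is
# approved (by change control) to hold them.
ADMIN_GROUPS = {"Domain Admins", "Server Admins"}
APPROVED_ADMINS = {"alice.admin", "svc-backup"}
STANDARD_GROUPS = {"Domain Users"}


def current_admins(accounts, admin_groups=ADMIN_GROUPS):
    """Every account that holds at least one administrative group."""
    return sorted(a["user"] for a in accounts
                  if admin_groups.intersection(a["groups"]))


def unapproved_admins(accounts, approved=APPROVED_ADMINS):
    """Admin rights nobody signed off on: the 'correct' part of the loop."""
    return sorted(u for u in current_admins(accounts) if u not in approved)


def admins_without_mfa(accounts):
    """Privileged accounts relying on a password alone."""
    admins = set(current_admins(accounts))
    return sorted(a["user"] for a in accounts
                  if a["user"] in admins and not a["mfa"])


def dual_use_admins(accounts, standard_groups=STANDARD_GROUPS):
    """Accounts used for both daily work and administration.

    Separating these into a dedicated admin account limits what a phished
    everyday login can reach.
    """
    admins = set(current_admins(accounts))
    return sorted(a["user"] for a in accounts
                  if a["user"] in admins and standard_groups.intersection(a["groups"]))


def audit_admin_privileges(accounts):
    """Collect the findings a privilege review would hand back to owners."""
    return {
        "unapproved": unapproved_admins(accounts),
        "no_mfa": admins_without_mfa(accounts),
        "dual_use": dual_use_admins(accounts),
    }


if __name__ == "__main__":
    for finding, users in audit_admin_privileges(ACCOUNTS).items():
        print(f"{finding}: {users}")
```

Each finding maps to a corrective action: unapproved membership is removed or formally approved, missing MFA is enforced before the account is used again, and dual-use accounts are split into a standard account and a separate administrative one.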
These are a sampling of the controls I focus on to support this framework of foundational “cyber hygiene.” Please comment if you have any additional suggestions — I’m always searching for new controls to add to it. I would be very interested to hear about known solutions that made these controls easier for your organization to implement.