Security checks can sometimes leave your jaw on the floor and your budget flying out the window. Data centers carry a high level of security concern and risk for obvious reasons, and they are big targets for evildoers. My goal today is to establish some gut-checks you should be aware of before you start planning next year's security budget and that awesome list of wants.
Data centers, cooling plants, and clusters of servers have large footprints, and at that scale a lot of holes can be found if we are not practicing good security hygiene. I say security hygiene instead of cyber hygiene because there are natural security habits we should have in place, and should teach, before we even touch a technical device.
High-profile breaches of corporate and governmental IT infrastructures have resulted in hundreds of millions of dollars in lost revenue. They have also caused high-profile, let's just say, forced exits from companies at the C-suite level. My goal is to make you aware of, not paranoid over, common things within data centers, so that you do not become easy, low-hanging fruit.
Start thinking about security as a whole: the wonderful triad of confidentiality, integrity, and availability (CIA). When any one of these three is interrupted or compromised, it could land you in the news. I'm going to break these out to showcase the three security pillars and some potential ways each might be breached.
With the implementation of the new General Data Protection Regulation (GDPR) back in May, any business with European customers or users now has stringent data protection and privacy guidelines it must follow. GDPR has also brought these security regulations full circle in the United States. The right to be forgotten is very valid. However, that means data has to be scrubbed and guarded like never before for most businesses.
Training your employees, at any level, should be focused on explaining the terms and conditions your data center has in its security policy and how it relates to breaches and their everyday functions within the organization. This means explaining to them that if they download an Excel® sheet with personally identifiable information on it, they can’t just leave this on their desktop or sitting in their recycle bins.
Employees generally try not to break the rules. I see the most errors occur when employees do not understand the rules within their area of expertise or role at the company. Businesses must do better in educating workers and not assume everyone has a background in IT or even security terminology.
When discussing integrity, you have to understand its usage within a data center. Integrity covers maintenance and assurance of the accuracy and consistency of data over its entire life-cycle. Let that sink in. This means understanding the entire life-cycle of data, from the start all the way to when it is destroyed and how it has been destroyed and verified.
Verifying and practicing your procedures of backups is key. If the data is not usable or accessible, then it is not a backup plan nor able to be assured as accurate and available. My famous, annoying to some, line is, “If you did not physically failover and verify it never happened, I don’t care if it’s written down with a checkbox cleared!” This is a hard lesson to face when maintenance windows and IT crews are limited. This verification must be done and fought for, so you’re able to recognize any issues before they happen. If not verified, this may leave you with incorrect or inaccessible data that takes your data center down, which can be considered a breach. Downtime is when customers or users of the data start to think about how their applications and data are being maintained by the data center.
I like how integrity flows right into availability. This was, and is, a huge reason why businesses wanted to use data centers, on- or off-premises, to host their applications and databases. As I noted earlier, a loss of availability can take away a lot of your integrity while creating concern and downtime for users of whatever portion of the data center is now down. Next thing you know, you're scrambling to get everything back up and running while users might be searching the internet and finding answers that stir up concern.
Security hygiene focuses on users of the data and how they access their daily applications. Understanding this will allow you to create training that helps them be more security aware. If they use their personal mobile phones, you should implement two-factor authentication for e-mail accounts and shares. You should also explain the importance of passcodes on their phones and of deleting data, where possible, if a phone has been compromised.
Emphasizing the need for physical controls on the data center is a must as well. There should be consequences for sharing badges or holding doors open to let people in. A security control is any mechanism by which you govern what an entity can do or where it can go.
Explaining to the different levels and users within your organization the cost of data and their responsibility to help maintain the data center's integrity is vital: it not only conveys the importance to everyone but also lets them be a part of the solution. This can give people a sense of awareness they never had before. From the CEO to the janitorial staff, IT security should be recognized and addressed by everyone.