Are you looking to improve the security of your data center, but are a little confused? Don't know what to do exactly? Don't know what security products to purchase?

Then start by looking no further than the tools you already have.

Chances are there are quite a few security enhancements that you can make simply by making better use of what's almost certainly already on your system.

I have spent a significant amount of time over the years assessing the security of business applications, and one of the consistent problems that I've seen is that the security capabilities of the network, operating system, and/or the applications themselves are not being exploited to their fullest extent. For example, operating system file access controls are often either overlooked or not adequately fine-tuned to the needs of the application when installing the application.

I call this operations security because it generally is done within the data center operations, and it supports all of the other network security, system security, and application security efforts that already go into designing and implementing a business application. As such, it is the final link between an otherwise secure application and the data center environment that it will operate in.

Mistakes made at the operations security phase can completely undermine the application's security. But the converse also is true: improvements made in operations security can very much enhance the overall security of the environment. Start by protecting the application and its data, and proceed all the way through the operational aspects of effectively responding to security events.

Starting down at the network level, the key principles are compartmentalization and access control. Here's where most data centers generally do a pretty good job already, but it's likely that you can still find plenty of room for improvement. For example, consider further separating your applications on isolated network segments (or VLANs) and tightly configuring the network components to enforce the network-level policies concerning which network services are permitted both in and out of each segment.

Another high-value, low-cost tip is to provide a separate network segment for administrative traffic, such as system monitoring, actual system administration tasks, and event logging. This benefits both the performance of the production data segments, as well as the security of the environment, since administrative traffic is kept isolated from production, requiring an intruder to break through another layer of protection before he can compromise your application.

High-quality event logging and monitoring is the lifeblood of incident response operations. Many organizations have implemented pretty good event logging at the network and operating system level, but very rarely at the application level. There are opportunities here, as well, to enhance the overall security of the application for relatively little money.

The reason it's so important to log events all the way up to the application level is because, to the incident response analyst, each layer of logging brings its own perspective on a security event. And a full complement of those perspectives is necessary to really understand what took place at the time of an attack.

For example, when trying to forensically determine how a site was compromised, the network logs show the date, time, protocol, source, etc., of the attack. The operating system logs show what the intruder did and accessed on the host's operating system. The application logs provide insight into what data the intruder accessed, modified, deleted, etc., within the compromised application. Without that "big picture" view, it is exceedingly difficult to provide company executives with an accurate damage assessment so they can make the appropriate business decisions on how to proceed. It also is exceedingly difficult to distinguish between an IDS false alarm and a real, potentially company-threatening incident.
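To make the layered-logging argument concrete, here is an added example (not code from the original column) that stitches constructed network, operating-system and application log lines into one timeline around an IDS alert, and uses the presence or absence of corroborating OS and application events to separate a likely false alarm from a real incident. The log formats, host names and addresses are invented for the illustration; real logs need their own parsers.

```python
"""Correlate network, OS and application logs around an IDS alert (added example)."""
from datetime import datetime, timedelta

# Constructed sample log lines for the three layers; every line is an ISO timestamp
# followed by key=value fields. Addresses are documentation ranges, not real hosts.
NETWORK_LOG = [
    "2024-03-01T10:00:05 type=ids_alert src=203.0.113.7 dst=10.1.1.20 sig=sql-injection",
    "2024-03-01T10:30:00 type=ids_alert src=198.51.100.9 dst=10.1.1.20 sig=sql-injection",
]
OS_LOG = [
    "2024-03-01T10:00:09 host=app01 user=www-data exec=/bin/sh",
    "2024-03-01T10:00:12 host=app01 user=www-data open=/opt/app/config/db.conf",
]
APP_LOG = [
    "2024-03-01T10:00:07 app=orders client=203.0.113.7 action=query table=customers rows=45000",
]


def parse(line, layer):
    """Turn one 'timestamp k=v k=v ...' line into a dict tagged with its layer."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "layer": layer}
    event.update(pair.split("=", 1) for pair in pairs)
    return event


def load(lines, layer):
    return [parse(line, layer) for line in lines]


def timeline(alert, os_events, app_events, window=timedelta(seconds=60)):
    """OS and application events in the window after the alert, oldest first.

    Application events carry the client address, so they must match the alert's
    source; OS events have no address and are related by time alone.
    """
    start, end = alert["ts"], alert["ts"] + window
    related = [e for e in os_events + app_events if start <= e["ts"] <= end]
    related = [e for e in related if e["layer"] != "app" or e.get("client") == alert["src"]]
    return sorted(related, key=lambda e: e["ts"])


def assess(alert, os_events, app_events):
    """Classify an alert by how many layers corroborate it."""
    layers = {e["layer"] for e in timeline(alert, os_events, app_events)}
    if {"os", "app"} <= layers:
        return "incident"        # network, host and data views all agree
    if layers:
        return "needs investigation"
    return "probable false alarm"  # nothing on the host or in the app backs it up
```

Running `assess` over the two constructed alerts yields "incident" for the first (a shell spawn and a config-file read on the host plus a 45,000-row customer query from the same client) and "probable false alarm" for the second, which no other layer corroborates.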

Next, the operating systems that are generally found in today's data centers almost always include security capabilities that go unused in the integration of the applications that are running on them. Principal among these are file access control and targeted event logging. Access control that is precisely tuned to the needs of the application takes time and it takes a deep understanding of the application and the operating system's capabilities, but the rewards are well worth it, for a multitude of good and valuable reasons.

The following is a checklist of a few things you can consider doing in your data center to improve both the protection mechanisms, as well as the tools available to support the incident response posture:

  • If you don't have one already, add a separate network segment that is exclusively for administrative traffic, including event logging. Configure the network and the servers such that no administrative traffic is allowed on the production segments;
  • Compartmentalize each major business application onto its own network, so production data on each segment is unique to that segment's application;
  • If the application is able to run within a compartment of its own on the application server, enable that capability;
  • Finely tune the application servers themselves by removing anything and everything on the server that is not absolutely required by the application;
  • Tune the file access control of each application server to the needs of the application itself;
  • Enable event logging that is specifically tuned to each application. If your operating systems allow granular control of event logs down to the file/folder level, log accesses to files, folders, etc., that are specific to each application;
  • Centralize event logging (over the administrative network only) to one dedicated server or group of dedicated servers, and
  • Carefully monitor the event logs to a level that is commensurate with the value of the business process(es).

Most of these tips are not overly expensive to implement. Almost all of them, though, require a deep knowledge of each business application and how it functions. That will no doubt involve close collaboration between your application development and integration staff, networking staff, and security staff.

All of this is time well spent, as I see it.

Kenneth van Wyk, a 19-year veteran of IT security, is the principal consultant for KRvW Associates, LLC. The co-author of two security-related books, he has worked at CERT, as well as at the U.S. Department of Defense.