Improving Data Center Security... Simply

Are you looking to improve the security of your data center, but are a little confused? Don't know what to do exactly? Don't know what security products to purchase?

Then start by looking no further than the tools you already have.

Chances are there are quite a few security enhancements that you can make simply by making better use of what's almost certainly already on your system.

I have spent a significant amount of time over the years assessing the security of business applications, and one of the consistent problems that I've seen is that the security capabilities of the network, operating system, and/or the applications themselves are not being exploited to their fullest extent. For example, operating system file access controls are often either overlooked or not adequately fine-tuned to the needs of the application when installing the application.

I call this operations security because it generally is done within the data center operations, and it supports all of the other network security, system security, and application security efforts that already go into designing and implementing a business application. As such, it is the final link between an otherwise secure application and the data center environment that it will operate in.

Mistakes made at the operations security phase can completely undermine the application's security. But the converse also is true: improvements made in operations security can very much enhance the overall security of the environment. Start by protecting the application and its data, and proceed all the way through the operational aspects of effectively responding to security events.

Starting down at the network level, the key principles are compartmentalization and access control. Here's where most data centers generally do a pretty good job already, but it's likely that you can still find plenty of room for improvement. For example, consider further separating your applications on isolated network segments (or VLANs) and tightly configuring the network components to enforce the network-level policies concerning which network services are permitted both in and out of each segment.

Another high-value, low-cost tip is to provide a separate network segment for administrative traffic, such as system monitoring, actual system administration tasks, and event logging. This benefits both the performance of the production data segments, as well as the security of the environment, since administrative traffic is kept isolated from production, requiring an intruder to break through another layer of protection before he can compromise your application.

High-quality event logging and monitoring is the lifeblood of incident response operations. Many organizations have implemented pretty good event logging at the network and operating system level, but very rarely at the application level. There are opportunities here, as well, to enhance the overall security of the application for relatively little money.

The reason it's so important to log events all the way up to the application level is because, to the incident response analyst, each layer of logging brings its own perspective on a security event. And a full complement of those perspectives is necessary to really understand what took place at the time of an attack.

For example, when trying to forensically determine how a site was compromised, the network logs show the date, time, protocol, source, etc., of the attack. The operating system logs show what the intruder did and accessed on the host's operating system. The application logs provide insight into what data the intruder accessed, modified, deleted, etc., within the compromised application. Without that "big picture" view, it is exceedingly difficult to provide company executives with an accurate damage assessment so they can make the appropriate business decisions on how to proceed. It also is exceedingly difficult to distinguish between an IDS false alarm and a real, potentially company-threatening incident.
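The three perspectives described above can be merged into one incident timeline. The following is an added example, not part of the original article; the log formats, host names, addresses and the `timeline` helper are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample lines (not from any real system); formats are assumptions.
NETWORK_LOG = [
    "2024-03-05T02:14:07Z fw01 ACCEPT tcp 203.0.113.45:51822 -> 10.20.1.15:443",
    "2024-03-05T09:30:00Z fw01 ACCEPT tcp 198.51.100.7:40100 -> 10.20.1.15:443",
]
OS_LOG = [
    "2024-03-05T02:14:31Z app01 audit: uid=appsvc open /srv/orders/conf/db.properties",
]
APP_LOG = [
    "2024-03-05T02:14:09Z orders session=9f2c src=203.0.113.45 login user=jsmith",
    "2024-03-05T02:15:02Z orders session=9f2c export table=customers rows=48211",
    "2024-03-05T09:30:02Z orders session=77aa src=198.51.100.7 login user=mlee",
]

def parse(lines, layer):
    """Split 'timestamp rest' lines into (time, layer, message) tuples."""
    events = []
    for line in lines:
        stamp, _, message = line.partition(" ")
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, layer, message))
    return events

def source_of(message):
    """Source address of a network log message (4th field, port stripped)."""
    return message.split()[3].rsplit(":", 1)[0]

def timeline(source_ip, window=timedelta(minutes=5)):
    """Ordered events from all layers near this source's network activity."""
    net = parse(NETWORK_LOG, "network")
    everything = net + parse(OS_LOG, "os") + parse(APP_LOG, "application")
    # The network layer is the only one that reliably records the source,
    # so its timestamps anchor the search in the other two layers.
    anchors = [t for t, _, msg in net if source_of(msg) == source_ip]
    hits = [e for e in everything
            if any(abs(e[0] - a) <= window for a in anchors)]
    return sorted(hits)

if __name__ == "__main__":
    for when, layer, message in timeline("203.0.113.45"):
        print(when.isoformat(), f"[{layer}]", message)
```

Time-window correlation like this only holds up when every device keeps a synchronized clock and logs in one time zone, and on a busy host the window will also pull in unrelated events that an analyst has to filter out.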

Next, the operating systems that are generally found in today's data centers almost always include security capabilities that go unused in the integration of the applications that are running on them. Principal among these are file access control and targeted event logging. Access control that is precisely tuned to the needs of the application takes time and it takes a deep understanding of the application and the operating system's capabilities, but the rewards are well worth it, for a multitude of good and valuable reasons.

The following is a checklist of a few things you can consider doing in your data center to improve both the protection mechanisms, as well as the tools available to support the incident response posture:

  • If you don't have one already, add a separate network segment that is exclusively for administrative traffic, including event logging. Configure the network and the servers such that no administrative traffic is allowed on the production segments;
  • Compartmentalize each major business application onto its own network, so production data on each segment is unique to that segment's application;
  • If the application is able to run within a compartment of its own on the application server, enable that capability;
  • Finely tune the application servers themselves by removing anything and everything on the server that is not absolutely required by the application;
  • Tune the file access control of each application server to the needs of the application itself;
  • Enable event logging that is specifically tuned to each application. If your operating systems allow granular control of event logs down to the file/folder level, log accesses to files, folders, etc., that are specific to each application;
  • Centralize event logging (over the administrative network only) to one dedicated server or group of dedicated servers, and
  • Carefully monitor the event logs to a level that is commensurate with the value of the business process(es).
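One way to check the file access control item on a POSIX server is to compare an application's installed files against a per-directory permission policy. This is an added example, not part of the original article; the directory names, the mode limits and the `audit_tree` helper are assumptions for illustration.

```python
import os
import stat

# Hypothetical policy for one application tree: the most permissive mode
# each top-level directory may carry. Names and modes are assumptions.
POLICY = {
    "conf": 0o640,   # credentials and settings: no access for "other"
    "data": 0o660,   # application data: owner and group only
    "bin":  0o750,   # executables: never group- or world-writable
}
DEFAULT_MAX = 0o640  # anything outside the listed directories

def audit_tree(root, policy=POLICY, default_max=DEFAULT_MAX):
    """Return (relative_path, mode, allowed) for files exceeding the policy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.relpath(full, root)
            top = rel.split(os.sep)[0]
            allowed = policy.get(top, default_max)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            # Any bit set on the file but absent from the allowed mask
            # is access the application does not need.
            if mode & ~allowed:
                findings.append((rel, oct(mode), oct(allowed)))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for rel, mode, allowed in audit_tree(sys.argv[1]):
        print(f"{rel}: mode {mode} exceeds allowed {allowed}")
```

Mode bits are only part of access control: file ownership, group membership and any ACLs on the tree need the same review against what the application actually requires.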

Most of these tips are not overly expensive to implement. Almost all of them, though, require a deep knowledge of each business application and how it functions. That will no doubt involve close collaboration between your application development and integration staff, networking staff, and security staff.

All of this is time well spent, as I see it.

Kenneth van Wyk, a 19-year veteran of IT security, is the principal consultant for KRvW Associates, LLC. The co-author of two security-related books, he has worked at CERT, as well as at the U.S. Department of Defense.
