Security Experts:

Securing the Modern Data Center

Datacenter Security Information

What steps can data center architects take to help protect the modern data center in the face of new risks?

Modern data centers are undergoing a transformation. Driven by familiar trends—such as virtualization, green IT, endpoint growth and externalization, as well as increased resource requirements—today’s data centers support more services, users, and data than ever before.

As a result, modern data centers are exposed to new risks that demand renewed attention to data center security. Proper security controls, policies, and processes are a must to ensure your organization’s data center is equipped to mitigate these new risks.

Below is a closer look at three main data center trends and the associated risks that data center architects need to address:

1. Green IT Requirements and Virtualization: According to estimates provided by the ABB Group, global data centers consume almost 1.5 times the amount of power used by all of New York City, with each data center requiring as much power as 25,000 US homes. Furthermore, organizations often oversize servers to cope with peak demand, meaning that they only run at 20 percent capacity during normal operations—adding to the energy waste.

The ABB Group also finds that virtualization is an important strategy to reduce idle capacity and to cut power consumption by as much as 27 percent. But virtualization introduces new security risks, including:

Blind Spots: Virtualization causes security analysts to lose visibility into communication between virtual machines (VMs) on the same host.

Lack of Separation of Duties: Virtualization makes it easy to move VMs to any host or establish connectivity between any VMs on the same host. Misconfiguration or lack of policy enforcement makes it possible to combine VMs containing sensitive data with other VMs on the same host or bridge two different networks that should never communicate with one another.

VM Sprawl: The propagation of VMs without adequate coordination or oversight can make it difficult to locate critical servers and determine their state of patching and configuration. Security risks become more tangible because a VM that is not properly tracked and managed may not have updated patches or proper configuration control, leading to vulnerabilities that hackers can exploit.

2. Endpoint Proliferation and Externalization: Personal and professional devices for today’s mobile workforce are converging. This trend, often referred to as IT consumerization, forces IT to support an increasing variety of endpoints. A 2010 survey by IDC and Unisys entitled Unisys Consumerization of IT Benchmark Study found that 95 percent of workers have used technology purchased themselves (smartphones, personal laptops, iPads and other devices) for work.

Collaboration with partners and other third parties adds to the explosive growth of endpoints and access networks. According to a May 14, 2010, Gartner research note entitled The Future of Information Security is Context Aware and Adaptive, by 2015 more external users will access internal systems than employees in most enterprises.

All of this means that IT staff must protect the data center against an even greater number of threats. Data centers must be accessible from the Internet, typically via VPN connectivity. If employees and third parties are using their own personal devices to connect, data center IT staff has minimal visibility into these devices accessing the network and no control over the security practices in place on these devices. The potential for increased attacks is undeniable.

3. Increased Resource Requirements: Networks must grow as data centers connect to an increased number of users and partners from different networks. The trick is keeping pace with increased throughput needs without compromising performance of large-scale, high-bandwidth applications. Plus, these large networks often require significant human resources to help manage and maintain.

There simply aren't enough hours in the day and most organizations can't afford a large enough staff to continuously track everything on the network. And even if they could, this wouldn’t be the best use of highly trained IT security resources.

If the traffic can't be monitored effectively, then threats can potentially infiltrate the network.

So what steps can data center architects take to help protect the modern data center in the face of these risks?

1. Securing virtualized infrastructure: With respect to technology, consider solutions that provide the ability to inspect virtual networks, eliminate the blind spots that occur in virtual environments, and centralize management and control of all physical and virtual infrastructure. These solutions can include network monitoring tools, virtual intrusion detection and prevention systems, virtual firewalls, and solutions for file integrity monitoring and vulnerability scanning. On the organizational side, establish roles, responsibilities, and policies to enforce the segregation of duties.

2. Gaining real-time network visibility: Look for context-aware technologies that help identify different types of endpoints (such as a Blackberry, iPad, Android phone, etc.) entering the network, as well as new applications, operating systems, and users on the network. When coupled with the ability to automatically flag prohibited applications and link security and compliance events to specific users, these technologies become powerful tools to increase security despite the proliferation of endpoints and external users.

3. Securing bigger and faster networks: A combination of high-performance technology and automation capabilities is essential to effectively managing the growing scale and complexity of networks. Data center staff should review all security solutions to ensure they can keep up with the exploding bandwidth and throughput requirements of today’s growing networks. Additionally, automation capabilities that can maintain a real-time inventory of all assets on the network, detect any changes, and enforce network security policies eliminate time-consuming manual processes that bog down security procedures.

As data center architects respond to business demands to reduce costs, go green, offer more services, and support more users and growing amounts of data, they need to carefully consider the emerging security risks and how they can be addressed and mitigated. Organizations can transform their data centers with confidence by understanding potential new risks and addressing them accordingly.

Subscribe to the SecurityWeek Email Briefing
view counter
Marc Solomon, Cisco's VP of Security Marketing, has over 15 years of experience defining and managing software and software-as-a-service platforms for IT Operations and Security. He was previously responsible for the product strategy, roadmap, and leadership of Fiberlink’s MaaS360 on-demand IT Operations software and managed security services. Prior to Fiberlink, Marc was Director of Product Management at McAfee, responsible for leading a $650M product portfolio. Before McAfee, Marc held various senior roles at Everdream (acquired by Dell), Deloitte Consulting and HP. Marc has a Bachelor's degree from the University of Maryland, and an MBA from Stanford University.