Data center security explained

Data center security is the set of policies, precautions and practices adopted at a data center to avoid unauthorized access and manipulation of its resources.[1] The data center houses the enterprise applications and data, hence why providing a proper security system is critical. Denial of service (DoS), theft of confidential information, data alteration, and data loss are some of the common security problems afflicting data center environments.[2]

Data security issues can be harmful to many companies sometimes, so it is very important to know what are the issues and find useful solutions for them. The purpose of data security is to protect digital information from unauthorized access. It is also important to note that data security is different from data privacy. There are many situations where data center security would be threatened on, especially for cloud-based data.

Overview

According to the Cost of a Data Breach Survey,[3] in which 49 U.S. companies in 14 different industry sectors participated, they noticed that:

Many big companies nowadays are using the cloud to store their and their customers' data, but the risks of saving data in the cloud can be enormous. Cyber attacks can be very harmful to many companies. There were 64% of companies worldwide that had troubles with cyber attacks in the year 2020 alone.[4] Some cyber attacks targeted personal information such as identity theft can hurt someone's credits with life-changing influences.

The need for a secure data center

Physical security is needed to protect the value of the hardware therein.[5]

Data protection

The cost of a breach of security can have severe consequences on both the company managing the data center and on the customers whose data are copied. The 2012 breach at Global Payments, a processing vendor for Visa, where 1.5 million credit card numbers were stolen, highlights the risks of storing and managing valuable and confidential data.[6] As a result, Global Payments' partnership with Visa was terminated;[7] it was estimated that they lost over $100 million.

Insider attacks

Defenses against exploitable software vulnerabilities are often built on the assumption that "insiders" can be trusted.[8] Studies show that internal attacks tend to be more damaging because of the variety and amount of information available inside organizations.

Vulnerabilities and common attacks

The quantity of data stored in data centers has increased, partly due to the concentrations created by cloud-computing[3]

Threats

Some of the most common threats to data centers:

Vulnerabilities

Common vulnerabilities include:

Exploitation of out-of-date software

Many "worm" attacks on data centers exploited well-known vulnerabilities:

Exploitation of software defaults

Many systems are shipped with default accounts and passwords, which are exploited for unauthorized access and theft of information.

Common attacks

Common attacks include:

Network security infrastructure

The network security infrastructure includes the security tools used in data centers to enforce security policies. The tools include packet-filtering technologies such as ACLs, firewalls and intrusion detection systems (IDSs) both network-based and host-based.

ACLs (Access Control List)

ACLs are filtering mechanisms explicitly defined based on packet header information to permit or deny traffic on specific interfaces. ACLs are used in multiple locations within the Data Center such as the Internet Edge and the intranet server farm. The following describes standard and extended access lists:

Standard ACLs: the simplest type of ACL filtering traffic solely based on source IP addresses. Standard ACLs are typically deployed to control access to network devices for network management or remote access. For example, one can configure a standard ACL in a router to specify which systems are allowed to Telnet to it. Standard ACLs are not recommended option for traffic filtering due to their lack of granularity. Standard ACLSs are configured with a number between 1 and 99 in Cisco routers.

Extended ACLs: Extended ACL filtering decisions are based on the source and destination IP addresses, Layer 4 protocols, Layer 4 ports, ICMP message type and code, type of service, and precedence. In Cisco routers, one can define extended ACLs by name or by a number in the 100 to 199 range.

Firewalls

A firewall is a sophisticated filtering device that separates LAN segments, giving each segment a different security level and establishing a security perimeter that controls the traffic flow between segments. Firewalls are most commonly deployed at the Internet Edge where they act as boundary to the internal networks. They are expected to have the following characteristics: Performance: the main goal of a firewall is to separate the secured and the unsecured areas of a network. Firewalls are then post in the primary traffic path potentially exposed to large volumes of data. Hence, performance becomes a natural design factor to ensure that the firewall meets the particular requirements.

Application support: Another important aspect is the ability of a firewall to control and protect a particular application or protocol, such as Telnet, FTP, and HTTP. The firewall is expected to understand application-level packet exchanges to determine whether packets do follow the application behavior and, if they do not, do deny the traffic.

There are different types of firewalls based on their packet-processing capabilities and their awareness of application-level information:

  1. Packet-filtering firewalls
  2. Proxy firewalls
  3. Stateful firewalls
  4. Hybrid firewalls[2]

IDSs

IDSs are real-time systems that can detect intruders and suspicious activities and report them to a monitoring system. They are configured to block or mitigate intrusions in progress and eventually immunize the systems from future attacks. They have two fundamental components:

Layer 2 security

Cisco Layer 2 switches provide tools to prevent the common Layer 2 attacks (Scanning or Probing, DoS, DDoS, etc.). The following are some security features covered by the Layer 2 Security:

Security measures

The process of securing a data center requires both a comprehensive system-analysis approach and an ongoing process that improves the security levels as the Data Center evolves. The data center is constantly evolving as new applications or services become available. Attacks are becoming more sophisticated and more frequent. These trends require a steady evaluation of security readiness.

A key component of the security-readiness evaluation is the policies that govern the application of security in the network including the data center. The application includes both the design best practices and the implementation details.[2] As a result, security is often considered as a key component of the main infrastructure requirement. Since a key responsibility of the data centers is to make sure of the availability of the services, data center management systems often consider how its security affects traffic flows, failures, and scalability. Due to the fact that security measures may vary depending on the data center design, the use of unique features, compliance requirements or the company's business goals, there is no set of specific measures that cover all possible scenarios.[23]

There exist in general two types of data center security: physical security and virtual security.[24]

Physical security

The physical security of a data center is the set of protocol built-in within the data center facilities in order to prevent any physical damage to the machines storing the data. Those protocols should be able to handle everything ranging from natural disasters to corporate espionage to terrorist attacks.[25] To prevent physical attacks, data centers use techniques such as:

Virtual security

Virtual security is security measures put in place by the data centers to prevent remote unauthorized access that will affect the integrity, availability or confidentiality of data stored on servers.[29]

Virtual or network security is a hard task to handle as there exist many ways it could be attacked. The worst part of it is that it is evolving years after years. For instance, an attacker could decide to use a malware (or similar exploits) in order to bypass the various firewalls to access the data. Old systems may as well put security at risk as they do not contain modern methods of data security.[24]

Virtual attacks can be prevented with techniques such as

Company security

Some possible strategies on how to upgrade data security in a company:

  1. Determine the risks. Find all the tools that may store the data such as computers and databases, and make sure everything is stored in a compliant manner.
  2. Review current data security systems. Check for any updates in the current data security system if there are one. Sometimes, the stale data should be removed and it is also helpful to have cleanup software installed to help the company delete the unused or unneeded data.
  3. Gather a data security team. Build a professional internal security team that can help the company to secure its data and save money on hiring other security teams. The security team must have a recovery plan just in case something unexpected may happen.
  4. Update data security approach. Make sure only the authorized people can access the system. Encryption software is needed because it can protect the data from people who decrypt the system. If the proper key was not provided, the software can make the data seem useless to other people. Data masking software is another software that is helpful since it can hide some sensitive information from being seen. The last software is risk assessment software, which is a tool that helps users to monitor and check their network securities.

Notes and References

  1. News: . Report Finds Fault With E.M.S. Computers . Craig Wolff . December 13, 1989 . too many E.M.S. employees have access to ....
  2. Maurizio Portolani, Mauricio Arregoces(2004). Data Center Fundamentals. Publishers, Cisco Press, 800 East 96th Street Indianapolis, IN 46240 USA, Chap.5
  3. The Four Layers of Data Center Physical Security for a comprehensive and integrated Approach https://www.anixter.com/content/dam/Anixter/White%20Papers/12F0010X00-Four-Layers-Data-Center-Security-WP-EN-US.pdf
  4. Web site: What You Need to Know About Data Security in 2021 . 2022-04-10 . Security Intelligence . en-US.
  5. News: Data center robbery leads to new thinking on security.
  6. News: . Jessica Silver-Greenberg . After a Data Breach, Visa Removes a Service Provider . April 2, 2012.
  7. News: The Wall Street Journal (WSJ) . Card Processor: Hackers Stole Account Numbers . Visa yanked its seal of approval . Robin Sidel . April 2, 2012.
  8. 2003 CSI/FBI report "Computer Crime and Security Survey."
  9. Web site: David Moore . Colleen Shannon . 2001 . The Spread of the Code-Red Worm (CRv2) . 2006-10-03.
  10. Web site: Net-Worm: W32/Nimda Description . F-secure.com (F-Secure Labs).
  11. Web site: John Leyden . February 6, 2003 . Slammer: Why security benefits from proof of concept code. .
  12. Web site: Port Scan attacks and its detection methodologies .
  13. Web site: Security Against Probe-Response Attacks in Collaborative Intrusion Detection . Vitaly Shmatikov . Ming-Hsiu Wang . The University of Texas at Austin.
  14. Web site: Understanding Denial-of-Service Attacks . US-CERT . February 6, 2013 . May 26, 2016.
  15. Khalifeh,, Soltanian, Mohammad Reza. Theoretical and experimental methods for defending against DDoS attacks. Amiri, Iraj Sadegh, 1977-. Waltham, MA. . OCLC 930795667.
  16. GIAC Certifications. Global Information Assurance Certification Paper.
  17. https://web.archive.org/web/20170811143412/https://en.oxforddictionaries.com/definition/eavesdrop "eavesdrop - Definition of eavesdrop in English by Oxford Dictionaries"
  18. Barwise, Mike. "What is an internet worm?". BBC.
  19. Stallings, William (2012). Computer security : principles and practice. Boston: Pearson. p. 182. .
  20. http://news.bbc.co.uk/2/hi/technology/6929258.stm "Warning of webmail wi-fi hijack"
  21. Web site: Modern Overflow Targets.
  22. Li. Q.. May 2019. LSTM-Based SQL Injection Detection Method for Intelligent Transportation System. IEEE Transactions on Vehicular Technology. 68. 5. 4182–4191.
  23. Cisco SAFE Reference Guide https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap4.pdf chap.4
  24. Rich Banta Types of Data Center Security
  25. Sara D. Scalet 19 ways to build physical security into your data center
  26. https://www.accesscorp.com/wp-content/uploads/2016/03/AccessFileBRIDGE_SecurityDataCenterOverview.pdf Security and Data Center Overview
  27. https://cloud.google.com/security/infrastructure/design/#introduction Google Infrastructure Security Design Overview
  28. Iliad Data Center, 'Data Center Security' chap.4
  29. https://cloud.google.com/security/infrastructure/design/#introduction Securing Microsoft's Cloud Infrastructure
  30. Web site: Data Centre Management . 2018-06-30 . 2022-11-23 . https://web.archive.org/web/20221123221020/https://ito.hkbu.edu.hk/pub/is_newsletter/professional/Issue_08_DCM/JUCC%20Newsletter-IT-8%20DCM.pdf . dead .