In a recent Q&A session, Joe Clapp and I were asked to address the security risks that the continuing technological change in cloud data center poses. Following are our responses to the most common risks associated with cloud data center change and our recommendations how to safeguard data given these considerations.
Data and data handling needs created by emerging technologies
I would encourage IT managers and executives not to shy away from emerging big data technologies as long as their organization adheres to basic data handling tenants such as:
- Keep up-to-date inventories of the data they are responsible for. Know where the data exists, who owns the data, who has access and what type of data it is stored (Financial, Health, or Corporate Confidential).
- Follow regulations regarding data disposal. If no regulatory requirement exists, make a corporate policy and follow it. By disposing of the data you no longer need you will lower your corporate exposure.
- Mandate access controls to all data and keep access logs in a separate data warehouse.
Big data growth itself, which makes data centers an ever more attractive target
As evidenced by the Office of Personnel Management (OPM) breach, large data aggregations are an attractive target for both state sponsored attackers and cybercriminals. High profile breaches are helping to drive organizations to encrypt data at rest.
As organizations develop an understanding of how easy it can be to re-identify data when someone has access to multiple disparate data sets, it is clear that it is important to encrypt not only critical ID numbers, but data that has been traditionally been considered less sensitive.
On the other hand, big data analysts would like to avoid encrypting data at rest. The decryption required to perform analysis becomes a big performance impact when dealing with very large data sets. To optimize performance it is also important to understand how the data will be queried in order to understand what data has to be indexed. That requirement is counter to some big data projects that are trying to discover new correlations.
The Agile Data Center
The biggest security challenge for organizations adopting the agile data center approach is to establish and maintain good IT governance. While delivering an elastic infrastructure, or more despairingly known as instant gratification, organizations still need to maintain good security controls. The controls are not new. For example, organizations need to have governance in place to decide when changes warrant additional penetration testing before deploying to production.
There are also challenges in establishing proper baselines to ensure SIEMs, IDS, and IPS systems are functioning correctly. Ensuring that all real incidents are reported and that false positive are kept to a minimum is a challenge when resources can be dialed-up and down on demand.
Adapting to IoT
Many IoT devices are typically designed initially for the consumer market, but IT departments need to be prepared for users demanding or deploying the devices in the enterprise. So far, IoT has a poor security record. Few companies creating the devices appear to have thought through all the threats or considered the risks to customers faced with determined attackers.
For IT departments, IoT devices can’t be required to conform to existing secure build standards. IT departments are unable to install inventory agents on the devices, and have difficulty in learning what known vulnerabilities may be present on the device. For example, does the device contain a bash vulnerability? Does it contain an outdated version of OpenSSL?
IoT should cause more organizations to deploy Network Access Control (NAC), and will also likely motivate more organizations to perform frequent internal vulnerability scans using products like Nessus and QualysGuard.
Paul Hill has worked with SystemExperts as a principal project consultant for more than twelve years assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services. He joined SystemExperts full time in March 2012 and coordinates the SMARTday practice.