Ensuring the data centre is secure should be a top priority for CISOs as the consequences of a breach are catastrophic. Industry experts from Vectra and Red Seal outline some of the biggest cyber-risks to data centres and offer their advice on how to ensure this critical infrastructure is protected.
What are some of the key cyber-risks to data centres?
Ammar Enaya, Regional Director – Middle East, Turkey and North Africa (METNA) at Vectra
Attackers are increasingly recognising that the keys to the kingdom can be found deeper in the physical devices used to build the data centre infrastructure. As a consequence, security practitioners need to secure their low-level data centre management protocols, such as Intelligent Platform Management Interfaces (IPMI).
These protocols are increasingly targeted by attackers because they create a backdoor into the virtualised data centre environment, access to the sub-OS environment and control over hardware resources.
In spite of these risks, these protocols are rarely effectively monitored by the security solutions in place.
In fact, 32% of IPMI servers have been found to run decades-old insecure versions, 5% were ‘secured’ by the default password, 30% had easily guessable passwords and only 72% had authenticated access. Today there are over 100,000 hosts responding to IPMI queries made across the public Internet, making it an attractive target for cybercriminals.
We’ll continue to see lower level architectural layers inside the data centre becoming increasingly targeted by cyberattacks.
This exposure represents an untapped opportunity for the channel to create long-term, strategic engagements and create value inside their clients’ organisations.
What best practice approach should data centre owners take to ensure the infrastructure is well protected against cyberattacks?
With cloud and VM mobility, it’s hard for security teams to even keep track of what workloads are where, never mind securing them. Having security detection and response tools that integrate directly with the hypervisor and/or cloud service can bridge that gap. The question then becomes how quickly and effectively can you detect and respond to developing attacks in your infrastructure?
Automation in cybersecurity can take some of the heavy load off the shoulders of human analysts and can make a considerable contribution to securing infrastructure.
AI has an increasingly important role in this respect, not to replace, but to augment humans and to make it easier for them to operate by providing them with security analysis and insights at a speed and scale impossible for humans to achieve.
This provides the opportunity to spot and respond to attacks that gain a foothold inside an organisation, before they can move, escalate privileges, and meet their nefarious end game goals.
All defences are imperfect and you increasingly achieve diminishing returns for additional layers of defence.
Security leaders must adopt a healthy paranoia of ‘I’m already compromised, where and how?’ and it is imperative to take an early detection and response approach to active attacks.
Mike Lloyd, CTO, RedSeal, outlines why, when it comes to resilience, it’s crucial to have the basics covered.
When thinking about risks to data centres, I’m reminded of an old bank robber story – when asked why he robbed banks, he replied ‘because that’s where the money is’. It’s always good to think like an attacker.
The people who build applications inside data centres may appreciate the benefits of security, but they tend to think about it narrowly. They focus on how to secure the aspect they are familiar with – if they understand users, they think a lot about single sign-on and federated identity, which is great, but it’s not the whole of security.
Likewise, the people most familiar with databases tend to think about the problem in database terms – row-level and column-level access controls, etc. All this siloed thinking, though, tends to make a data centre with a scatter of security ideas sprinkled around it, but no coherent overall design.
Imagine a corporate building built in this haphazard way, where some people lock their file cabinets, but others don’t, some labs have security and some don’t, and all the while, the building has no badge readers at the edge, because nobody was thinking about the big picture.
Security failures are almost always about gaps. As the crypto nerds have found, the security arms race really isn’t about evil genius hackers breaking yesterday’s cipher math, forcing us up to a new mathematical level.
Instead, real database breaches are because someone exposed their AWS bucket to the Internet, when it was only supposed to be reachable internally. Security, or the lack of it, is all about defensive gaps. This means the only viable defence is to think about the system as a whole, identify gaps and prioritise them. Narrow thinking about one control or one security technology won’t work – the attackers will just find a path in that evades your elaborate control. Breadth is far more important than depth. It’s far more important to check that every basic control has been implemented consistently, than to get into the depths of the countermeasure of the month.
In a sense, this is good news – if you need to increase the defensive posture of a data centre, your best next step is almost certain to be a simple one, where some of the Center for Internet Security (CIS) Top 20 basic controls are not in place or not being used properly.
The hard part is consistency – humans are not that good at being thorough and if you only lock 99% of the doors, the bad guys will find that other 1% through simple persistence.
Attackers use automation to search out any corner of your data centre that is weak and so the defenders need to use automation too, to find the defensive gaps before they are exploited.
This means looking at the whole environment, end to end and checking the basics – is the inventory complete? Are the access controls enforced consistently? Do you have a pre-set plan to shut down or isolate any asset that proves to be compromised?
Being resilient in the face of cyberattacks is about doing the basics well.
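The IPMI exposure figures above and the closing checklist (is the inventory complete, are controls enforced consistently) both come down to an automated gap check. The following script is an added example and is not code from the article, Vectra or RedSeal; it cross-checks a constructed BMC inventory against a constructed list of hosts seen answering IPMI, using an assumed policy that BMCs must sit in a dedicated management network and run IPMI 2.0 without vendor default passwords.

```python
"""Automated gap check for IPMI/BMC management interfaces (added example).

Reports the gaps the interviewees describe: BMCs answering on the wire but
missing from inventory, BMCs outside the dedicated management network,
default passwords, and firmware still speaking IPMI 1.5 (no RMCP+).
"""
import ipaddress
from dataclasses import dataclass

# Assumed policy: every BMC must live in this management network (hypothetical).
MGMT_NET = ipaddress.ip_network("10.20.0.0/16")
REQUIRED_IPMI_VERSION = "2.0"

# Constructed inventory: what the CMDB says each BMC should look like.
INVENTORY = {
    "bmc-rack01": {"ip": "10.20.0.11", "ipmi_version": "2.0", "default_password": False},
    "bmc-rack02": {"ip": "203.0.113.45", "ipmi_version": "2.0", "default_password": False},
    "bmc-rack03": {"ip": "10.20.0.13", "ipmi_version": "1.5", "default_password": True},
}

# Constructed result of an internal discovery run: addresses that answered IPMI.
OBSERVED_RESPONDERS = ["10.20.0.11", "10.20.0.13", "10.20.0.99"]


@dataclass(frozen=True)
class Finding:
    asset: str   # inventory name, or the bare address for unknown responders
    issue: str


def find_gaps(inventory, observed):
    """Return the list of gaps, sorted by asset name, for the given inputs."""
    findings = []
    known_ips = {entry["ip"] for entry in inventory.values()}
    # Inventory gap: something answers IPMI but nobody owns it in the CMDB.
    for ip in observed:
        if ip not in known_ips:
            findings.append(Finding(ip, "responds to IPMI but is not in inventory"))
    # Consistency gaps: every known BMC is held to the same basic controls.
    for name, entry in inventory.items():
        if ipaddress.ip_address(entry["ip"]) not in MGMT_NET:
            findings.append(Finding(name, "BMC address is outside the management network"))
        if entry["default_password"]:
            findings.append(Finding(name, "BMC still uses the vendor default password"))
        if entry["ipmi_version"] != REQUIRED_IPMI_VERSION:
            findings.append(Finding(name, f"IPMI {entry['ipmi_version']} lacks RMCP+ authentication"))
    return sorted(findings, key=lambda f: f.asset)


if __name__ == "__main__":
    for finding in find_gaps(INVENTORY, OBSERVED_RESPONDERS):
        print(f"{finding.asset}: {finding.issue}")
```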