Achieving true, across-the-board security for your enterprise data center can be a major challenge. Many of the same elements that make your data center so vital to your business, including data storage, highly connected networks and cloud infrastructure support, also increase your organization’s potential security threats. And while hackers will always target your enterprise’s data for profit, you also need to remember that other potential threats, like physical security, the Internet of Things and your own internal people, must be managed carefully. Here are four data center security challenges that aren’t always obvious but must be managed effectively.
Threat #1: Your People
There’s no denying it; people are your greatest risk to data center security. Even if you have the best technology in place, if your people aren’t of the highest caliber (and many times, even if they are), your data center will still be at risk. Employees are an important part of keeping your data center up and running, so insider threats must be considered, no matter how strict your hiring processes.
A recent study from Vormetric found that 50 percent of IT security managers are concerned about security threats instigated by employees, while 43 percent worry about third-party access to company networks and data and 38 percent see privileged users, such as IT admins, as risks. Renowned former hacker Kevin Mitnick further explains why people are your greatest risk to enterprise security. He writes, “All of the firewalls and encryption in the world can’t stop a gifted social engineer from rifling through a corporate database. If an attacker wants to break into a system, the most effective approach is to try to exploit the weakest link—not operating systems, firewalls or encryption algorithms—but people. You can’t go and download a Windows update for stupidity… or gullibility.”
To mitigate these risks, hold continuous data security trainings for employees across your organization—not only in the IT department but in HR, finance, etc. Teach employees never to rely on someone’s word alone (e.g., “I forgot my badge,” or “I’ve been working closely with [Name]”) to get past security procedures or secure checkpoints. Conduct thorough background checks, and put fail-proof physical security in place throughout your facilities. You may even consider sending “practice” phishing emails to see how employees respond, or using other such situational awareness training tactics.
Threat #2: Your Physical Security
Speaking of physical security, many organizations gloss over this element when planning their data security strategy, focusing more on cybersecurity threats. But physical security shouldn’t be an afterthought. As Jason Destein, a technology consultant for Ingram Micro’s Physical Security business unit, explains, “[Organizations] put one access control reader at the front door and think they’re safe, failing to recognize that the people working inside the data center could be a threat.” Even if you have the best cybersecurity plans in place, it’s still possible for individuals to physically threaten your data center(s). The best way to avoid risk is to have a good combination of both.
Here are a few physical solutions you can put in place to prioritize physical security in your data center(s):
- Alarms: These should include motion detection, breakage sensors and door sensors.
- Access Control: Limit the individuals who have access to certain areas/rooms within your data center, and use multiple forms of authentication when possible.
- Video Cameras: Focus on inside and outside doors, and add at least one in each server room—preferably one per rack row.
- Water & Temperature Sensors: Put alerts in place if pipes break/flooding occurs. Temperature sensors should send alerts if the AC fails and the room/hardware overheats.
Threat #3: Your Physical IT Assets
The physical security of IT assets is also often overlooked. Many data centers have loose drives or outdated servers in storage closets or in other areas of the enterprise location(s). These IT assets present a risk of being lost or stolen if not sanitized in an efficient manner; they also take up space you could be using otherwise. If a company cannot account for a data-bearing device, it can’t be sure whether it’s been lost or stolen. These situations often come to light with equipment inventory reports. The enterprise must then determine if a data breach has occurred and if its data has been compromised.
Of course, none of these situations is ideal. It’s best that you don’t have IT assets sitting around waiting for the decommissioning process. Whether you’re using physical destruction, software-based data erasure or a mix of both, you need to make sure your IT assets are cleared of data before they ever even leave your facility—even if they’re on the way to an ITAD for physical destruction. Security issues can happen in-transit. It’s always best to erase first, just in case. In addition, sometimes physical assets are also redeployed inside the data center for new user groups or end customer data; these assets must be erased before reconfiguration and redeployment.
If you have any concerns about your data sanitization and decommissioning process, download our Data Center Gap Analysis for IT Asset Decommissioning to benchmark your data center against industry best practices.
Threat #4: The Internet of Things (IoT)
Both a threat and an opportunity, the Internet of Things is predicted to grow to 26 billion units globally by 2020, according to Gartner. With more devices and connections come more unknown variables, bringing new and unforeseen challenges in the enterprise data center.
Recent server vulnerability events, such as Heartbleed, indicate these potential dangers. Malware and other cyber security threats can quickly spread, but many IT pros aren’t making IoT security a priority. As technology pro Jaikumar Vijayan explains, “The challenge for IT is less about technology and more about getting ahead of the security curve. Many of the technology controls needed to secure a highly connected world already exist. What CISOs and other IT managers need to focus on are policy and process – specifically, developing secure deployment practices and policies and putting in place architectural foundations for accommodating new IP-enabled devices.”
8 Ways to Prevent IoT Threats:
- Always change the default password on connected devices.
- Read the terms and conditions. Understand what data is being collected and what type of threats might exist.
- Consider outsourcing storage and networking functions when possible. The more devices you have connected, the more ways there are for hackers to infiltrate your network.
- Keep the software updated on all your connected devices to receive any bug fixes. If your devices haven’t been updated in several months, update them as soon as possible.
- Issue device ID certificates to each device at the point of manufacturing to establish identity and facilitate authentication to service and other devices.
- Encrypt IoT data, including stored data, to prevent interception.
- Securely erase the data from IoT devices at end-of-life.
- Use signed digital certificates with code signing of firmware/software updates. Only communicate with devices using SSL certificates.