Security

How Well Do You Understand Today's Threats to Data Center Security?

Data centers have evolved, and IT professionals need new tools and tactics for protecting them.

Yesterday's security approaches won't necessarily work today.

The original model for data center security was based on the assumption that threats were external. The security architecture to defend these facilities focused on establishing a network perimeter between the data center and the outside world. The basis of this perimeter was a firewall, which would examine all north-south traffic, which flowed between the data center and the internet. The firewall looked for violations of security policies and other indications of suspicious activity in this data traffic. It then took actions such as blocking traffic, logging additional information and notifying human administrators.

While data centers still have a need to look for external threats within north-south traffic, monitoring security threats has become far more complex. For example, client devices accessing servers hosted at the data center pose a considerable threat. Client devices used to be homogeneous, centrally managed desktop computers located at an organization’s facilities and protected by enterprise security controls. Compromises of client devices caused by malware and other exploits were quickly detected and corrected.

This is no longer the case in most environments. Client devices are widely varied in terms of the operating systems and applications they run, the vulnerabilities they have, the security controls they use, and the physical locations from which they connect to IT resources. Many client devices are the personal hardware of the user and often employ no security controls at all. IT managers have found that they can no longer assume that client devices aren’t compromised or that compromises will be rapidly detected and eradicated. In this new environment, each client device poses a separate threat.

Another change in data center security threats involves servers within the data center interacting with each other. Unintentional threats have always been a concern, such as a server infected with malware spreading the infection to other servers within a data center. But today, intentional threats may also be an issue. In a data center with multiple customers, such as a public cloud environment, one customer may attempt to compromise another’s server in order to steal proprietary information or tamper with records.

Network traffic between data center servers is known as east-west traffic. Monitoring this traffic has become essential to finding and stopping threats. Many data centers have far more east-west traffic than north-south traffic (client-to-server traffic), so ignoring east-west traffic means that attacks between virtual or physical servers can go unnoticed. Also, data centers are increasingly hosting high-value applications and sensitive data that previously resided on internal networks that were more isolated and thus better protected. Further, modern data centers must provide logging and auditing services for applications and data in support of operations, such as security compliance initiatives or audit requirements.

Data center operators also must understand how threats have advanced from previous generations. The typical pattern for current threats is to slowly and stealthily pass through an organization’s servers, avoiding detection while moving toward an ultimate target server. Most of today’s threats seek to access and copy sensitive data before transferring it to an external location for financial gain.

Attackers often start their work by gaining access to a rank-and-file user’s authentication credentials. Common ways of achieving this are infecting a client device with malware to capture the credentials, or using phishing or other social engineering techniques to trick the user into supplying credentials to an attacker. The attacker can then use the credentials to gain access to a particular server within the data center, and possibly other servers that support the same credentials. The attacker may need to use other exploits to elevate privileges, gain access to more user accounts or otherwise continue making progress toward the target server. Once the attacker gains access to the target, a final exploit will enable transfer of sensitive data to a system of the attacker’s choosing outside the data center.