While the infamous bank robber Willie Sutton never said that he robbed banks because that's where the money was, it was a good strategy just the same. For hackers, data centers are the place to be because they hold an organization's crown jewels.
As a result, a trio of trends are driving a rethink of how best to secure data centers:
More hosting means more options
Hosting creates opportunities to implement security technologies and practices that would have been prohibitively expensive or difficult when everything was in house. One example is ringing data centers with next-gen firewalls that focus on prevention rather than detection by scrutinizing requests before granting access, all without adding unacceptable amounts of latency in the process.
"Those are additional layers of protection that we never would have considered in the past to put around data centers," says Jason Rader, national practice director of security services at Datalink Corp. (Nasdaq: DTLK), a data center provider. "We used to never be able to do that because of the speed it would have cost us."
Growing third-party access means more back doors
Organizations also are increasingly giving business partners, vendors and other third parties access to those data centers, regardless of whether they're run in house or by a data center operator. One example is Target Corp., which gave an HVAC contractor access to its IT network to facilitate electronic billing, contract submission and project management. By attacking the contractor and turning it into a back door, hackers got access to credit and debit card information for roughly 110 million Target customers.
Each additional ingress and egress point increases the challenge of making sure the bad guys aren't getting through. "It's harder to track data flows from an application perspective," Rader says. "So you've got to design those environments especially for the ability to detect and analyze the flows."
BYOD inches toward becoming the rule rather than the exception
This year, Gartner Inc. predicts that 40% of organizations will have stopped providing their employees with smartphones and tablets because it's significantly cheaper to allow them to use their personal devices for work. If hackers can compromise those devices, for example because employees balk at employer security policies, the devices become yet more back doors. This risk is exacerbated by the way many organizations authenticate devices, regardless of who owns them.
"Even when you authenticate through Active Directory or whatever directory service, you're typically authenticated only one time," Rader says. "Then you have access to everything in the organization."
Not surprisingly, many IT experts recommend end-to-end encryption to provide an additional layer of security.
"It is no longer a matter of if you will be breached, but when, and attackers could already be inside your perimeter," says Reiner Kappenberger, global product manager for data security, at Hewlett Packard Enterprise. "In addition, today's security threats have made the traditional approach of providing data protection at rest in data centers no longer enough, as this only protects against improper disposal of hard drives and physical theft of hardware. The most effective data center security implementations take a data-centric approach that utilizes format-preserving encryption and tokenization solutions to protect the data at rest, in motion and in use."
A data-centric approach such as encryption also can be an attractive alternative to strategies that require forklift upgrades and other extensive, expensive changes.
"Organizations fear that they will need to change the data infrastructure architecture, as this is a lengthy and costly process," Kappenberger says. "With a data-centric security approach, organizations do not need to change the infrastructure architecture since it is not changing the application, only modifying the data underneath and adding a small layer for key management."
But one big barrier to end-to-end encryption is the burden it puts on processors and batteries in laptops, smartphones, tablets and Internet of Things (IoT) devices. CENTRI's BitSmart platform is an example of how some vendors are addressing that concern with mobile-friendly encryption solutions.
"The old philosophy of 'Let's build a wall around the whole thing and protect it that way so nobody gets in,' we just can't do that anymore," Rader says. "That's not practical. Somebody is going to get in. The detective capabilities and remediation capabilities are things we need to focus on more. Where it's going to give you the most bang for the buck is where the core data center components are."
— Tim Kridel, Freelance Contributor, special to The New IP