Slide 1: Locking Down the Data Center of Tomorrow
By Kevin Beaver, CISSP
Founder and principal consultant - Principle Logic, LLC
4430 Wade Green Rd., Suite 180, Kennesaw, GA 30144
kbeaver@principlelogic.com
www.principlelogic.com
Copyright © 2003, Principle Logic, LLC, All Rights Reserved.
Slide 2: Kevin Beaver
- Information security consultant, author and trainer
- 15+ years of IT/security experience
- Specialize in security incident response, security assessments, network security, and security policy and strategy development
- Author of the upcoming book Ethical Hacking for Dummies by John Wiley and Sons
- Co-author of the new book The Practical Guide to HIPAA Privacy and Security Compliance by Auerbach Publications
- Author of the new book The Definitive Guide to E-mail Management and Security by Realtimepublishers.com
- Regular columnist and information security/HIPAA advisor for SearchSecurity.com, SearchMobileComputing.com, ITSecurity.com, and HCPro's Briefings on HIPAA newsletter
- Hold CISSP, MCSE, MCNE and IT Project+ certifications
- Bachelor's in Computer Engineering Technology from Southern Polytechnic State University and Master's in Management of Technology from Georgia Tech
Slide 3: What We'll Cover
- Current state of data center security
- The convergence of information and physical security
- Security technologies and practices required for the successful convergence of physical and information security
- Skills required of security professionals
- What to expect in the coming years
- Resources
Slide 4: Current State of Data Center Security
- Where everything security related comes together
  – Network, applications, physical
- Enable consolidation of information systems management and security within a controlled environment
- Heightened sense of criticality since 9/11
- There's a lot of good security, but there's also a lot of bad
  – Not necessarily as secure as they claim to be
Slide 5: What is Physical Security?
- Protection of people and physical property
- Traditional physical security involved guards, locks, keys, etc. – this is changing
- Physical security in buildings, including data centers, is becoming increasingly dependent on technical systems for control and monitoring
Slide 6: Physical and Information Security Risks
- Increase of insider threats
- Someone walking off with a laptop, server, software installation disks, etc.
- Malicious outsider gaining access to the data center
  – To obtain passwords
  – To install a network analyzer
- Malicious insider gaining access to CDs, tapes, hard copies of network diagrams or password lists
Slide 7: Past Paradigm
- Security to protect corporate assets is technology based
  – Firewalls
  – Intrusion detection
- Security systems typically found in discrete areas
  – Not across the organization
- Different security departments doing different things
  – Has resulted in various inconsistencies in meeting security policy requirements
Slide 8: …Past Paradigm
- Security has been seen as a roadblock to overall organization effectiveness in the past
  – Both physical and information security can be combined and now seen as a business enabler supporting the organization's mission and goals
Slide 9: Physical Security, meet Information Security
- Data center security is more than just protecting IT assets
  – We're now moving towards protecting enterprise assets
- The most valuable corporate assets are virtual
  – Electronically and in the minds of employees
- Many corporate assets are housed in critical data centers
- Physical security is established and mature for the most part
  – Information security is still in its infancy
Slide 10: …Physical Security, meet Information Security
- There are emerging governmental requirements forcing the collaboration of physical and information security
- Security management of the data center continues to be fragmented
- After many years of separation and strife, the two practices are coming together – especially in the data center environment
Slide 11: Similarities
- The goal of both is to keep the bad guys out and the "good" guys honest
- Each one uniquely contributes to the organization's bottom line
- Both require:
  – Identification of assets
  – Classification of assets
  – Assessment of risks
  – Implementation of countermeasures
  – Incident response expertise
Slide 12: Demands of Physical and Information Security
- An ever increasing skill set required for security leaders, managers and doers
  – Keeping up with the latest technologies
  – Understanding how to effectively respond to incidents
- Money
- Technology and computers
- Effective policies and procedures
- Layered protection – defense-in-depth
Slide 13: …Demands of Physical and Information Security
- Authorization – need to know basis
- Authentication
- Accountability
- Audit
- Destruction policies and procedures
- Ongoing awareness
- A good balance of security vs. convenience
- Both (especially infosec) are requiring stronger ties with law enforcement than ever before
Slide 14: You Must Find a Balance
- If you have a network that's secure but a data center building that's not
- OR
- If you have a data center building that's secure and a network that's not
  – They will defeat the purpose of each other
Slide 15: The Simple Truth
- Need more than just a guard and locked doors
- Need more than just firewalls and IDSs
- Security must be tightly integrated with every organizational function
- You can't force the two different departments to work well together – must give business reasons and incentives
- Must balance the requirements of both physical and information security
Slide 16: Where We're Headed
- Decentralization of data centers and corporate assets
- Tighter integration between physical and information security equipment
- The design goals of newer technologies will help support convergence of physical and information security
- Systems will be easier to use, making data center technology implementation, collaboration and change management simpler
Slide 17: …Where We're Headed
- The convergence of the two types of security will help further the information security cause
  – Management has always bought into physical security
  – It's now becoming more apparent that information security is a critical element as well
- Smaller computing devices such as PDAs, 1U servers, cell phones and laptops are just getting smaller, leading to more physical security issues
  – Nanotechnology devices both inside and associated with data centers are increasing the demand for physical and information security convergence
Slide 18: …Where We're Headed
- Prevention vs. protection
- Increased responsibilities on everyone's part
- Reduced costs, but possible increase in risks
Slide 19: Emerging Trends
- Enhanced biometric systems
- Increase in the number of uses of biometrics to facilitate both physical and information security in the data center
- Increased usage of identity management solutions
- Perimeter control has been – and will be even more so – the job of both physical and information security professionals
Slide 20: …Emerging Trends
- Need for greater physical and information security of wireless components within data centers
- Storage and management issues associated with RFID data
- Defense-in-depth will be even more important
Slide 21: …Emerging Trends
- Enhanced monitoring
  – Power, air and server conditions
  – Access controls
- Will require more human involvement
  – In the form of awareness, policies and procedures
- Increased use of temp/contract workers
  – Need to include these people in security policies and procedures
Slide 22: …Emerging Trends
- Open Security Exchange (OSE)
- OSE-compliant products from vendors
- More data center involvement from large vendors
- Development of data center education initiatives by the Association for Computer Operations Managers (AFCOM) and Marist College
- Overall the merger of the two will have a huge impact on organizations, employees, users and the industry as a whole
Slide 23: CSOs of the Future
- CSOs manage data centers among other things
- Role is still being defined
- Need a strong leader in this role
- Business and technical expertise
- Must build relationships with business managers
- Has authority within the organization to create and enforce security policies
Slide 24: …CSOs of the Future
- Ability to influence security-aware culture in and around the data center
- See CSO Magazine's State of the CSO report for more insight – www.csoonline.com/csoresearch/report56.html
Slide 25: A Few More Tips
- A security-aware culture will buy your data center more protection than all other efforts combined
- Policies and procedures should be integrated between physical and information security systems for the data center whenever possible
  – With management support of course
Slide 26: …A Few More Tips
- CISO and IT-only types may only be interested in information security
  – If so, s/he might not be the best fit for a CSO or director of data center security position
- A wise security officer (physical or information) will stay abreast of both
- If you're not sure about the physical security, contact some experts on it
Slide 27: Resources
- Open Security Exchange
  – www.opensecurityexchange.com/info/summary.htm
  – Physical Security Bridge to IT Security (PHYSBITS) Framework: www.opensecurityexchange.com/downloads/white_paper.pdf
- AFCOM
  – www.afcom.com
- (ISC)² Certified Information Systems Security Professional (CISSP) and ISSAP concentration
  – www.isc2.org
- ASIS Certified Protection Professional (CPP)
  – www.asisonline.org/certification/cpp/index.xml
- CSO job description
  – www.csoonline.com/research/executive/description.html
Slide 28: Resources
- CSO job description
  – www.csoonline.com/research/executive/description.html
- Physical security tips
  – www.techarch.state.ar.us/indexes/publications/physical.pdf
Slide 29: Closing Thoughts
- The physical security market is very strong now and it will take time for the two areas of security to successfully merge
- It will be impossible to ensure solid information security of the data center without the proper physical security controls – and vice versa
- It's essential to ensure that data is available after a disaster
  – This can only be possible when information and physical security systems and personnel work together
Slide 30: …Closing Thoughts
- Security initiatives driven from the bottom up usually aren't effective
- Haphazard combination of physical and information security can cause more problems than it solves
- A more secure data center can increase customer comfort level, helping to maintain customers and even drive more business
Slide 31: Questions?
You can submit your questions to Kevin by clicking on the Ask a Question link on the lower left corner of your screen.
Slide 32: Thank you
Thank you for participating in this SearchSecurity.com webcast. If you have comments or suggestions for future webcasts, please e-mail the moderator at webcast@searchSecurity.com