Data centers today contain a plethora of equipment, including database servers, application servers, web servers, load balancers, telecommunications and storage systems, redundant power supplies, environmental controls, and security devices. New devices are constantly being added to data centers as the range of equipment and devices that is IP-enabled continues to expand and the number of devices, such as smartphones, that must be supported grows.
Organizations use automation to streamline new business processes, reduce operational costs, and further improve efficiencies. In line with these needs, they are embracing new technology delivery models such as software as a service to drive down capital expenditures and are looking to consolidate their data centers for greater efficiencies. Data centers are also undergoing substantial change as a result of the growth in the use of virtualization technologies whereby a virtual version is created of systems such as hardware platforms, operating systems, storage devices, or network resources. To reduce complexity and to take advantage of new technology developments, many organizations are looking to consolidate or update their data center infrastructure.
In traditional data centers, security controls can be applied to each physical system, and systems with different levels of criticality or that contain the most sensitive data can be physically separated. However, the next-generation data centers that are being built today are very different in nature. They contain a mix of physical and virtual systems and must cater to the need to provide access to highly distributed collaborative applications as well as support systems that leverage cloud computing.
8 Best Practices for Data Center Security
The following checklist* summarizes best practices for data center security.
- Include security and compliance objectives as part of the data center design and ensure the security team is involved from day one. Security controls should be developed for each modular component of the data center—servers, storage, data and network—united by a common policy environment.
- Ensure that the approach taken will not limit the availability and scalability of resources, as these are prime reasons for investing in a next-generation data center.
- Develop and enforce policies that are context, identity and application-aware for least complexity, and the most flexibility and scalability. Ensure that they can be applied consistently across physical, virtual and cloud environments. This, along with replacing physical trust zones with secure trust zones, will provide for seamless, secure user access to applications at all times, from whatever device is used to connect to resources in the data center.
- Choose security technologies that are virtualization-aware or virtualization-enabled, with security enforced at the network level rather than on each server. Network security should be integrated at the hypervisor level so that it can discover existing and new virtual machines and follow them as they are moved or scaled up, allowing policy to be applied and enforced dynamically.
- Monitor continuously at the network level so that all assets, physical and virtual, that reside on the LAN are visible, including those that are offline, together with all interconnections between them. The monitoring must keep pace with dynamic network fabrics. Watch for missing patches and for application or configuration changes that can introduce exploitable vulnerabilities.
- Look for integrated families of products with centralized management that are integrated with, or aware of, the network infrastructure, or that share common monitoring capabilities, for unified management of risk, policy controls and network security. Such integration also yields detailed reports across all controls, providing the audit trail needed for risk management, governance and compliance objectives. Integrated families of products need not be procured from a single vendor; look for those that draw on the capabilities of a strong ecosystem of partners to provide a consolidated solution across all data center assets.
- Consider future as well as current needs and objectives at the design stage, such as whether access is required to public cloud environments.
- Define policies and profiles that can be segmented and monitored in multi-tenant environments. Consider security technologies that provide secure gateway connections to public cloud resources.
*Source: "Architecting the security of the next-generation data center," Bloor Research: www.bloorresearch.com
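One way to implement the consistent-policy and continuous-monitoring items from the checklist, as an added example that is not part of the Bloor Research source or any vendor product: a baseline check that treats physical, virtual and cloud assets identically, still reports on offline assets, and flags missing patches and configuration drift. The asset records, patch identifiers (KB-1, KB-2) and settings are constructed sample data.

```python
# Added example (not from the Bloor Research checklist): one baseline policy
# applied identically to physical, virtual and cloud assets, reporting missing
# patches and configuration drift; inventory and baseline are constructed data.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    kind: str                 # "physical", "virtual" or "cloud"
    app: str                  # application role the policy keys on
    online: bool              # offline assets are checked, not skipped
    patches: set = field(default_factory=set)
    config: dict = field(default_factory=dict)

# Constructed baseline per application role; deliberately says nothing about
# asset kind, so the same rule applies wherever the workload runs.
BASELINE = {
    "db":  {"patches": {"KB-1", "KB-2"}, "config": {"tls": "1.2", "remote_root": "off"}},
    "web": {"patches": {"KB-1"},         "config": {"tls": "1.2", "dir_listing": "off"}},
}

def check_asset(asset, baseline=BASELINE):
    """Return findings for one asset against its role's baseline."""
    expected = baseline[asset.app]
    findings = []
    for p in sorted(expected["patches"] - asset.patches):
        findings.append(f"{asset.name}: missing patch {p}")
    for key, want in expected["config"].items():
        got = asset.config.get(key)
        if got != want:
            findings.append(f"{asset.name}: config drift {key}={got!r} (expected {want!r})")
    if not asset.online:
        # Last-known state is still reported so offline hosts cannot hide drift.
        findings.append(f"{asset.name}: offline, findings based on last-known state")
    return findings

def check_inventory(assets, baseline=BASELINE):
    """Run the same checks over every asset regardless of its kind."""
    return {a.name: check_asset(a, baseline) for a in assets}

INVENTORY = [  # constructed sample inventory spanning all three asset kinds
    Asset("db01", "physical", "db", True, {"KB-1", "KB-2"}, {"tls": "1.2", "remote_root": "off"}),
    Asset("db02-vm", "virtual", "db", False, {"KB-1"}, {"tls": "1.2", "remote_root": "on"}),
    Asset("web03-cloud", "cloud", "web", True, {"KB-1"}, {"tls": "1.0", "dir_listing": "off"}),
]

if __name__ == "__main__":
    for name, findings in check_inventory(INVENTORY).items():
        print(name, findings or ["compliant"])
```

The report is keyed by asset name so it can be diffed between runs to detect new drift rather than re-reading every finding.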