Securing The Center

Heightened concerns about cyberterrorism and the increasing need to open internal networks to outside access are pushing corporations to bolster data center security, both on the IT front and physically.

The goal is to add multiple layers of protection and redundancy around the data center infrastructure and software while still maintaining the levels of service demanded by the business.

On the physical side, companies are boosting their business continuity and disaster recovery capabilities by buying and building redundant hardware and facilities and geographically separating their IT assets. The technology effort, meanwhile, is focused on supplementing traditional firewall protection with newer intrusion monitors, access control tools and tougher IT usage policies.

The need for such protection is being driven by cyberthreats and the growing use of the Internet to link companies with partners and customers, says David Rymal, director of technology at Providence Health Systems in Everett, Wash.

"There is an increasing pressure to enable wide and unfettered access from our business units. We are getting so many requests to open up ports in our firewall that pretty soon it is going to look like Swiss cheese," Rymal says. "The more of them you have open, the more vulnerabilities you create."

The whole notion of Web services, under which companies link their systems with those of external partners and suppliers, is only going to increase the need for better security, users say.

Adding to the pressures is the growing number of remote workers and the trend toward wireless applications. This has meant finding better ways of identifying and authenticating users and controlling the access they have on the network.

"You have to keep in mind that the minute you open your servers or services to the Internet, you are going to have bad people trying to get in," says Edward Rabbinovitch, vice president of global networks and infrastructure operations at Cervalis Inc., a Stamford, Conn.-based Internet hosting service.

While it's impossible to guarantee 100% security, companies should make things as difficult as possible for outsiders or insiders to steal or damage IT assets, IT managers say.

Cervalis' security, for instance, begins at its ingress points—where the Internet meets its networks. The company uses strict port control and management on all of its Internet-facing routers to ensure that open ports don't provide easy access for malicious attackers.

Redundant, load-balanced firewalls that are sandwiched between two layers of content switches filter all traffic coming in from the Internet. Network-based intrusion-detection systems are sprinkled throughout the Cervalis network.

Cervalis is beta-testing an anti-denial-of-service attack tool from Israeli start-up Riverhead Networks. The tool will let Cervalis quickly isolate denial-of-service traffic that's directed against a particular Web site or server belonging to a hosted customer, without affecting the rest of the network.

Companies are also building "air gaps" between their outside-facing applications and back-end data. Providence, for instance, doesn't permit external Internet connections or wireless access to terminate on any internal machine. It's far safer to end such connections outside the firewall and then tunnel all requests through secure services, Rymal says.

Antivirus and e-mail filtering tools are being supplemented in many companies with new measures aimed at reducing the risk of attack via e-mail.

"E-mail, to me, is always the weakest link, because you are open to just about anything and everything that comes over the [Web]," says George Gualda, CIO at Link Staffing Services Inc. in Houston.

Link prohibits attachments of certain types and sizes on its network. All Internet-based chatting is banned, and users aren't allowed to download and install software. Scripting functions are disabled to prevent unauthorized scripts from wreaking havoc, says Gualda.

Link uses a secure virtual private network (VPN) service from OpenReach Inc. in Woburn, Mass., to connect its 45 remote sites. The OpenReach VPN provides firewall and encryption services, but Link placed an extra firewall in front of the VPN anyway.

Compartmentalizing networks based on the services they run makes it easier to isolate and respond to security breaches, says Lee Robertson, chief of IT security at Schlumberger Network Solutions in London.

Schlumberger used this approach—together with a slew of access control, user authentication, strict port management and intrusion-monitoring techniques—to secure the internal network at the Winter Olympics in Salt Lake City earlier this year.

"If we saw an attack, we would have been able to rapidly shut off that portion of the network which was affected and bring the service back up [on a redundant network]," Robertson says.

Good security also requires good systems configuration management, says Tony DeVoto, systems manager at Montvale, N.J.-based Volvo Finance North America. Breaches often occur because companies fail to securely configure systems, or stick systems with easily crackable default configurations out on the Internet. Volvo uses Enterprise Configuration Manager from Woodland Park, Colo.-based Configuresoft Inc. to monitor configuration variables from each of its Windows NT and Windows 2000 servers.
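One way to monitor configuration variables against a secure baseline and catch servers left at weak defaults, as an added illustration that is not Configuresoft's product or Volvo's setup; the baseline, setting names, server names and snapshots are all constructed sample data.

```python
"""Configuration-baseline monitor (added illustration, constructed data).

Compares per-server configuration snapshots against a secure baseline and
flags settings that are missing, left at weak defaults, or drifted since the
previous snapshot. Setting and server names are constructed, not real keys."""
from dataclasses import dataclass

# Secure baseline: setting -> required value (constructed example values).
BASELINE = {
    "guest_account_enabled": False,
    "restrict_anonymous": 1,
    "lanman_auth_level": 5,
    "min_password_length": 8,
    "audit_logon_events": True,
}

@dataclass(frozen=True)
class Finding:
    server: str
    setting: str
    expected: object
    actual: object

def check_server(name: str, snapshot: dict) -> list:
    """One Finding per baseline setting that is absent or non-compliant."""
    findings = []
    for setting, expected in BASELINE.items():
        actual = snapshot.get(setting, "<missing>")
        if actual != expected:
            findings.append(Finding(name, setting, expected, actual))
    return findings

def drift(previous: dict, current: dict) -> dict:
    """Settings whose value changed between two snapshots: name -> (old, new)."""
    keys = previous.keys() | current.keys()
    return {k: (previous.get(k), current.get(k))
            for k in keys if previous.get(k) != current.get(k)}

def report(snapshots: dict) -> dict:
    """Server name -> list of findings, for every snapshot collected."""
    return {name: check_server(name, snap) for name, snap in snapshots.items()}

# Constructed snapshots: web01 is compliant, web02 still carries defaults.
SNAPSHOTS = {
    "web01": {"guest_account_enabled": False, "restrict_anonymous": 1,
              "lanman_auth_level": 5, "min_password_length": 8,
              "audit_logon_events": True},
    "web02": {"guest_account_enabled": True, "restrict_anonymous": 0,
              "lanman_auth_level": 5, "min_password_length": 8},
}

if __name__ == "__main__":
    for server, findings in report(SNAPSHOTS).items():
        print(server, "OK" if not findings else f"{len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.setting}: expected {f.expected!r}, found {f.actual!r}")
```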

Physical Security

Companies are also boosting the physical security around data centers, especially after Sept. 11.

Computer Horizons Corp. (CHC), a Mountain Lakes, N.J.-based company that offers human resources management software and managed hosting services for clients such as AT&T Corp. and Sabre Inc., has signed up to have Equinix Inc. host several of its managed application servers.

Mountain View, Calif.-based Equinix maintains a series of fortresslike data centers called Internet Business Exchanges, where clients connect to high-bandwidth lines from a variety of service providers.

Armed guards patrol each facility. Concrete bulwarks around each of the anonymous, warehouselike buildings protect the facilities from being rammed by vehicles laden with explosives. The walls of each Equinix data center—which are also hardened against earthquakes and fire—are lined with Kevlar, a material used in bulletproof jackets. The facilities are also windowless to protect against scanning.

"It would have been an enormous cost for us to have tried to do all this ourselves," says James Dipasupil, CHC's director of infrastructure services.

Running a data center out of such hardened facilities can greatly increase the comfort level of people who want to do business with you, says Mike Colon, IT manager at Simpata Inc. The Folsom, Calif.-based company provides human resources and salary-related processing services for employers.

Simpata houses all of its data center equipment in a hardened facility managed by Intel Corp. Apart from extensive physical security, Intel also provides a suite of disaster recovery and backup services, Colon says.

Like many other users these days, Simpata encrypts all data that flows from its hosted servers and client systems to protect against cracking. The servers are also constantly monitored against intruders. The result is far better security and peace of mind, not just for Simpata, but for its clients as well, Colon says.

Augmenting physical and electronic security measures with policies that are clearly articulated and enforced is also crucial, Gualda says.

Link has a tough IT usage policy that employees must abide by. Failure to comply can result in termination, says Gualda, who has fired two employees for this reason in the past. To enforce the policy, the company uses monitoring and auditing tools to inventory employee computer usage.

Securing operations also means regularly going through a checklist of maintenance items, IT managers say. Periodic reviews and external audits are also needed to ensure that there is adequate security.

"There is never going to be a 100% security solution; there is always a theoretical way for someone to find their way through," Rabbinovitch says. "The task, therefore, is to make it as challenging as possible for the hacker."


Protecting Data Center Services

Be sure to physically secure data centers and IT infrastructure. Protect against natural disasters, malicious attacks and internal threats.

Have multiple means of identifying and dealing with attacks. Supplement firewalls with host- and network-based intrusion monitors, antivirus software and access control technologies.

Compartmentalize networks, services and functions as much as possible. This makes it easier to manage risks and isolate failures.

Build business continuity and disaster recovery plans. Replicate data and services. Geographically separate critical IT assets where possible.

Have strong identity management and access controls. Know who's on your network, what they're doing and what they're allowed to access.

Secure wireless and remote access. Make sure telecommuters, mobile workers and outside partners don't leave an open doorway into your network.

Administer, audit and maintain. Regularly change passwords and IP addresses, update patches and antivirus software, delete old user accounts, and benchmark against best practices.

Back up data regularly.

Be prepared for incidents. Know what to do when attacked. Have an incident response team.

Spell out a clear IT policy to users, and enforce it. Stress the importance of using only approved services and strong password policies, and emphasize the risk of malicious attachments and other threats.


Cervalis Inc.'s MultiLayer Security Architecture

Multiple means of identifying an attack and protecting against it are crucial to companies trying to protect data centers while allowing Web access. That means having firewalls, network- and host-based intrusion-detection systems (IDS), access control lists and technologies for dealing with distributed denial-of-service (DDoS) attacks.



Copyright © 2002 IDG Communications, Inc.
