Data centre security: Moving beyond prevention...
When it comes to gateway and data center security, there's one aspect grabbing attention – and it's not a specific technology, as Heather Wright discovers.
Think gateway and data center security is just about the technology to secure the network and data center?
Think again, says Sid Deshpande, Gartner principal research analyst covering security infrastructure and services. Deshpande says incident response is now coming to front and centre for many organisations.
“We're seeing a lot of interest one level above prevention – what if it does go wrong? What are our policies for incident responses?” Deshpande says.
“There's an awareness of the need to focus beyond prevention to include a strategy for limiting damage when things do go wrong.” Gartner figures show that by 2020, 60% of enterprise information security budgets will be allocated to rapid detection and response approaches, up from less than 10% in 2014.
“Organisations are focused a lot more on what to do after a breach and are working to put in place policies for ensuring remediation for breaches is quick.”
Incident response procedures, he says, include the jobs different stakeholders will take to make sure the company is rid of the problem – in whatever form it may take – and to communicate to both internal and external stakeholders that status.
“It's particularly important where a company has a digital side to it – such as banks with internet banking or retailers with eCommerce. In those cases, IT infrastructure is directly customer facing and so there is a big impact if it goes down.”
He says he's also seeing organisations allocating budget for incident response not necessarily from the security budget. “With things like a distributed denial of service, or DDoS, attack there we are finding sometimes the funding comes from the business continuity or disaster recovery budget allocation.
“If the eCommerce platform is hit, there's a direct impact and that funding may come from other budgets too.” He says while pulling together an incident response plan can be 'complicated', following a structured approach can ease the way.
“A lot of organisations focus on security operations and monitoring and managing a single point of view, being able to detect incidents and analyse them while monitoring.” That, he says, may be handled via a security operations centre, however these are costly to run and issues with staffing and skills also come into play.
“Security or IT is usually not the main business or revenue generator, so to have a security operations centre in-house and staffed 24/7 is a complicated, time consuming and cost heavy process.” Instead, he says many will outsource that aspect to a managed security service provider.
“But beyond technology you need to have the processes and policy and the structure in place to follow in the case of a security event. Typically, a good incident response involves not just the IT centre but the chief security officer and other IT functions and business and risk divisions.
“It involves a whole lot of stakeholders.” And, he says, there's one thing to bear in mind when creating your plan or strategy. “Remember that the check list will have to be followed at a time of high stress and in an environment where things have to move fast and there's no time for restrategising.”
Specialisations
Deshpande says on the technology front, there is an increasing trend towards specialisation because advanced persistent threats are becoming more sophisticated in nature.
“So we're seeing a lot of network security products focused on a very specific outcome, such as email security, web gateways, next generation firewalls, advanced malware.”
Last year – and into this year – saw a number of mergers and acquisitions as security technology players bought up best of breed specialist offerings.
“We've seen endpoint security companies buy advanced malware protection specialists and web gateways adding advanced threat protection. Vendors are trying to add more context aware intelligence to their offering. There has been a lot of consolidation in the past year and a half, done to be able to offer as many pieces to the customer as possible.”
Where vendors are not in direct competition with each other, he notes it's not unusual to see them partnering up to provide complementary offerings. However, he says a 'complete security offering is really a misnomer'.
“No one solution can ever be complete in protecting all businesses.”
Extending boundaries
Deshpande says as organisations continue to explore cloud based offerings, the traditional boundaries of control are being expanded well beyond the data center.
By 2017, Gartner predicts 25% of corporate data traffic will bypass the enterprise network – meaning potentially less control for IT managers and CIOs.
“They're using social media, mobile, cloud and big data technologies and sometimes extending it outside of the organisation itself, so there is a need to consistently extend your security posture.” Identity and access management, he says, are particularly important in this case.
“There's also a requirement for mobile security solutions and a requirement for solutions that can adapt to mobile technologies in an efficient manner. And there are plenty of emerging solutions out there including cloud access security brokers and mobile device management offerings.”
Flawed assumptions
Meanwhile, Rob Johnson, Unisys distinguished engineer, says there is an underlying, flawed assumption that all businesses need to do to protect their data is to secure the gateway. “There is no longer a single (or multiple) known gateway to corporate networks,” he says.
“With Wi-Fi and 3G/4G capable devices, there is no longer a well-defined network perimeter. And the trend toward BYOD multiplies the risks to corporate security. Employee-owned, unmanaged smartphones, tablets and laptops bring the bad guys, in the form of malware, directly into the heart of an organisation.
“When those same devices are used to access corporate mission-critical assets, all bets are off.” Johnson says instead, companies must use a multi-layered security profile. “You must assume that your network is in a constant state of attack.
“Once you accept that reality, you can accept the fact that endpoints need to protect themselves, and they need to be protected from every other endpoint in the network.”
He says companies need a multi-layered security profile of checks and balances, designed to securely segment data centers, protecting business data and systems by cloaking strategic assets.
“The solution should be designed to assist organisations to deal with the security erosion of the general network perimeter by using data classification to establish smaller perimeters around related data and by allowing access on a strict need-to-know basis only.”
He says the solution should also be designed to establish communities of interest, using encryption and group membership, driven by LDAP access groups, including Microsoft Active Directory.
“The security profile needs to operate as software inside server and workstation components, so companies can implement communities of interest without network changes, application changes or end-user disruption.
“Additionally the solution must be designed to secure the entire data stream from data center to mobile devices.”
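The communities-of-interest approach Johnson describes, modelled as an added example (not code from the article or from Unisys): a constructed stand-in for LDAP/Active Directory group membership decides which community each endpoint belongs to, data classifications map to a community, and a flow is allowed only when both endpoints share a community, so an ungrouped BYOD device never sees the cloaked asset. All host names, group names and classifications are invented for the example; the real product's encryption layer is not modelled, only the policy decision.

```python
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed stand-in for LDAP / Active Directory group membership
# (endpoint -> set of COI groups). Not real directory data.
DIRECTORY_GROUPS: Dict[str, Set[str]] = {
    "finance-db-01":  {"COI-Finance"},
    "finance-laptop": {"COI-Finance", "COI-Staff"},
    "hr-db-01":       {"COI-HR"},
    "web-gateway":    {"COI-Staff"},
    "byod-phone":     set(),  # unmanaged device: in no group at all
}

# Data classification -> the single COI allowed to carry it (the "smaller perimeter").
CLASSIFICATION_COI: Dict[str, str] = {
    "financial-records": "COI-Finance",
    "personnel-files": "COI-HR",
    "intranet": "COI-Staff",
}

def communities_for(endpoint: str, groups: Dict[str, Set[str]] = DIRECTORY_GROUPS) -> FrozenSet[str]:
    """COI membership comes only from the directory; unknown or ungrouped hosts get nothing."""
    return frozenset(groups.get(endpoint, set()))

def can_talk(src: str, dst: str, groups: Dict[str, Set[str]] = DIRECTORY_GROUPS) -> bool:
    """Default deny: a flow is allowed only if both endpoints share at least one COI."""
    return bool(communities_for(src, groups) & communities_for(dst, groups))

def may_access(endpoint: str, classification: str, groups: Dict[str, Set[str]] = DIRECTORY_GROUPS) -> bool:
    """Need-to-know: an endpoint may hold data only if it is in that data's COI."""
    coi = CLASSIFICATION_COI.get(classification)
    return coi is not None and coi in communities_for(endpoint, groups)

def evaluate_flows(flows: Iterable[Tuple[str, str]], groups: Dict[str, Set[str]] = DIRECTORY_GROUPS) -> List[Tuple[str, str, str]]:
    """Decide a batch of (src, dst) flows; anything not explicitly allowed is dropped."""
    return [(s, d, "allow" if can_talk(s, d, groups) else "drop") for s, d in flows]

def revoke(endpoint: str, group: str, groups: Dict[str, Set[str]] = DIRECTORY_GROUPS) -> None:
    """Removing a directory group membership is all that is needed to cut access."""
    groups.get(endpoint, set()).discard(group)

if __name__ == "__main__":
    sample = [("finance-laptop", "finance-db-01"),   # same COI: allowed
              ("byod-phone", "finance-db-01"),       # no membership: dropped
              ("web-gateway", "finance-db-01")]      # different COI: dropped
    for s, d, verdict in evaluate_flows(sample):
        print(f"{s} -> {d}: {verdict}")
```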