FEEDBACK: What is your most worrisome data center security issue?
Send your feedback to the SearchSecurity.com news team.
There's an increase in awareness, but not in spending and not in priority, which of course is counterintuitive. Because security is 80% people and process and 20% technology, it's a difficult thing to get on top of. The gut feeling is to buy a product to solve the problem, and that won't work. What kinds of products are they buying?
They are installing some products, like firewalls and IDS [intrusion-detection systems]. They are monitoring the right Web sites, such as the CERT Web site, paying attention at the server level and monitoring level, and they're doing their best to keep up with patch management. But if the underlying system is unstructured or disorganized, it's going to be impossible to keep up. Sounds risky. But if they must outsource, how can they avoid the possibility of those kinds of security breaches?
What you need to do with security is take into account any security ramification that new code would have. That means going through the lines of code, looking for trap doors, buffer overflows, making sure that there's a good maintenance arrangement so, when you do find these security problems, you can fix them. Security is an issue for IT, but why particularly for the data center?
The data center holds the crown jewels, and they need to think about it on a number of levels. [The data center manager] needs to think about security as it relates to staff [and] network security applications level security. The data center is the one location where all the security demands come together. If data centers are outsourcing code, are they also considering outsourcing security?
There are a number of companies that will take over your security operation -- Counterpane, Guardent -- and then traditional vendors like Unisys, IBM and Computer Science Corp. The big issue is, 'Do I want to outsource security because it's so fundamental to my businesses?' If I'm Goldman Sachs and I need to secure my systems, do I trust someone outside or do that myself? I'm probably going to do it myself; it's that important and I probably have the resources. There's usually a split among data centers as to who will outsource and who won't. What we see is that the larger companies, like Goldman Sachs, are not likely to outsource. But smaller to midsize companies will. A larger data center has a bigger staff devoted to security, but it's also more likely to be a target than a smaller, anonymous company. How does the changing landscape of the data center change its security needs?
More and more data centers are bringing in service providers, temps, consultants, outsourcers and giving them access to data. The more they do that, the more they need to include those users into the mix and overall security policies. During your session, a data center manager raised an interesting concern about the increase in outsourcing the programming of code to India, which then outsources to China. Where is the security risk here?
There are two levels here. One, there's purposeful maliciousness. 'I'm putting a back door to develop a Trojan horse to give me access later on.' Certainly, managers need to consider that a possibility when outsourcing their code. But, most of the time the problem is just sloppy code writing, which results in buffer overflows. When you write a program, you're writing to a specific location and memory and, when a buffer overflow occurs, the memory buffer gets so filled it forces the system to overwrite memory and opens the system to hackers -- a smart hacker that can gain access. Would you recommend outsourcing security?
Yes, but I think the general rule of thumb would be the more dynamic the environment, the less likely it will work. In a cost center it may work well, but in the environment where business processes and IT are really interlinked, like an eBay or Wal-Mart, it's not a good idea to outsource. Outsourcers make money when things are pretty stable. It's almost impossible for them to keep up when things are dynamic.