How you can enhance your IT security with DCIM and help avoid IT security breaches such as the recent one via a zombie server at one of the largest banks.
As we conclude the holiday shopping season, we’ve heard all about worries over online shopping and cyber security and theft in general. For the technology leader of any company that does business electronically, cyber security is a constant concern. Looking back over the past 12 months of 2014, seemingly no company is immune from unauthorized data access (pity Sony at the moment).
In this blog I explain how DCIM can form a vital part of every company’s arsenal of tools to keep its own and its customers’ data secure. I know what you are thinking: “isn’t DCIM a system to help with power monitoring and cost reduction?” Yes, it can do that, but that is a very narrow part of what DCIM can – and in my view should – be doing for you.
DCIM is not going to solve every security breach, and it won’t help you if you store customer passwords unencrypted and unsalted or credit card numbers unencrypted (no one does that anymore, do they…), but DCIM can go a long way towards keeping your entire data center secure and, by extension, your data.
You might, as a technology leader, argue that your IT folks tell you they have very accurate spreadsheets of ‘everything’. However, in my experience I have almost never found a customer with even ninety percent data accuracy; it is usually in the fifty to sixty percent range. Analyst numbers vary, but most state that between 20 and 30 percent of servers in the average data center are running and connected but not used or tracked. In a 100 rack data center, that means it is likely you have 200 servers that you do not know about.
What DCIM can do is identify and track unused servers, network equipment and connections, and even help keep your enterprise secure when staff are on holiday. Looking at each of those in turn:
Servers
Servers tend to be implemented easily but decommissioned with difficulty; no one wants to risk unplugging an in-use server. So what often happens is that the enterprise ends up with servers inside the firewall that are not being patched with OS fixes for security problems (a recent bank security breach was due to exactly this lack of patching). Then all it takes is an infected laptop attached to your network for the malware to find this nice, unmonitored, insecure host and move onto it. At first no one will even know that a virus is now permanently inside your network (on a relatively powerful server), possibly finding additional machines to replicate to (making the job of removal so much harder) and in the meantime possibly starting to harvest company (or worse, customer) data. With DCIM you can ensure that the process of end-of-life/end-of-project decommissioning includes both logical and physical steps (it’s easy to unplug a server you are confident is the correct one), keeping unknown servers to a minimum. A good DCIM solution should have fields for device ownership and built-in physical audit tools, so that periodic physical audits can easily be conducted to catch any outliers.
Network Equipment and Connections
Like servers, we see switches, firewalls and routers that are left with either no connections at all or just one. Depending on configuration this is another potential security breach, especially if the firewall or router has an unknown connection to the outside world that everyone ‘thought’ was decommissioned years ago. We know of one bank in Asia that was able to save over US$ 100,000 per year by auditing and actually decommissioning external network circuits that were still active but unknown (except to finance, who just kept paying the bills). While connectivity seems insignificant when compared to server equipment issues, it can be huge. A connection from an external circuit plugged into the wrong port can bypass security. Two switches incorrectly connected together might produce a route into your secure (PCI compliant) inner network.
DCIM can help in many ways, including:
- initial audits of what is connected (verified with the network team);
- ensuring all changes are planned in the DCIM workflow system and approved before action, thus stopping errors before they occur;
- using DCIM mobility to record what actually gets connected at the connection site;
- periodic equipment and connection audits of critical areas (such as the inbound DMZ) to confirm what data paths are in place.
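As an added example (not from the original post or any DCIM product), here is a reconciliation check in the spirit of the audits described above: it compares a constructed DCIM inventory and port record against a constructed switch MAC-table snapshot and flags unowned assets, ‘decommissioned’ servers that are still live, links DCIM does not document, and hosts DCIM has never seen. The record schema and every value in it are hypothetical.

```python
from datetime import date

# Constructed DCIM inventory records (hypothetical schema, not any vendor's).
# Each asset: hostname, MAC, owner, decommission date (None = still in service).
DCIM_ASSETS = [
    {"host": "app01", "mac": "aa:bb:cc:00:00:01", "owner": "payments", "decom": None},
    {"host": "batch07", "mac": "aa:bb:cc:00:00:07", "owner": "", "decom": None},
    {"host": "old-db2", "mac": "aa:bb:cc:00:00:12", "owner": "crm", "decom": date(2012, 6, 1)},
]
# Constructed DCIM connectivity records: (switch, port) -> documented host,
# None meaning DCIM records the port as unused.
DCIM_PORTS = {("sw-dmz-1", 1): "app01", ("sw-dmz-1", 2): None}
# Constructed switch MAC-table snapshot, as the network team would export it.
OBSERVED = [
    ("sw-dmz-1", 1, "aa:bb:cc:00:00:01"),
    ("sw-dmz-1", 2, "aa:bb:cc:00:00:12"),   # a "decommissioned" server still live
    ("sw-dmz-1", 5, "de:ad:be:ef:00:99"),   # nothing in DCIM at all
]
AUDIT_DATE = date(2014, 12, 29)  # constructed audit date


def audit(assets, ports, observed, today):
    """Return sorted (finding, detail) pairs for the audit team to follow up."""
    by_mac = {a["mac"]: a for a in assets}
    findings = []
    # In-service assets with no recorded owner: nobody will patch or decommission them.
    for a in assets:
        if a["decom"] is None and not a["owner"]:
            findings.append(("no-owner", a["host"]))
    for switch, port, mac in observed:
        asset = by_mac.get(mac)
        if asset is None:  # live on the network, absent from inventory
            findings.append(("unknown-host", f"{switch}:{port} {mac}"))
            continue
        if asset["decom"] is not None and asset["decom"] <= today:
            findings.append(("zombie-server", f"{asset['host']} still on {switch}:{port}"))
        if ports.get((switch, port), "absent") in (None, "absent"):
            findings.append(("undocumented-link", f"{switch}:{port} -> {asset['host']}"))
    return sorted(findings)


def run_audit():
    return audit(DCIM_ASSETS, DCIM_PORTS, OBSERVED, AUDIT_DATE)


if __name__ == "__main__":
    for kind, detail in run_audit():
        print(f"{kind:18} {detail}")
```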
Staff on Holiday
The end of November and December are often times when staff are thin on the ground, yet a change or a problem at those times can be most catastrophic to IT security. DCIM can help minimize the length of an outage, so your staff don’t need to play ‘hunt the server’. An inexperienced or unfamiliar staff member may make a physical change that compromises network security. With DCIM workflow everything is planned and they are guided to make the right change, not just a change.
I know the usual reasons for justifying DCIM are power cost savings and process integration, but the reality is that IT security and reputational security should be just as high on the list. I hope you all had a very happy holiday season and are ready for a productive and secure 2015.
By: Paul Goodison