Presentation is loading. Please wait.

Presentation is loading. Please wait.

Locking Down the Data Center of Tomorrow By Kevin Beaver, CISSP Founder and principal consultant - Principle Logic, LLC 4430 Wade Green Rd., Suite 180.

Published byIra Horton Modified over 8 years ago

Similar presentations

Presentation on theme: "Locking Down the Data Center of Tomorrow By Kevin Beaver, CISSP Founder and principal consultant - Principle Logic, LLC 4430 Wade Green Rd., Suite 180."— Presentation transcript:

1 Locking Down the Data Center of Tomorrow By Kevin Beaver, CISSP Founder and principal consultant - Principle Logic, LLC 4430 Wade Green Rd., Suite 180 Kennesaw, GA 30144 kbeaver@principlelogic.com www.principlelogic.com Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

2 Kevin Beaver Information security consultant, author and trainer 15+ years of IT/security experience Specialize in security incident response, security assessments, network security, and security policy and strategy development Author of the upcoming book Ethical Hacking for Dummies by John Wiley and Sons Co-author of the new book The Practical Guide to HIPAA Privacy and Security Compliance by Auerbach Publications Author of the new book The Definitive Guide to E-mail Management and Security by Realtimepublishers.com Regular columnist and information security/HIPAA advisor for SearchSecurity.com, SearchMobileComputing.com, ITSecurity.com, and HCPro’s Briefings on HIPAA newsletter Hold CISSP, MCSE, MCNE and IT Project+ certifications Bachelor’s in Computer Engineering Technology from Southern Polytechnic State University and Master’s in Management of Technology from Georgia Tech Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

3 Current state of data center security The convergence of information and physical security Security technologies and practices required for the successful convergence of physical and information security Skills required of security professionals What to expect in the coming years Resources Copyright © 2003, Principle Logic, LLC, All Rights Reserved. What We’ll Cover

4 Where everything security related comes together –Network, applications, physical Enable consolidation of information systems management and security within a controlled environment Heightened sense of criticality since 9/11 There’s a lot of good security, but there’s also a lot of bad –Not necessarily as secure as they claim to be Copyright © 2003, Principle Logic, LLC, All Rights Reserved. Current State of Data Center Security

5 Protection of people and physical property Traditional physical security involved guards, locks, keys, etc. – this is changing Physical security in buildings, including data centers, is becoming increasingly dependent on technical systems for control and monitoring Copyright © 2003, Principle Logic, LLC, All Rights Reserved. What is Physical Security?

6 Increase of insider threats Someone walking off with a laptop, server, software installation disks, etc. Malicious outsider gaining access to the data center –To obtain passwords –To install a network analyzer Malicious insider gaining access to CDs, tapes, hard copies of network diagrams or password lists Copyright © 2003, Principle Logic, LLC, All Rights Reserved. Physical and Information Security Risks

7 Security to protect corporate assets is technology based –Firewalls –Intrusion detection Security systems typically found in discrete areas – Not across the organization Different security departments doing different things –Has resulted in various inconsistencies in meeting security policy requirements Copyright © 2003, Principle Logic, LLC, All Rights Reserved. Past Paradigm

8 Security has been seen as a roadblock to overall organization effectiveness in the past –Both physical and information security can be combined and now seen as a business enabler supporting the organization’s mission and goals Copyright © 2003, Principle Logic, LLC, All Rights Reserved. …Past Paradigm

9 Data center security is more than just protecting IT assets –We’re now moving towards protecting enterprise assets The most valuable corporate assets are virtual –Electronically and in the minds of employees Many corporate assets are housed in critical data centers Physical security is established and mature for the most part –Information security is still in its infancy Copyright © 2003, Principle Logic, LLC, All Rights Reserved. Physical Security, meet Information Security

10 There are emerging governmental requirements forcing the collaboration of physical and information security Security management of the data center continues to be fragmented After many years of separation and strife, the two practices are coming together – especially in the data center environment Copyright © 2003, Principle Logic, LLC, All Rights Reserved. …Physical Security, meet Information Security

11 The goal of both is to keep the bad guys out and the “good” guys honest Each one uniquely contributes to the organization’s bottom line Both require: –Identification of assets –Classification of assets –Assessment of risks –Implementation of countermeasures –Incident response expertise Copyright © 2003, Principle Logic, LLC, All Rights Reserved. Similarities

12 An ever increasing skill set required for security leaders, managers and doers –Keeping up with the latest technologies –Understanding how to effectively respond to incidents Money Technology and computers Effective policies and procedures Layered protection – defense-in-depth Copyright © 2003, Principle Logic, LLC, All Rights Reserved. Demands of Physical and Information Security

13 Authorization – need to know basis Authentication Accountability Audit Destruction policies and procedures Ongoing awareness A good balance of security vs. convenience Both (especially infosec) are requiring stronger ties with law enforcement than ever before Copyright © 2003, Principle Logic, LLC, All Rights Reserved. …Demands of Physical and Information Security

14 You Must Find a Balance If you have a network that’s secure but a data center building that’s not OR If you have a data center building that’s secure and a network that’s not –They will defeat the purpose of each other Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

15 The Simple Truth Need more than just a guard and locked doors Need more than just firewalls and IDSs Security must be tightly integrated with every organizational function You can’t force the two different departments to work well together – must give business reasons and incentives Must balance the requirements of both physical and information security Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

16 Where We’re Headed Decentralization of data centers and corporate assets Tighter integration between physical and information security equipment The design goals of newer technologies will help support convergence of physical and information security Systems will be easier to use, making data center technology implementation, collaboration and change management simpler Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

17 …Where We’re Headed The convergence of the two types of security will help further the information security cause –Management has always bought into physical security –It’s now becoming more apparent that information security is a critical element as well Smaller computing devices such as PDAs, 1U servers, cell phones and laptops are just getting smaller leading to more physical security issues –Nanotechnology devices both inside and associated with data centers are increasing the demand for physical and information security convergence Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

18 …Where We’re Headed Prevention vs. protection Increased responsibilities on everyone’s part Reduced costs, but possible increase in risks Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

19 Emerging Trends Enhanced biometric systems Increase in the number of uses of biometrics to facilitate both physical and information security in the data center Increased usage of identity management solutions Perimeter control has been – and will be even more so – the job of both physical and information security professionals Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

20 …Emerging Trends Need for greater physical and information security of wireless components within data centers Storage and management issues associated with RFID data Defense-in-depth will be even more important Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

21 …Emerging Trends Enhanced monitoring –Power, air and server conditions –Access controls Will require more human involvement –In the form of awareness, policies and procedures Increased use in temp/contract workers –Need to include these people in security policies and procedures Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

22 …Emerging Trends Open Security Exchange (OSE) OSE-compliant products from vendors More data center involvement from large vendors Development of data center education initiatives by the Association for Computer Operations Managers (AFCOM) and Marist College Overall the merger of the two will have a huge impact on organizations, employees, users and the industry as a whole Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

23 CSOs of the Future CSOs manage data centers among other things Role is still being defined Need a strong leader in this role Business and technical expertise Must build relationships with business managers Has authority within the organization to create and enforce security policies Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

24 …CSOs of the Future Ability to influence security-aware culture in and around the data center See CSO Magazine’s State of the CSO report for more insight – www.csoonline.com/csoresearch/report56.html www.csoonline.com/csoresearch/report56.html Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

25 A Few More Tips A security-aware culture will buy your data center more protection than all other efforts combined Policies and procedures should be integrated between physical and information security systems for the data center whenever possible –With management support of course Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

26 …A Few More Tips CISO and IT-only types may only be interested in information security –If so, s/he might not be the best fit for a CSO or director of data center security position A wise security officer (physical or information) will stay abreast of both If you’re not sure about the physical security, contact some experts on it Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

27 Resources Open Security Exchange –www.opensecurityexchange.com/info/summary.htmwww.opensecurityexchange.com/info/summary.htm –Physical Security Bridge to IT Security (PHYSBITS) Framework www.opensecurityexchange.com/downloads/white_paper.pdf AFCOM –www.afcom.comwww.afcom.com ISC 2 Certified Information Systems Security Professional (CISSP) and ISSAP concentration –www.isc2.orgwww.isc2.org ASIS Certified Protection Professional (CPP) –www.asisonline.org/certification/cpp/index.xmlwww.asisonline.org/certification/cpp/index.xml CSO job description –www.csoonline.com/research/executive/description.htmlwww.csoonline.com/research/executive/description.html Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

28 Resources CSO job description –www.csoonline.com/research/executive/description.htmlwww.csoonline.com/research/executive/description.html Physical security tips –www.techarch.state.ar.us/indexes/publications/physical.pdfwww.techarch.state.ar.us/indexes/publications/physical.pdf Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

29 The physical security market is very strong now and it will take time for the two areas of security to successfully merge It will be impossible to ensure solid information security of the data center without the proper physical security controls – and vice versa It’s essential to ensure that data is available after a disaster –This can only be possible when information and physical security systems and personnel work together Copyright © 2003, Principle Logic, LLC, All Rights Reserved. Closing Thoughts

30 Security initiatives driven from the bottom up usually aren’t effective Haphazard combination of physical and information security can cause more problems than it solves A more secure data center can increase customer comfort level helping to maintain customers and even drive more business = Copyright © 2003, Principle Logic, LLC, All Rights Reserved. …Closing Thoughts

31 Questions? Copyright © 2003, Principle Logic, LLC, All Rights Reserved. You can submit your questions to Kevin by clicking on the Ask a Question link on the lower left corner of your screen.

32 Thank you Copyright © 2003, Principle Logic, LLC, All Rights Reserved. Thank you for participating in this SearchSecurity.com webcast. If you have comments or suggestions for future webcasts, please e-mail the moderator at webcast@searchSecurity.comwebcast@searchSecurity.com

Download ppt "Locking Down the Data Center of Tomorrow By Kevin Beaver, CISSP Founder and principal consultant - Principle Logic, LLC 4430 Wade Green Rd., Suite 180."

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
 Cyber Ecosystem & Data Security Subhro Kar CSCE 824, Spring 2013 University of South Carolina, Columbia.

 Cyber Ecosystem & Data Security Subhro Kar CSCE 824, Spring 2013 University of South Carolina, Columbia.
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
Security and Personnel

Security and Personnel
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.

McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Managing A Secure Infrastructure – Tales From the Trenches November 6, 2003.

Managing A Secure Infrastructure – Tales From the Trenches November 6, 2003.
The Islamic University of Gaza

The Islamic University of Gaza
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Rethinking Security to Enable Business LJ Johnson Nike’s Global Information Security Officer August 16, 2005.

Rethinking Security to Enable Business LJ Johnson Nike’s Global Information Security Officer August 16, 2005.
1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.

1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.
World Class Security Experts © Copyright 2004 SkyView Partners LLC. All rights reserved. www.skyviewpartners.com How IT is affected by Sarbanes-Oxley Act.

World Class Security Experts © Copyright 2004 SkyView Partners LLC. All rights reserved. How IT is affected by Sarbanes-Oxley Act.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Policies and Implementation Issues.
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Enterprise Security. Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC.

Enterprise Security. Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC.

Similar presentations

Ads by Google