ISACA Journal - 2015 Volume 3

According to a survey by Infonetics Research, companies operating their own data centers spent an average of US $17 million on security products in 2013. The top drivers, according to respondents, were the need to protect virtualized servers, upgrade security products to match network performance and obtain new threat protection technologies.

Most modern data centers use virtualized servers. This technology allows multiple servers to run on a single hardware instance. The fact that all server instances, as well as databases, are now flat files dramatically increases the attack vector. It also opens up additional avenues of attack that could not be used in normal data centers (such as dark virtual machines [VMs] and VM sprawl).

It is also true that virtualization drives cloud, and cloud, in turn, enables and drives mobility. This has unique challenges in a military environment or high-security organizational setting where the security requirements are more stringent than those in the majority of organizations in the private sector.

While this article focuses on military-grade data centers, this does not exclude corporate data centers. For certain projects, defense contractors are required to maintain military-grade security for data centers relevant to the project. Many other corporate entities that handle sensitive or critical information or services may also choose to implement military-grade security in their data centers. Such entities may include financial companies and critical infrastructure providers such as telecommunications or power companies.

Pharmaceutical companies that conduct research and development can benefit from implementing military-grade data center security to protect their intellectual property. Many of these types of companies are targeted by cyberespionage campaigns using advanced persistent threats (APTs).

DEFINING DATA CENTERS

Gartner defines a data center as a department within a business that houses and maintains its back-end IT systems, mainframe servers and databases. In the past, when centralized IT was the norm, all these systems were housed in one place. With distributed IT models, single-site data centers are still common, but less so. The term “data center,” however, is still used to refer to the department that is responsible for these centers, irrespective of how dispersed they are. 1

Data centers have also been defined as “a parallel and distributed computing system consisting of a collection of interconnected and virtualized computers that are dynamically provisioned and presented as one or more unified computing resources based on service level agreements (SLAs) established through negotiation between the service provider and consumers.” 2

The essential characteristics of data centers include: 3

• On-demand access—Users specify the service requirements (e.g., number of central processing units [CPUs] needed, storage requirements), and these are automatically provisioned by the data center.

• Measured service—The service requirements stated previously must be measureable so consumers can be charged for resource usage.

• Network access—A portal or platform should be supplied to users so they can submit and manage their jobs.

• Resource pooling—Resources in the data center can be shared by consumers with different SLAs.

• Virtualization—The data center topology should not matter to the user. Applications are easily migrated across hardware platforms as demands and usage change. This happens automatically.

• Reliability—Multiple redundant copies of stored content exist.

• Maintenance—This is handled by a professional, dedicated IT team.

Brett van Niekerk, Ph.D., is currently employed as a senior information security analyst. He is also an honorary research fellow at the University of KwaZulu-Natal (Durban, South Africa) and is secretary of the International Federation of Information Processing Working Group 9. 10 on information and communications technology (ICT) in Peace and War.

Pierre Jacobs is currently employed as a senior security specialist. He has

15 years of experience in the cybersecurity field. His focus and interests are in the security operation center and computer security incident response teams.