Toward a Secure Data Center Model

According to a survey by Infonetics Research, companies operating their own data centers spent an average of US $17 million on security products in 2013. The top drivers, according to respondents, were the need to protect virtualized servers, upgrade security products to match network performance and obtain new threat protection technologies.

Most modern data centers use virtualized servers. This technology allows multiple servers to run on a single hardware instance. The fact that all server instances, as well as databases, are now flat files dramatically increases the attack vector. It also opens up additional avenues of attack that could not be used in normal data centers (such as dark virtual machines [VMs] and VM sprawl).

It is also true that virtualization drives cloud, and cloud, in turn, enables and drives mobility. This has unique challenges in a military environment or high-security organizational setting where the security requirements are more stringent than those in the majority of organizations in the private sector.

While this article focuses on military-grade data centers, this does not exclude corporate data centers. For certain projects, defense contractors are required to maintain military-grade security for data centers relevant to the project. Many other corporate entities that handle sensitive or critical information or services may also choose to implement military-grade security in their data centers. Such entities may include financial companies and critical infrastructure providers such as telecommunications or power companies. Pharmaceutical companies that conduct research and development can benefit from implementing military-grade data center security to protect their intellectual property. Many of these types of companies are targeted by cyberespionage campaigns using advanced persistent threats (APTs).

Defining Data Centers

Gartner defines a data center as a department within a business that houses and maintains its back-end IT systems, mainframe servers and databases. In the past, when centralized IT was the norm, all these systems were housed in one place. With distributed IT models, single-site data centers are still common, but less so. The term “data center,” however, is still used to refer to the department that is responsible for these centers, irrespective of how dispersed they are.¹

Data centers have also been defined as “a parallel and distributed computing system consisting of a collection of interconnected and virtualized computers that are dynamically provisioned and presented as one or more unified computing resources based on service level agreements (SLAs) established through negotiation between the service provider and consumers.”²

The essential characteristics of data centers include:³

• On-demand access—Users specify the service requirements (e.g., number of central processing units [CPUs] needed, storage requirements), and these are automatically provisioned by the data center.
• Measured service—The service requirements stated previously must be measureable so consumers can be charged for resource usage.
• Network access—A portal or platform should be supplied to users so they can submit and manage their jobs.
• Resource pooling—Resources in the data center can be shared by consumers with different SLAs.
• Virtualization—The data center topology should not matter to the user. Applications are easily migrated across hardware platforms as demands and usage change. This happens automatically.
• Reliability—Multiple redundant copies of stored content exist.
• Maintenance—This is handled by a professional, dedicated IT team.

The two major usage models for data centers are dedicated and shared,⁴ with four distinct models—private, community, public and hybrid—as well as three service models: software, platform and infrastructure.⁵

Accenture states that by applying data center and cloud concepts to the military, costs will be reduced and operational efficiencies increased through the consolidation of systems. This also increases the effectiveness of military missions by improving business continuity, mobility and the real-time exploitation of big data.⁶

In a military environment, the data center resources could be shared across the arms of service. There could also be unique requirements such as mobile data centers,⁷ as well as the ability to analyze big data in real time to provide near real-time information to commanders, allowing them to make strategic decisions. This also holds true for civilian organizations and businesses requiring business intelligence (BI) in real time.

The military should make use of dedicated data centers, allowing them to remain in control of the information and assets to ensure that their unique security requirements are enforceable and compliance can be assured with military prescripts. The same applies where commercial entities need the same level of protection.

Data Center Security Model

Data centers are fundamentally computing resources that are accessed by users. These resources consist of users using an application hosted on a platform via a protocol and transport mechanism to access a service or information offered via an application hosted on a server or mainframe platform, as implied by Cisco and Nutanix.^{8, 9}

Considering the previous statement, it is clear that the following logical elements need protection:

• The protocol
• The service, information or application
• The platform (virtual or traditional)

The following physical elements also need protection:

• The network
• Physical security and physical access

All the logical and physical elements, as well as the human element, need to be properly managed according to military governance, risk and compliance (GRC) frameworks.

Using a taxonomy of physical, administrative and technical controls,¹⁰ a proposed framework can be created for the protection of military data centers.

Technical Controls

The model proposed in this article is based on the work done at the National Computing and Information Agency (NCIA) in South Korea.^{11, 12} The agency has developed an eight-layer defense system to ensure security for the Korean government data center,¹³ covering logical and physical elements. This system is called the Advanced National Security Infrastructure System (ANSIS). It is combined with the eight security dimensions and threat model of the International Telecommunications Union (ITU-T) X.805¹⁴ to provide a comprehensive model to protect the military data center. The ITU-T X.805 security planes and layers are replaced by the logical and physical elements previously identified.

The eight-layer defense model includes:

1. Distributed denial-of-service shelter—In a distributed denial-of-service (DDoS) attack, a multitude of compromised computers attacks a single target, causing a breakdown in service.¹⁵ A DDoS defense and shelter system ensures that possible DDoS traffic is identified, and action is taken against the traffic. This typically happens at the virtual layer, and attacks are detected and blocked at the application layer at the system level in the virtual environment.¹⁶ A multilayered approach should be followed, such as the deployment of web application firewalls (WAF), change of service and traffic priorities, caching of content, and identification of false requests from compromised computers launching the attack.¹⁷
2. Spam and virus protection—This service offers protection against malware at the point and network level.
3. Intrusion protection system—This system detects possible intrusions or DDoS attacks and alerts the monitoring staff about these attacks.
4. Intrusion block system—This system blocks any detected intrusions. This should not only be signature-based, but also include anomaly and heuristic-based detection.
5. DDoS shield—This system offers protection against DDoS traffic by redirecting the DDoS traffic to a military DDoS shelter, as depicted in figure 1.
6. Web firewall—This service protects web traffic (Hypertext Transfer Protocol [HTTP] and Hypertext Transfer Protocol Secure [HTTPS] traffic). This forms part of the protocol stack that needs protection as per the model.
7. Server security—This entails traditional server security but also includes virtual element security to threats unique to the virtual environment.
8. Database (DB) security—This service protects the service and application elements of the model.

Consolidated Framework

The standardization sector of the ITU-T developed a security architecture for systems providing end-to-end communication. This is known as ITU-T X.805 (figure 2).

The architecture makes recommendations on providing security in an end-to-end network, and can be applied to various kinds of networks, but independently of the underlying technology.

The architecture identifies eight security dimensions:

• Access control
• Authentication
• Nonrepudiation
• Data confidentiality
• Communication security
• Data integrity
• Availability
• Privacy

The security dimensions are applied to three security layers—the application, services and infrastructure security layers—and also to security planes, the management plane, the control plane and the end-user plane.

Figure 3 shows the complete ITU-T X.805 architecture with the security dimensions and the threat model.

In the proposed model, the layers and planes will be replaced with the data center elements identified. In figure 4, the ITU-T X.805 security layers and planes are replaced by the elements applicable to data centers.

Considering the taxonomy used of physical, technical and administrative controls, it can be seen that the eight layers of the defense model fall into the technical category, and the GRC element forms part of the administrative controls. The eight-layer defense model will be further augmented with additional technical controls to ensure that all ITU-T X.805 security dimensions are addressed.

It is clear from looking at figure 2 that gaps exist when using the model. All of the blocks would have to be filled with defense mechanisms according to military standards, such as the US Department of Defense (DoD) Manual 5105 21 volume 2,¹⁸ which deals with physical security and visitor control, or other requirements as mandated in the South African Department of Defence Instruction (DODI) and/or Defence Information and Communication Architecture (DICTA). However, what is clear is that all eventualities are addressed from a security perspective.

Administrative Controls

From an administrative control perspective, all elements are covered by military GRC frameworks. Alternatively, a standard such as ISO/IEC 27001:2005¹⁹ could be used to ensure that all administrative aspects are covered.

ISO/IEC 27001:2005 consists of 11 security control clauses containing 39 security categories. Each category, in turn, consists of a single control objective that contains, in most cases, high-level administrative controls.²⁰

In many cases, the administrative controls are supported by technical controls. It is worth mentioning that only controls applicable or required by the military should be implemented. These controls should be determined by following a risk management process such as that described in ISO/IEC 2005:2011²¹ or ITU-T X.1055 Risk management and risk profile guidelines for telecommunication organizations.²²

The complete model can be depicted with ISO/IEC 27001:2005 serving as guidance for administrative controls and ITU-T X.805 serving as guidelines for technical controls.

Rationale for Selection of the Standards

A deliberate decision was made to limit the number of standards in the model and avoid an alphabet soup approach. The reasons for this decision included:

• A model based on many standards requires a very large amount of effort and expense to maintain and keep current as the standards involved get updated and change over time.
• Human resources that are familiar with a wide variety of standards are difficult to find and keep.
• If the effort to keep the model up to date is not expended, the framework may become less relevant over time.
• The approach taken by different standards bodies toward network security may change in the future and result in potential inconsistencies in the model.
• Limiting the number of standards used in the model, therefore, provides for a lean approach, which requires less effort and expense to maintain and is less likely to become inconsistent over time.
• ITU and ISO standards were chosen as the baseline standards for the model.

ITU and ISO standards were chosen as baseline standards for a number of reasons:

• ITU security standards cover eight security dimensions as opposed to only the confidentiality, integrity and availability triad.
• ISO security standards are the most widely accepted and used standards globally.
• The ITU and ISO work together and have standards equivalence, e.g., many ITU X.800 series and ISO 10181-x series standards are verbatim copies of each other.
• ISO standards are usually accepted as-is by the South African Bureau of Standards as South African National Standards (SANS) and can be replaced as shown in figure 5.
• ITU-T X.805 Security architecture for systems providing end-to-end communications was selected as the basis for the model since it was most relevant for the purposes of the model.
• ITU-T X.805 will be used with consideration of ITU-T Y.2701, which looks at applying X.805 to next generation networks (NGNs).
• The use of the ITU X.805 standard enables the use of other ITU X and Y series standards that address various aspects of network security. The reason is that the standards form a family and were designed to be used with each other.
• This ensures consistency and ease of maintenance of the model in the future, because it is extremely unlikely that ITU will update any particular standard in a way that is inconsistent with the others.
• The ITU standards, however, do not apply to every aspect of data center security. Where something is not covered, ISO standards, DODIs or DICTAs are used. As a last resort, other applicable standards are used.

Other standards and frameworks are not applicable. For example, COBIT would not be applicable because it focuses on processes and does not address technical details in-depth. Similarly, the Information Technology Information Library (ITIL) focuses more on operations and addresses effectiveness and efficiency, not information security in-depth.

The different standards and frameworks and their relation to information security are depicted in figure 6.

Risk-based Model

It was decided to use the ISO/IEC 27005:2011 Information security risk management standard²³ as opposed to ITU-T X.1055 Risk management and risk profile guidelines for telecommunication organizations.²⁴ ISO/IEC 27005 is based on the generic ISO/IEC 31000 Risk management—Principles and guidelines²⁵ but tailored to, and aimed at, information security risk management. ITU-T X.1055 is aimed at telecommunications organizations.

ISO/IEC 27005:2011 also augments and compliments ISO/IEC 27001:2005,²⁶ which is used for identifying and defining administrative controls. The ISO/IEC 27005 standard also closely correlates with the US National Institute of Standards and Technology (NIST) SP 800-39 Managing Information Security Risk, which was developed for the US DoD. ISO/IEC 27005:2011 does not cover organizational risk, whereas NIST SP 800-39 does. The correlation between the NIST SP 800-39 and ISO/IEC 27005:2011 processes is illustrated in figure 7.

The ISO/IEC risk management process is cyclical and consists of the following processes:

• Context establishment
• Risk assessment
• Risk treatment
• Risk acceptance
• Risk communication and consultation
• Risk monitoring and review

The processes are illustrated in figure 8.

The ISO/IEC 27005:2011 risk management process should be applied as part of the ISO 27001:2005 administrative controls and should encompass the secure data center model. The ITU-T X.805 security domains and threat model should be used as technical input to the risk management process for the identification of vulnerabilities and threat sources. The consolidated model is depicted in figure 9.

Conclusion

The proposed model caters to all aspects of data center security, making use of deeply entrenched and tested frameworks and architectures. The ITU-T X.805 focus is specifically on information security from a technical perspective, and ISO/IEC 27001:2005 is from an information security administrative perspective. ISO/IEC 27005:2011 is used as a risk management model. Using these frameworks provides a baseline for military-grade data center security and provides an internationally recognized best practice against which to implement and audit risk and security requirements. This level of security can aid enterprises in protecting their sensitive information from espionage and other malicious activities.

Endnotes

¹ Gartner IT Glossary, “Data Center,” 2013, www.gartner.com/it-glossary/data-center/
² Buyya, I. B. R.; C. Yeo; S. Venugopal; J. Broberg; “Cloud Computing and Emerging IT Platforms: Vision, Hype, and Reality for Delivering Computing as the 5^th Utility,” Future Generation Computer Systems, vol. 25, iss. 6, June 2009, p. 599-616
³ Yang, Li; “Network-aware Job Placement in Data Center Environments,” University of Calgary, 2014
⁴ Abts, D.; B. Felderman; “A Guided Tour Through Datacenter Networking,” ACM Queue, vol. 10, 3 May 2012, p. 10-23, http://queue.acm.org/detail.cfm?id=2208919
⁵ Mell, P.; T. Grance; “The NIST Definition of Cloud Computing,” National Institute of Standards and Technology, USA, September 2011, http://csrc.nist.gov/publications/PubsSPs.html#800-145
⁶ Accenture, “A New Era: Cloud Ushers in Insightdriven Defense,” 2013, www.accenture.com/SiteCollectionDocuments/PDF/Accenture-A-New-Era-Cloud-Ushers-in-Insight-Driven-Defense.pdf
⁷ Wait, P.; “Dell Launches Military Data Centers-In-A-Box,” InformationWeek, 18 July 2012, www.informationweek.com/architecture/dell-launches-military-data-centers-in-abox/d/d-id/1105382
⁸ Cisco Systems, “Data Center Architecture Overview,” 2014, www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/DC_Infra2_5/DCInfra_1.html
⁹ Nutanix, “8 Strategies for Building a Modern Datacenter,” 2013, http://go.nutanix.com/rs/nutanix/images/WP_8_Strategies_for_Building_a_Modern_Datacenter.pdf
¹⁰ Tipton H. F.; M. Krause; Information Security Management Handbook, 5^th Edition, CRC Press, 2012, p. 179-182
¹¹ Chernicoff, David; “Korea Sets the Standard for Government Datacenters,” ZDNet, 30 December 2011, www.zdnet.com/blog/datacenter/korea-sets-the-standard-for-government-datacenters/1161
¹² National Computing and Information Agency (NCIA), Korea, www.ncia.go.kr/eng/about/about_01.jsp
¹³ NCIA, “Security,” www.ncia.go.kr/eng/key/key_02.jsp
¹⁴ International Telecommunication Union, “ITU-T X.805 Security Architecture for Systems Providing End-to-end Communications,” 2003, www.itu.int/rec/T-REC-X.805-200310-I/en
¹⁵ Rouse, M.; “Distributed Denial-of-service (DDoS) Attack,” SearchSecurity, May 2013, http://searchsecurity.techtarget.com/definition/distributed-denial-of-service-attack
¹⁶ KrCERT/CC, DDoS Shelter Service, Korea, http://eng.krcert.or.kr/service/ddos.jsp
¹⁷ Ibid.
¹⁸ US Department of Defense, “Sensitive Compartmented Information (SCI) Administrative Security Manual: Administration of Physical Security, Visitor Control, and Technical Security,” no. 5105.21, vol. 2, 19 October 2012, www.dtic.mil/whs/directives/corres/pdf/510521m_vol2.pdf
¹⁹ International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 27001:2005, Information technology—Security techniques—Information security management systems—Requirements, 2005, www.iso.org/iso/catalogue_detail?csnumber=42103
²⁰ International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 27002:2005, Information technology—Security techniques—Code of practice for information security management,” 2005, www.27000.org/iso-27002.htm?
²¹ International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 27005:2011, Information technology—Security techniques—Information security risk management, 2011, www.iso.org/iso/catalogue_detail?csnumber=56742
²² International Telecommunication Union, ITU T X.1055, Risk management and risk profile guidelines for telecommunication organizations, 2008, www.itu.int/rec/T-REC-X.1055-200811-I/en
²³ International Organization for Standardization (ISO), ISO/IEC 27005:2011 Information security risk management, 2011, www.iso.org/iso/catalogue_detail?csnumber=56742
²⁴ International Telecommunication Union, ITU T X.1055, Risk management and risk profile guidelines for telecommunication organizations, 2008, www.itu.int/rec/T-REC-X.1055-200811-I/en
²⁵ International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO 31000, Risk management, 2009, www.iso.org/iso/home/standards/iso31000.htm
²⁶ International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 27005:2008, Information security risk management, 2011, www.iso.org/iso/catalogue_detail?csnumber=42107

Brett van Niekerk, Ph.D., is currently employed as a senior information security analyst. He is also an honorary research fellow at the University of KwaZulu-Natal (Durban, South Africa) and is secretary of the International Federation of Information Processing Working Group 9.10 on information and communications technology (ICT) in Peace and War.

Pierre Jacobs is currently employed as a senior security specialist. He has 15 years of experience in the cybersecurity field. His focus and interests are in the security operation center and computer security incident response teams.