Jinu S., Joint Director, Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology

The growth of data centres has been greatly influenced by advancements in technology and government initiatives such as Digital India. However, this growth has led to a surge in cyberattacks as well. At a recent tele.net conference, “Data Centres in India”, Jinu S., Joint Director, Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, spoke about the data privacy and security issues for data centres, measures to reduce risks, and solutions to enhance security. Edited excerpts…

Data centres serve as a single, centralised infrastructure for storing data, providing a great advantage to industries and enterprises. However, they also present an opportunity for cyber-attackers, as all the information is stored in a single location. Instead of targeting multiple networks, attackers can simply focus on breaching the security of a data centre to gain access to all the data.

Key data privacy and security issues

Data security in data centres has various aspects. These can be grouped into four categories: physical security, infrastructure security, network security and data security.

Physical security

When it comes to physical security, access control measures and video surveillance are the main concerns from a cybersecurity perspective. Most software-based security controls can be compromised if an attacker gains access to the physical facility and equipment. To secure access to a data centre, there should be multifactor authentication and biometric authentication. CCTV cameras should be deployed, covering every nook and corner of the data centre and ensuring zero blind spots. It is the responsibility of data centre players to ensure that proper access control measures and video surveillance are available to detect any unauthorised access.

Infrastructure security

Infrastructure security is a critical aspect of information technology (IT). It pertains to not only mainstream data centre devices, network devices, storage and servers, but also supporting network devices such as access control devices, biometrics, CCTV and other IT devices. All these devices should be secured to ensure safety. Regular firmware updates are an important aspect of infrastructure security. Original equipment manufacturers (OEMs) release security patches regularly once they become aware of security vulnerabilities. Therefore, it is essential to have proper agreements with OEMs, to guarantee that all devices are updated with the latest security patches.

In addition, access control measures are essential for infrastructure security. They ensure that only authorised personnel can access the infrastructure and data. Proper access control mechanisms must be deployed, such as privileged access management (PAM) solutions. In a normal scenario, users will be allotted only minimum privileges and whenever privileged access is required, the end-user can raise a request through PAM. Privileged access will be granted through PAM, and the credentials of privileged accounts will not be available with the end-users. Furthermore, there may be a multitude of network and server devices in use, but not all applications or services need to be enabled on every device. To ensure data protection, only necessary applications should be enabled on each device.

Only secured protocols should be used to enhance security. For instance, for remote access, a secure socket shell should be used, and for monitoring devices, a more refined version of a simple network management protocol should be used.


Network security

Network security covers all data centre networks, including the ancillary networks of other devices; infrastructure; connectivity; architecture and configuration. Network segmentation is a key point in network security, as plenty of ransomware attacks happen due to a lack of proper network segmentation. Proper security entails dividing a data centre into areas that are logically separate, to contain an attack with minimal impact.

There should also be a proper demilitarised zone (DMZ), where internet-facing devices including webservers can be placed. Additionally, implementing firewalls at different levels, including perimeter firewalls (separating the internet from the DMZ) and internal firewalls (separating the DMZ from the internal zone), can increase defence against vulnerabilities.

For a defence-in-depth mechanism, there are various aspects to consider, including perimeter-level defence, network-level defence, host-level defence and layered security checkpoints. By having proper security measures in place, unauthorised sessions can be avoided.

Data security

Ensuring data security is crucial for any organisation. Should the physical or network infrastructure be compromised, it is vital to have inbuilt security measures to protect the data stored in the data centre. Data protection has three aspects: securing data at rest, in transit and in use.

To protect data at rest, we can use proper disk encryption, or self-encrypted drives that encrypt the data while it is being stored. For data protection in transit, we should have robust mechanisms such as transport layer security and IPsec tunnel mechanisms for ensuring proper data encryption. Protecting data in use, meanwhile, has two aspects – confidential computing and cryptographic computing. In confidential computing, the data is processed in a trusted environment or secure enclaves where it is decrypted, computed, encrypted and returned along with computational results. Cryptographic computing is an enhancement of confidential computing.

Proper encryption is the key to preventing ransomware attacks. In these attacks, data is encrypted and made unusable. Backups can also mitigate this risk, especially immutable backups made with the write once, read many mechanism. Therefore, immutable storage in encrypted form is crucial for disaster recovery.


Additional measures to reduce cyber risks

It is crucial for the industry to have a proper security policy in place. Objects and devices involved in a network should be identified and accounted for. There should be proper policies for both authentication and configuration purposes.

Moreover, backup options should be available both within data centres and for disaster recovery. In the event of a disaster, all data needs to be synced. In addition, even with all the security measures in pla­ce, proper logging facilities and notifications should be set up to detect unknown actions. Appropriate action must be taken to mitigate such actions.

Regular security audits should also be carried out for an outside perspective on a security network. This will help in making changes to improve the security strategy of the network.

Proper documentation and standard operating procedures should be made available in case of an attack or risk. It is essential to strictly follow regulatory guidelines from CERT-In, the Telecom Regulatory Authority of India and other regulatory bodies to ensure that proper security measures are in place.

Another major concern is insider threat. To mitigate this, firms must ensure that employees receive proper training and their activities are monitored. Finally, data sanitisation is crucial. Advanced technologies should be used to ensure that data is properly discarded, so that it cannot be recovered even during advanced forensic analysis.

Emerging solutions

Memory encryption

A memory attack, or a cold boot attack, is a physical attack that allows a person to access data in the volatile memory. This threat involves hardware-level attacks such as the removal and reading of dual in-line memory modules or the installation of attack hardware. Memory encryption ensures that the data passing to and from the memory is encrypted with a single transient key.

Zero-knowledge proof

Zero-knowledge proof can be used for advanced authentication. It involves using cryptography to verify data without sharing credentials with other entities. Zero-knowledge proof can also be made use of to prevent supply chain risks. With this, data can be securely transmitted to the other end without tampering.
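As an added illustration of "verifying without sharing credentials" (this is example code, not from the talk), the Python below implements a Schnorr identification proof made non-interactive with Fiat-Shamir: the user proves knowledge of a secret x while the server stores and checks only the public value y. The group parameters, the nonce scheme and all names are constructed for the example; they are not a recommended parameter set.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example only: p = 2q + 1 with p and q
# prime, and g = 2^2 mod p, which has order q.  Production systems use 2048-bit
# groups or elliptic curves; these small values just keep the example instant.
P, Q, G = 2039, 1019, 4


def keygen():
    """The credential: x never leaves the user; the server stores only y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(y, t, nonce):
    # Fiat-Shamir: the challenge is a hash of the transcript, so the proof is
    # non-interactive.  The server-issued nonce binds it to one login attempt,
    # so a captured proof cannot be replayed in a later session.
    data = b"%d:%d:%d:%d:" % (P, G, y, t) + nonce
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x, y, nonce):
    """Prover (user): demonstrates knowledge of x without transmitting it."""
    r = secrets.randbelow(Q)          # fresh per proof; reusing r would leak x
    t = pow(G, r, P)
    c = _challenge(y, t, nonce)
    s = (r + c * x) % Q
    return t, s


def verify(y, proof, nonce):
    """Verifier (server): checks g^s == t * y^c using only public values."""
    t, s = proof
    if not (1 <= t < P and 0 <= s < Q):
        return False
    c = _challenge(y, t, nonce)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


if __name__ == "__main__":
    x, y = keygen()
    nonce = secrets.token_bytes(16)   # issued by the server for this session
    proof = prove(x, y, nonce)
    print("accepted:", verify(y, proof, nonce))
```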

Self-encrypting drives

Full disk encryption is necessary to prevent attacks on data. In addition, by using proper self-encrypting drives, data can be protected from unauthorised access.

Homomorphic encryption

Homomorphic encryption is a type of co­nfidential computing. It ensures that data remains in an encrypted form, while all the computations are carried out on it and then made available to the relevant entities. This is how data in use can be protected and secured.
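To make the data-in-use idea above concrete (and it also serves the confidential/cryptographic computing paragraph in the Data security section), here is an added Python example, not from the talk, of additively homomorphic Paillier encryption: a tenant encrypts readings, an untrusted compute node totals them while seeing only ciphertexts and the public key, and only the key holder can decrypt the result. The two small primes and all function names are constructed for the example and are far too small for real use.

```python
import math
import secrets

# Toy Paillier key from two small primes, constructed for this example only.
# Real keys use 1024-bit+ primes; these keep the arithmetic readable.
P_PRIME, Q_PRIME = 1019, 1021


def keygen(p=P_PRIME, q=Q_PRIME):
    """Returns (public, private).  With g = n + 1, mu is simply lambda^-1 mod n."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    return (n, n + 1), (lam, pow(lam, -1, n))


def encrypt(pub, m):
    """c = g^m * r^n mod n^2; a fresh r makes equal plaintexts unlinkable."""
    n, g = pub
    assert 0 <= m < n, "plaintext must be below n"
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)


def decrypt(pub, priv, c):
    """Only the private key holder can recover m."""
    n, _ = pub
    lam, mu = priv
    l_value = (pow(c, lam, n * n) - 1) // n       # L(u) = (u - 1) / n
    return l_value * mu % n


def add_encrypted(pub, c1, c2):
    """Ciphertext product == encryption of the plaintext sum (mod n); no key needed."""
    n, _ = pub
    return c1 * c2 % (n * n)


def scale_encrypted(pub, c, k):
    """Ciphertext to the power k == encryption of k times the plaintext (mod n)."""
    n, _ = pub
    return pow(c, k, n * n)


def total_on_untrusted_host(pub, ciphertexts):
    """What the compute node runs: it only ever sees ciphertexts and the public key."""
    acc = 1                                        # encryption of 0 with r = 1
    for c in ciphertexts:
        acc = add_encrypted(pub, acc, c)
    return acc
```

Results stay correct only while the plaintext sum is below n, so a real deployment sizes the key to the largest value it must hold.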