The growth of data centres has been greatly influenced by advancements in technology and government initiatives such as Digital India. However, this growth has led to a surge in cyberattacks as well. At a recent tele.net conference, “Data Centres in India”, Jinu S., Joint Director, Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, spoke about the data privacy and security issues for data centres, measures to reduce risks, and solutions to enhance security. Edited excerpts…
Data centres serve as a single, centralised infrastructure for storing data, providing a great advantage to industries and enterprises. However, they also present an opportunity for cyber-attackers, as all the information is stored in a single location. Instead of targeting multiple networks, attackers can simply focus on breaching the security of a data centre to gain access to all the data.
Key data privacy and security issues
Data security in data centres has various aspects. These can be grouped into four categories: physical security, infrastructure security, network security and data security.
When it comes to physical security, access control measures and video surveillance are the main concerns from a cybersecurity perspective. Most software-based security controls can be compromised if an attacker gains access to the physical facility and equipment. To secure access to a data centre, there should be multifactor authentication and biometric authentication. CCTV cameras should be deployed, covering every nook and corner of the data centre and ensuring zero blind spots. It is the responsibility of data centre players to ensure that proper access control measures and video surveillance are available to detect any unauthorised access.
Infrastructure security is a critical aspect of information technology (IT). It pertains to not only mainstream data centre devices, network devices, storage and servers, but also supporting network devices such as access control devices, biometrics, CCTV and other IT devices. All these devices should be secured to ensure safety. Regular firmware updates are an important aspect of infrastructure security. Original equipment manufacturers (OEMs) release security patches regularly once they become aware of security vulnerabilities. Therefore, it is essential to have proper agreements with OEMs, to guarantee that all devices are updated with the latest security patches.
In addition, access control measures are essential for infrastructure security. They ensure that only authorised personnel can access the infrastructure and data. Proper access control mechanisms must be deployed, such as privileged access management (PAM) solutions. In a normal scenario, users will be allotted only minimum privileges and whenever privileged access is required, the end-user can raise a request through PAM. Privileged access will be granted through PAM, and the credentials of privileged accounts will not be available with the end-users. Furthermore, there may be a multitude of network and server devices in use, but not all applications or services need to be enabled on every device. To ensure data protection, only necessary applications should be enabled on each device.
Only secured protocols should be used to enhance security. For instance, for remote access, a secure socket shell should be used, and for monitoring devices, a more refined version of a simple network management protocol should be used.
“It is essential to strictly follow regulatory guidelines from CERT-In, the Telecom Regulatory Authority of India and other regulatory bodies to ensure that proper security measures are in place.”
Network security covers all data centre networks, including the ancillary networks of other devices; infrastructure; connectivity; architecture and configuration. Network segmentation is a key point in network security, as plenty of ransomware attacks happen due to a lack of proper network segmentation. Proper security entails dividing a data centre into areas that are logically separate, to contain an attack with minimal impact.
There should also be a proper demilitarised zone (DMZ), where internet-facing devices including webservers can be placed. Additionally, implementing firewalls at different levels, including perimeter firewalls (separating the internet from the DMZ) and internal firewalls (separating the DMZ from the internal zone), can increase defence against vulnerabilities.
For a defence-in-depth mechanism, there are various aspects to consider, including perimeter-level defence, network-level defence, host-level defence and layered security checkpoints. By having proper security measures in place, unauthorised sessions can be avoided.
Ensuring data security is crucial for any organisation. Should the physical or network infrastructure be compromised, it is vital to have inbuilt security measures to protect the data stored in the data centre. Data protection has three aspects: securing data at rest, in transit and in use.
To protect data at rest, we can use proper disk encryption, or self-encrypted drives that encrypt the data while it is being stored. For data protection in transit, we should have robust mechanisms such as transport layer security and IPSec Tunnel mechanisms for ensuring proper data encryption. Protecting data in use, meanwhile, has two aspects – confidential computing and cryptographic computing. In confidential computing, the data is processed in a trusted environment or secure enclaves where it is decrypted, computed, encrypted and returned along with computational results. Cryptographic computing is an enhancement of confidential computing.
Proper encryption is the key to preventing ransomware attacks. In these attacks, data is encrypted and made unusable. Backups can also mitigate this risk, especially immutable backups made with the write once, read many mechanism. Therefore, immutable storage in encrypted form is crucial for disaster recovery.
“Data centres serve as a single, centralised infrastructure for storing data, providing a great advantage to industries and enterprises. However, they also present an opportunity for cyber-attackers, as all the information is stored in a single location.”
Additional measures to reduce cyberrisks
It is crucial for the industry to have a proper security policy in place. Objects and devices involved in a network should be identified and accounted for. There should be proper policies for both authentication and configuration purposes.
Moreover, backup options should be available both within data centres and for disaster recovery. In the event of a disaster, all data needs to be synced. In addition, even with all the security measures in place, proper logging facilities and notifications should be set up to detect unknown actions. Appropriate action must be taken to mitigate such actions.
Regular security audits should also be carried out for an outside perspective on a security network. This will help in making changes to improve the security strategy of the network.
Proper documentation and standard operating procedures should be made available in case of an attack or risk. It is essential to strictly follow regulatory guidelines from CERT-In, the Telecom Regulatory Authority of India and other regulatory bodies to ensure that proper security measures are in place.
Another major concern is insider threat. To mitigate this, firms must ensure that employees receive proper training and their activities are monitored. Finally, data sanitisation is crucial. Advanced technologies should be used to ensure that data is properly discarded, so that it cannot be recovered even during advanced forensic analysis.
A memory attack, or a cold boot attack, is a physical attack that allows a person to access data in the volatile memory. This threat involves hardware-level attacks such as the removal and reading of dual in-line memory modules or the installation of attack hardware. Memory encryption ensures that the data passing to and from the memory is encrypted with a single transient key.
Zero-knowledge proof can be used for advanced authentication. It involves using cryptography to verify data without sharing credentials with other entities. Zero-knowledge proof can also be made use of to prevent supply chain risks. With this, data can be securely transmitted to the other end without tampering.
Full disk encryption is necessary to prevent attacks on data. In addition, by using proper self-encrypting drives, data can be protected from unauthorised access.
Homomorphic encryption is a type of confidential computing. It ensures that data remains in an encrypted form, while all the computations are carried out on it and then made available to the relevant entities. This is how data in use can be protected and secured.