data center security trends 2014 - ise...

Post on 01-Aug-2020


Security and the Data Center – 4 Trends that Could Change Everything

Jerry L. Bowman, RCDD, RTPM, CISSP, CPP, CDCDP

President / CEO InfraGard National

Past-President BICSI

Attendee Announcements

Seminar Raffle – Be sure to drop your raffle ticket in the drum at today’s Keynote located in the Mile High Ballroom. You have a chance to win a $250 American Express Gift Card. One winner will be drawn at the Opening Keynote and the Closing Keynote. You must be present to win.

Seminar Evaluations – All attendees will be receiving an email with regards to the seminar and we encourage you to respond to the surveys. The survey results will be compiled by ISE EXPO team members, summarized, and will be shared with the seminar speakers. The seminar feedback is an important aspect of continually improving ISE EXPO.

Seminar Certificates – Attendees will be able to log into the Attendee Resource Center (ARC) using their first name, last name, and their Badge ID (this number will appear on the badge and also on any registration confirmations) to view/print their seminar certificates. If a certificate is needed on-site, the attendee may visit the ISE EXPO registration counter between the hours of 1 PM – 3 PM September 21 & September 22 and ask for a certificate to be printed. Attendees will be able to access the ARC website up to 2 – 3 months after the event to print CEC certificates.

Subscribe – ISE magazine is the most trusted educational and solutions resource for 21,000 professionals across the ICT industry. Each month, ISE delivers 20+ educational articles and showcases leading technology solutions in an approachable and interesting format, available in both print and digital. Visit http://www.isemag.com/subscriptions/ to begin or renew your subscription.

BICSI’s Global Region


bicsi.org/global


InfraGard Members By Sector


Disruptive Innovation

A disruptive innovation is an innovation that helps create a new market and value network, and eventually disrupts an existing market and value network (over a few years or decades), displacing an earlier technology.

Disruptive Innovation

• Procter & Gamble’s Crest® Whitestrips® - created an entirely new market by targeting nonconsumers: those who find it too inconvenient or expensive to go to the dentist for teeth whitening.

• Walmart (discount retailers) exemplifies a disruptive approach that targets consumers overshot by existing offerings, in this case, department stores.

• Others:

– POTS vs. Cellular

– Mainframe vs. PC/Laptop

– Doctor’s Office vs. Minute Clinic

– Wired vs. Wireless

Disruptive Innovation Trends

• Cyber Security Horizontal Expansion

• Cloud Computing

• Accreditation

• Outsourcing

Disruptive Innovation #1: Horizontal Expansion of Cybersecurity

Cyber Threat Continuum

• 1970s: Phreaking – Free long distance calls

• 1980s: Computer Clubs / First Virus (1988)

• 1990s: Birth of Modern InfoSec Industry

• 2000s: Hacking/malware move to major criminal enterprise

• 2010s: Attacks move to connected systems as backdoor to data networks (Target)

Protecting the Data Center

TODAY

Multi-National Enterprise Footprint

Terrorism

Global political implications

International power grid failure

Data worms & hackers

Third party liability

Regulatory Compliance

Cascading Events

Non-IT Backdoors

Managing assets and dependencies

Handle unexpected disasters …without downtime and without a list

THE OLD DAYS (20 Years Ago)

Simple Backups

24 Hour Replacement Contracts

Dial Up Bulletin Boards

Disaster Recovery - fire, flood, tornado

Sabotage

Physical 1:1 equipment relationships

Disaster By Checklist – Be ready for the list.

Executive Order 13636

“Improving Critical Infrastructure Cybersecurity”

“It is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”

Cybersecurity Business Outcomes

• National and economic security of the United States depends on the reliable functioning of critical infrastructure

• Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure

• Cybersecurity risk affects a company’s bottom line.

– It can drive up costs and impact revenue

– It can harm an organization’s ability to innovate

– It can harm an organization’s ability to gain and maintain customers

NIST – 2014 Framework for Improving Critical Infrastructure Cybersecurity

NIST Cyber Framework Core


NIST Cyber Framework Profiles

1. Partial - Organizational cyber-security risk management practices for this subcategory are not formalized, and risk is managed in an ad hoc and sometimes reactive manner.

2. Risk Informed - Risk management practices are approved by management but may not be established as organizational-wide policy.

3. Repeatable - The organization’s risk management practices are formally approved and expressed as policy.

4. Adaptive - The organization adapts its cyber-security practices based on lessons learned and predictive indicators derived from previous and current cyber-security activities.


How Long Would It Take to Find a Server?

A) Within minutes

B) Within 4 hours

C) Within a day

D) More than a day

E) They can’t be found


How Long Would It Take To Find a Server?

ID: How can you protect an asset if you don’t know you have it?

• A data center can contain thousands of assets, from servers, storage, network devices, and cabling to power and cooling infrastructure equipment

• The majority of organizations still manage configuration and asset data using spreadsheets

• Common practice involves reverse engineering the location and connectivity of assets during a service issue

• Change is often the cause of as much as 80% of system downtime

• 80% of mean time to repair (MTTR) is used trying to determine what changed

How can you protect it if you can’t get to it?

How can you protect it if you don’t know the dependencies?

Source: AssetGen

ID Function

The activities in the Identify Function are foundational for effective use of the Framework.

Asset Management Subcategories


NIST Cyber Framework: CCS CSC


What is the cost of a Day 2 inventory?

| Individual Task Areas | Equipment Count | Unit | Total Cost | Duration |
|---|---|---|---|---|
| Collect readily visible data* | 8,000 | $15 | $120,000 | 40 Man Weeks |
| Detailed information* | 8,000 | $60 | $600,000 | 200 Man Weeks |
| Physical Layer (E to E) | 400 Racks | $840 | $336,000 | 120 Man Weeks |

Based on 400 Rack Data Center enterprise data center – 20 devices per rack

*Source: Data Center Knowledge Guide to DCIM

| Complete Site Audit | Equipment Count | Unit | Total Cost | Duration |
|---|---|---|---|---|
| Collect detailed information* | 8,000 | $60 | $600,000 | 200 Man Weeks |
| Physical Layer (E to E) | 400 Racks | $840 | $336,000 | 120 Man Weeks |
| CMDB & Configuration (Layer 1)** | 12,000 Total Devices | $12.50 | $150,000 | 5 Man Weeks |
| Estimated Total | | | $1,086,000 | 325 M Weeks |

Includes reverse engineering of undocumented infrastructure

**Source: AssetGen

Disruptive Innovation #2

Cloud Computing


Types of Clouds


Shifts Emphasis To Data In Motion

Source: Wikimedia


CIA Triad


Pressure on Passive Infrastructure


Emphasis on Capacity Management

• One of five components in the ITIL Service Delivery area

• Proactive rather than reactive in nature

• Ensures that business needs and service definitions are fulfilled using a minimum of computing resources

• Ensures that capacity exists

Capacity Management activities include:

• Monitoring, analyzing, tuning, and implementing necessary changes in resource utilization

• Managing demand for computing resources, which requires an understanding of business priorities

• Modeling to simulate infrastructure performance and understand future resource needs

• Application sizing to ensure required service levels can be met

• Storing capacity management data

• Producing a capacity plan that documents current utilization and forecasted requirements, as well as support costs for new applications or releases

• Building the annual infrastructure growth plan with input from other teams

2014 Sky High Networks Report

• 1 million users across more than 40 EU companies spanning the financial services, healthcare, high technology, manufacturing, media, and professional service industries

• Quantified the use of cloud services and the security risk that they pose to enterprises

• Overall findings:

– Enterprises used an average of 588 cloud services.

– Only 9% of the cloud services in use provide enterprise-grade security capabilities

– The remaining 91% (more than 9 out of 10) pose medium to high security risks

• Data privacy and data residency

– Only 1% of the cloud services in use both offer enterprise-grade security capabilities and store data in Europe’s jurisdictional boundaries

– The remaining 99%, either store data in countries where data privacy laws are less stringent

Key Findings of Sky High Report

Key findings from the report include:

• Only 5% of cloud services in Europe are ISO 27001 certified, posing compliance issues for those organizations unaware that their employees are using uncertified services

• 25 of the top 30 cloud services in the collaboration, content sharing, and file sharing categories were based in countries (United States, Russia, China) where the privacy laws are less stringent compared to Europe.

• 49 different services in use are tracking the browsing behavior of employees on the Internet. This exposes organizations to the increasingly prevalent watering hole attack.


M&M Security Doesn’t Work With Clouds

Physical Security Perimeters / Network Security Perimeters

• Deter potential intruders

• Distinguish authorized from unauthorized people

• Delay, frustrate and ideally prevent intrusion attempts

• Detect intrusions and monitor/record intruders

• Trigger appropriate incident responses

How do I establish a perimeter if the data center isn’t under my control?

Disruptive Innovation #3

Accreditation


Data Center Security Accreditations?

Courtesy Isaak Technologies Inc.


The Cost of Accreditation


Disruptive Innovation #4

Outsourcing


Who will you be working for in 5 years?


Types of Outsourcing


Outsourcing Report Card

Source: Insights from Deloitte’s 2012 Global Outsourcing and Insourcing Survey; 2014 NAOP Survey

[Figure: "Disruptive Innovation2" diagram. Labels: Shadow IT, BYOD, Disruptive Technology, Internet of Things, Wearables, Implantables, M2M, IPv6, iPhones, iPad, Tablets, Social Activation, Cloud-to-Cloud, Smart Watch, Google Glass, IP Home Locks, The Pebble, W200; Anyone, Anything, Anytime, Anyplace, Any Service, Any Network]

Disruptive Innovation Roadmap?

First, make it mobile

Next, make it wearable

Finally, make it implantable

[Images: Google Glass, Smart Tattoo, iPhone 5c]

Final Thoughts

1. The consequences of not managing the transformational trends in the data center could be profound.

2. Exponential growth or change is no longer an excuse for not documenting and managing what you have.

3. Users won’t wait for IT anymore - internal customers will spend more of their IT budgets elsewhere, and could eventually bypass the IT organization entirely.

4. The Cloud is redefining the concept of perimeters.

5. The virtual world has no police jurisdictions – countermeasures cannot rely on clear venue.

6. Data centers (virtual world) create blind spots for traditional security designers and managers – cybersecurity is driving an entirely new workforce.

New Cybersecurity Problem With Clouds

Accreditation Shadow IT


Contact Info:

Jerry L. Bowman, RCDD, RTPM, CISSP, CPP, CDCDP

Chief Business Officer, IMTAS

President BICSI 2012 - 2014

President / CEO InfraGard

Phone: (202) 962-0000

Email: Bowman-jerry@imtas.com

Jbowman@bicsi.org

Jbowman@infragardmembers.org

Thank You
