Defending Datacenters and Cloud Services
An essential part of moving software and services out into the cloud is ensuring that those cloud services are supported by secure and robust infrastructure. Datacenters are an increasingly common target for attacks, because a focused effort against one can create significant disruption.
Much is written about security in a technological sense – identity and access management (IAM), malware protection, firewalls, the principle of least privilege, and so on. It is important not to forget, though, that all these concepts relate just to our own systems. We generally rely on one or more third parties to provide another element of defense for our systems: physical access to the datacenters that host our apps and data.
A Level of Implicit Trust
In the public cloud we are presented with a fait accompli. We rely heavily on the likes of Amazon, Microsoft, Google, Rackspace etc. to have strong controls over who can access the datacenters in which their public cloud services reside – though of course the independent certifications they hold provide a substantial level of reassurance that independent auditors share the opinion that they are suitably secure.
In the private or hybrid cloud, however, we are hosting all or part of the infrastructure in a datacenter on a much more fundamental level: regardless of the “value add” messages from their marketing teams, the providers are simply renting us space and providing power, air-conditioning and fire extinguishing services. We, therefore, must look much more closely at the risks associated with this more direct relationship and mitigate them accordingly.
Physical Building Security
Datacenters with guards staffing the entrance 24x7 provide reassurance, as electronic entry systems are simply not trustworthy 100% of the time. The worst-case scenario is an unguarded building that simply requires a (highly stealable) swipe card to enter. Although it can be helpful to add the requirement for a PIN to be entered after swiping the card, in reality even a novice can shoulder-surf an unsuspecting client and gain their PIN. Also, as Warren Houghton of Pen Test Partners pointed out in a presentation in October 2024, cloning swipe cards can often be very straightforward, depending on the card and reader technology being used.
Provider Service Components
We mentioned previously that the datacenter operator provides power, along with heating, ventilation and air conditioning (HVAC) to the building, and as part of the sign-up process you should get an understanding of how they are protected. For instance, a secure compound full of big green generators is a great marketing tool, but if those generators’ management interfaces are connected to the internet so the support provider can manage and monitor them remotely, the risk needs to be investigated and understood. Ask firm, pointed questions about any components on which you will rely that are in any way connected to a computer network of any sort.
Inside the Building
A greater risk than physical entry to the building, however – and the biggest datacenter risk – is illicit access once someone is inside the building. If your hosting budget is reasonably large you may be able to have an area of the data hall physically segregated for your sole use, surrounded by a large cage with its own secure door (though beware of the risks of electronic entry systems mentioned already). Usually, though, datacenter hosting means one or more cabinets in a large, shared space to which many organizations have access.
In the latter case, the only safe assumption to make is that at least one of the hosting company’s other clients has at least one employee who is not completely honest. Hence a non-zero number of potential attackers has the facility to walk up to our cabinets, and the fact is that the average datacenter cabinet was not designed for security. Three-digit combination locks or simple barrel key locks are common. If we estimate that a brute-force attack takes three seconds per guess to select the number and try the lock, that gives a worst-case time of 50 minutes to try all possibilities, or five seconds with a pry bar. (Most users do not reset the lock to 000 when they leave, instead leaving each of the three dials within one or two digits of the real combination and making the attacker’s life easier.) And while there is usually a physical key lock on the cabinet too, these are almost always low-security and easy to defeat (bear in mind, incidentally, that the example in the video is representative of many vendors’ locks, not just the one the presenter happens to use). There is also always a gap between the cabinet and the floor, and in most cases if you kneel down and look under the cabinet you will see cables – a potential for a denial-of-service (DoS) attack via a quick snip with some wire-cutters.
We should assume, then, that cabinets are a point of vulnerability. Where possible, use cable management to keep exposure to a minimum and prevent easy external access. Bring cables in via the tops of the cabinets (which are largely closed except perhaps for some fans and small cable access gaps) instead of the bottom (which are always fully open to allow air flow from the floor air conditioning ducts). And although it is not possible to prevent, say, disconnecting cables from a network switch by someone who has defeated the door, you should use the physical features on your servers and storage (generally physical key locks and strong access credentials) to at least slow down an attacker.
Do Not Add Your Own Risks
Finally, do not allow your engineers to build convenience into your datacenter installations. Despite what the hosting company’s policies may dictate regarding bans on you installing wireless kit, in most datacenter environments you can open your laptop’s WiFi control panel and see a number of available networks. Many of these have been installed by engineers who spend a lot of time at the datacenter and would rather work in the break room or even just the corridor instead of a noisy, dry data hall, and more than zero will have vulnerabilities. Be scrupulously careful to avoid mitigating the physical risks of the datacenter and then breaking that mitigation with insecure, unofficial technological shortcuts.
When it comes to public cloud hosting providers’ datacenters, we can have a good level of confidence that they both restrict physical access and care about doing so, not least for reasons of reputation. For traditional datacenters, the average reputable provider has good defenses at its perimeter to ensure that visitors are who they say they are and that they are on the admission list. However, where we host private or hybrid cloud with directly contracted hosting providers, we need to give strong consideration to the risk factors that exist despite the strong controls on entry and mitigate them to bring them in line with what our own senior management team deems acceptable.