With a new year comes renewed opportunity to take a hard look at security. As Marriott scrambles to contain the damage caused when hackers stole the passport numbers of more than 25 million guests, IT organizations everywhere are rushing to fortify their own networks and data centers.
Interestingly enough, data center infrastructure is often an overlooked security risk. As Data Center Knowledge reported last year, power supplies as well as heating and cooling systems can all be entry points for both determined threat actors and casual attackers who scan the Internet for insecure access points.
In many data centers, for example, the ability to monitor rack power distribution units remotely is highly desirable, yet security on these systems often is insufficient. As the experts say, “If a device has an IP address, it can be hacked.” Now, more than ever, security needs to be a front-and-center issue for every piece of data center infrastructure as bringing down power and cooling systems can wreak more havoc than attacking servers.
This is where the “CIA Triad” comes in—and no, that’s not a euphemism for three guys from the Central Intelligence Agency examining gear and security practices for vulnerabilities. The CIA Triad is a well-respected security model with a three-pronged approach for establishing and monitoring Confidentiality, Integrity and Availability.
The Triad principle should be applied to all data-center devices, applications and networks, including the emergence of Software Defined Power (SDP) solutions. As leading SDP deployments encompass both hardware and software, it’s important to identify and address any potential risks.
As the creators of SDP, Virtual Power Systems has leveraged the CIA Triad to improve energy efficiency without compromising system availability or reliability. To ensure the highest levels of application security, an additional layer of encryption, such as AES-128 or AES-256, should be used for messages and commands that are exchanged between servers and devices. This prevents unauthorized devices or users from accessing sensitive data in the event that the network or device is hacked.
Moving beyond the SNMP protocol, which still lags behind other security standards, is important as applying SDP in hyperscale and cloud datacenters will necessitate the use of industry-standard HTTP and TLS protocols for enhanced device and transport security.
Device authentication also is crucial for ensuring confidentiality and integrity, so consider the use of different mechanisms like user ID and password authentication, as well as certificate-based SSL and one-time password (OTP) authentication for an extra layer of security. Industry-standard websockets should be the default for persistent HTTP sessions.
According to the CIA Triad, availability is ensured through the elimination of single points of failure through redundant device designs, along with multiple and segmented network paths between devices and servers. Equally important is the use of proper tools for detecting and diagnosing the root cause of device failures to bolster resiliency.
HTTP-based device management tools offer heightened support and increased operational efficiency. With HTTP, device administrators can connect to devices securely from a browser for real-time views of device status, alerts and alarms. The ability to initiate tasks through a simple web interface streamlines routine tasks, such as server configuration, device authentication, firmware upgrades and device replacements.
Implementing centralized device management of SDP solutions not only eases large-scale deployments, it enables administrators to easily manage multiple devices from a single console while executing management operations with a single click.
With secure SDP deployments, cloud and colo providers can have their cake and eat it too by aggregating and reallocating power resources to racks, nodes, workloads and circuits as needed, without introducing unforeseen risks into secure data center environments.