Ever since the 1980s movie ‘War Games’, IT security has been depicted in terms of hackers – typically child geniuses – magically gaining access to computers with a few taps of the keyboard, creating all kinds of havoc in the process.
Over the past decade or so, in the public imagination, those hackers are more likely to be ruthless Russian ransomware gangs or shadowy groups supposedly linked with China’s People’s Liberation Army.
But while those threats may be real, most organizations’ edge data center operational and security risks are typically more mundane: people, whether malign or not, simply walking in through an unguarded door, or failing to close the door after them.
Indeed, says RF Code marketing director Gregg Primm, far from being shiny, gleaming server rooms humming with digital life and secured with the latest technology, the average edge data center might be found in a cupboard, a spare room, or whatever office space is available where the IT power is required.
And, he adds, they’re often untended, unguarded and almost forgotten about – until something goes wrong.
Rather than ransomware, the most realistic threat might simply be theft: not just of personal data being processed at the facility, of course, but the more mundane theft of hardware, stolen (most of the time) with the thought of turning a quick resale profit. Yet with uncontrolled access, any number of scenarios are possible.
“They’re not bespoke computer spaces, and they’re not necessarily well designed for sensitive electronic equipment, whether that’s in terms of temperature or humidity. They may even have plumbing running through the area, for example,” says Primm.
He continues: “I can’t tell you how many times we’ve heard from customers over the past decade or so when they’ve had a system outage. And when they check their records, they find out the outage happened while the cleaning crew was in, and it was literally caused by something like the cleaner propping the door open to a temperature-controlled space and not closing it properly when they’d finished.”
That’s just one example, but there are many more to choose from, adds Primm, including unencrypted backup drives disappearing and the data turning up on the black market, with deleterious regulatory implications, i.e. large fines, dented careers and blackened reputations.
“The ones I’ve seen have been primarily environment-related,” says Matt Riley, product manager, software, at RF Code. “I’ve seen unlagged pipes running through these rooms with condensation on them. I’ve seen rooms that do not have HVAC – they have relied on the doors being jammed open.
“Power capability is another one that we frequently run into, where servers are plugged into department store plug boards plugged into ordinary wall sockets. If the power blips or somebody trips over the cord, out goes the server and perhaps much more,” says Riley.
Part of this has been driven by a requirement to extend data processing as close to the corporate IT ‘need’ as possible – whether that’s the customers or a branch office. And that need is typically urgent, but limited geographically, restricting the range of choices and the time available to satisfy that need.
“It's also likely to be the case that there's fewer staff there and those staff are likely to be less security conscious. In addition, because these facilities are smaller, there's likely to be less of a security ethos surrounding them,” warns Riley.
In many cases, adds Riley, those server rooms might not even be exclusively for compute and could have people coming and going, for various legitimate reasons, with the corporate governance implications of such an arrangement overlooked.
“People going into that space may not even be there to interact with the compute but, while in there, they’ll mess something up while fumbling around in the room or knock a plug out of the wall for something that's meant to monitor the space, and they just don't notice,” says Riley. “It's invariably as much about human error as it is about an ill intent. And either of them can obviously result in outage problems, regulatory issues, and so on.
“A lot of these places weren’t opened with this kind of data processing or even responsibility in mind. It was just there, ‘hey, there's some space, and we have a need. So let's plug some things in and go’. Furthermore, retro-fitting an area for security can be difficult. So organizations are trying to work within the limits of what they've got, whether that's in terms of the personnel available or just the physical space. They just weren't designed with IT security in mind.”
Quite simply, the current proliferation of edge data center facilities hasn’t been planned down to the final dot and comma in the same way, perhaps, that the development of the main corporate data centers was.
“There isn’t a person that has been specifically designated as responsible to manage these spaces. Sometimes, it’s the data center managers. Sometimes it’s just the local manager, where that business happens to be; or whoever the most senior person on the ground there takes responsibility,” says Riley.
Stepping into the light
With corporate IT having grown over the decades, gone through consolidation, been put into the cloud, been subjected to digital transformation and so on, one of the first steps has to be, quite simply, an audit of IT assets: where they are, and what they’re doing, says Primm. And that has to be conducted with a consideration for security, he adds: who’s in charge of those computing assets and how are they secured?
“You’ve got to look at your edge spaces from the perspective of how well they’ve been designed in terms of environment control. Very often, it’s going to be ‘they haven’t been’ and so then you’ve got to understand where the exposures are.
“Is access to those spaces restricted and how insecure are the spaces? How secure do they need to be to ensure that when people need access to them, we can limit access to only the right people?
“Then, are the spaces staffed with the right skills so that if there’s a problem, it can be recognised and addressed, or do you need a system in place to diagnose and deploy those skills when problems arise?” asks Primm.
Having identified those security and environmental shortcomings, the next step is to prioritize the remediations, implementing the solutions based on the facility’s importance and whether data is stored there or not.
Either way, says Primm, one of the keys is access control or, at the very least, being able to monitor the various comings and goings in and out of the facility. Even if such measures are in place, they need to be revisited, he adds. “If access is via a badge, you need to review the policies and ask who’s allowed to go in there – often, that gets overlooked.
“Some of the potential vulnerabilities may just be part and parcel of these spaces’ design and you may not be able to do anything about that, or it may need to be accessible to more than just your trusted IT personnel. In that case, you’ll need to adopt solutions that can help you address the inherent risks associated with that.
“This is where having visibility into locations, whether with cameras, sensors or a combination of the two can give you instant notification of problems based on enough data so that you can determine what might be going wrong before a problem becomes a system outage,” says Primm.
A number of factors need to be monitored by those sensors, he continues, including temperature and moisture levels within the server room, as well as sensors covering for power outages, and smoke detectors in case of fire. Electronic door access linked to a video feed is also recommended for security.
“If you’re talking about truly unstaffed, lights out data centers, video monitoring can be critical in terms of remotely diagnosing many problems – you have to have visibility into the facility to know what the current situation is, as well as the events that led up to that situation. You don’t want to go in completely blind so that the personnel know what they’re facing and can go prepared,” says Primm.
If, for example, a server has failed, it will need to be replaced and data restored from backup, but sensor data and video feeds may also reveal how and why the server went down so that the cause of that failure can be eliminated.
It also helps, adds Riley, for electronic access control systems to be personalised so that you know who entered the room. “In some rooms we've seen they’ve had personnel files alongside the compute space. So employees needed to be in that room to access those files, but not to access the IT equipment. So knowing exactly who has been in that room and why can be helpful,” says Riley.
The most common type of access control, however, comes in the form of a four- or five-digit combination lock, unconnected to any monitoring system, rather than RFID badges or smartcards.
In many respects, therefore, organizations need better policies to govern their approach to edge data centers, and those policies need to include the types of security and monitoring they have, bearing in mind the workload running in the data center.