Reinventing data center security, from the hardware up
To establish chain of trust through the stack, agencies must shift their attention to hardening infrastructure.
Never before have government organizations faced so many cybersecurity threats from so many sources. From hacktivists to organized crime to nation-states, bad actors are working around the clock to compromise government technology, infrastructure and people. Terrorist organizations are actively seeking to exploit software vulnerabilities, as evidenced by the recent National Security Agency advisory regarding ISIS and the BlueKeep vulnerability, a remotely exploitable flaw in the Remote Desktop Protocol service of older, unpatched Windows versions. Even amateur hackers pose an increased threat as toolkits developed by nation-states leak into the public domain.
Not surprisingly, cybersecurity is the No. 1 concern for CIOs. Gartner expects that the $90 billion spent on security in 2017 will grow to $1 trillion by 2022. Meanwhile, the Council of Economic Advisers reports that the cost of malicious attacks to the economy could be as high as $109 billion per year, while IBM estimates that the average cost per breach is $3.86 million.
With so much at stake, no government organization can afford infrastructure vulnerabilities. Yet combating cyber threats is an acute challenge for agency staff working against a backdrop of tightening budgets and resources.
Data center complexity adds to the cybersecurity challenge
Part of the management challenge for agencies is that data center environments have grown increasingly complex over the past decade. Workloads are running on premises, in public and private clouds and at the edge. Such diversity brings increased security risks.
Many CIOs are understandably concerned about where to place their critical workloads and want end-to-end security across environments. But the reality is that security risks are present in every layer of the data center stack. Attackers are aware of this and, having long targeted the application layer, are now leveling attacks further down the stack -- on hypervisors, boot drivers, firmware and even hardware, where a single compromise can undermine every workload above it.
While agencies, and particularly the Department of Defense, have worked in recent years to mitigate security risks in personal computers, they are beginning to realize the need to shift their attention to infrastructure. Traditional data center protections, such as detection and quarantine software, or perimeter controls, like firewalls, are no longer enough. By the time a problem has been detected, the damage has likely been done.
Sound security starts at the root of the infrastructure
To protect data at rest, in flight and in use, IT architects must start at the processor and firmware foundation, taking a holistic view of the organization's risks and establishing controls at each layer above it. Security must be designed into the data center architecture at the outset -- not bolted on afterward through a patchwork of point products.
Data center attacks at the application layer are comparatively easy to identify; the real threat is further down the stack, where attacks are harder to detect and remediate. Traditional detection tools have little visibility into firmware and hardware at the base of the stack, and some components add attack surface of their own. Hypervisors, for example, multiplex memory and CPU cores among virtual machines. That sharing of resources means a flaw in the hypervisor, or in the processor features it relies on, can expose every workload on the host rather than just one.
Establishing a chain of trust
A chain of trust is the key to establishing hardened security from the very first boot, and it starts with the trusted platform module. A TPM is a dedicated security chip (or a firmware-backed equivalent) rather than software: it holds cryptographic keys that are bound to that specific device and never leave it, along with platform configuration registers (PCRs) that record a running hash of everything measured during boot. Establishing a root of trust means that each layer of the stack (firmware, boot loader, hypervisor or kernel, and on up through libraries, services and applications) measures the next layer before handing off control and extends that measurement into the TPM. The TPM cannot be made to forget or reorder a measurement, so the final PCR values are a tamper-evident summary of the whole boot path; a verifier compares them, or a TPM-signed quote of them, against known-good values to attest that every layer is what it should be.
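The measure-then-extend chain described above, as an added illustration that is not code from the original article or from any TPM vendor. It models a SHA-256 PCR bank in plain Python: each boot stage hashes the next and extends the result into the PCR, the verifier checks a quote over a fresh nonce, replays the event log to confirm it matches the quoted PCR, and compares each stage against a known-good list. The stage images, the attestation key and the HMAC used in place of a real TPM signature are all constructed assumptions for the example.

```python
import hashlib
import hmac

# Assumption: a SHA-256 PCR bank. A real TPM resets its PCRs to all zeros at power-on.
PCR_INIT = bytes(32)


def measure(image: bytes) -> bytes:
    """Hash a stage image the way firmware or a boot loader does before running it."""
    return hashlib.sha256(image).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR_Extend: new = H(old || measurement).
    One-way and order-dependent, so a later stage cannot erase or reorder
    what was measured before it."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(stages):
    """Each stage measures the next into the PCR and appends to the event log.
    Returns the final PCR value and the log of (stage name, measurement)."""
    pcr = PCR_INIT
    event_log = []
    for name, image in stages:
        m = measure(image)
        pcr = pcr_extend(pcr, m)
        event_log.append((name, m))
    return pcr, event_log


def tpm_quote(pcr: bytes, nonce: bytes, attestation_key: bytes) -> bytes:
    """Stand-in for a TPM quote (constructed simplification): an HMAC over the PCR
    value and the verifier's nonce. A real TPM signs with an attestation key whose
    certificate chains to the device's endorsement key."""
    return hmac.new(attestation_key, pcr + nonce, hashlib.sha256).digest()


def attest(pcr, event_log, nonce, quote_sig, attestation_key, golden_stages):
    """Verifier side. Returns (ok, reason)."""
    # 1. Authenticity and freshness: the quote must cover the nonce we issued.
    expected = tpm_quote(pcr, nonce, attestation_key)
    if not hmac.compare_digest(expected, quote_sig):
        return False, "quote signature invalid or replayed"
    # 2. The event log must replay to exactly the quoted PCR value.
    replay = PCR_INIT
    for _, m in event_log:
        replay = pcr_extend(replay, m)
    if replay != pcr:
        return False, "event log does not match quoted PCR"
    # 3. Each stage must match its known-good measurement, in order.
    if len(event_log) != len(golden_stages):
        return False, "stage count differs from known-good"
    for (name, m), (gname, gimage) in zip(event_log, golden_stages):
        if name != gname or m != measure(gimage):
            return False, f"stage '{name}' differs from known-good"
    return True, "all stages match known-good measurements"


# Constructed sample stack; real images would be the firmware volume, boot
# loader binary, hypervisor image and so on.
GOLDEN_STAGES = [
    ("firmware", b"UEFI firmware v1.2 (constructed)"),
    ("bootloader", b"shim+grub 2.06 (constructed)"),
    ("hypervisor", b"hypervisor kernel 5.15 (constructed)"),
    ("application", b"service image (constructed)"),
]
ATTESTATION_KEY = b"constructed-attestation-key"  # lives inside the TPM in reality


def run_scenario(stages, nonce=b"nonce-001", verify_nonce=None):
    """Boot the given stages, produce a quote, and attest it. The verifier uses
    verify_nonce (defaults to the same nonce) so a replay can be simulated."""
    pcr, log = measured_boot(stages)
    sig = tpm_quote(pcr, nonce, ATTESTATION_KEY)
    return attest(pcr, log, verify_nonce or nonce, sig, ATTESTATION_KEY, GOLDEN_STAGES)


if __name__ == "__main__":
    print(run_scenario(GOLDEN_STAGES))
    tampered = list(GOLDEN_STAGES)
    tampered[1] = ("bootloader", b"shim+grub 2.06 with implant (constructed)")
    print(run_scenario(tampered))
```

Two points the simulation makes concrete: a modified boot loader changes the final PCR even though every later stage is pristine, and replaying the event log lets the verifier name the stage that changed rather than just reporting a mismatch. Note that the TPM records measurements but does not enforce anything by itself; enforcement comes from the verifier's policy, or from sealing keys to PCR values so that a tampered platform simply cannot unseal them.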
Until now, safeguarding infrastructure and application stacks in this manner was not easily achievable due to performance, complexity and cost factors. However, the technology and conviction now exist to do so.