Mobility and Cloud Computing and the need for a new security concept

RestrictedThe current modern way of doing business and service provisioning is based on openness and agility.
This brings the traditional security concept in which an organization is positioned as an “information fortress” strongly under pressure. The traditional perimeter is vanishing and sensitive information travel outside your organization in many ways on many different devices. Mobility and Cloud Services is the name of the game.

For the most part business information is stored as unstructured data. Unstructured data refers to information that either does not have a pre-defined data model or is not organized in a pre-defined manner and is usually stored in files instead of databases.

This context creates a strong need for other security concepts. Instead of securing a predefined and fixed “location” the focus must be shifted to the actual security of information that is mobile; information security at the file level. Or in other words file protection and control beyond the perimeters of the enterprise because the rule set is stored with the file itself.

There are security products on the market that makes it possible to achieve security at the file level. Applying this security concept will affect the current and usual roles and activities related to security.

Still it is common that a security officer in cooperation with the system administrator ensures safe work areas to which firewalls, passwords and malware scanners protect access. The user organization is consulted and her voice, the voice of the customer, is found in the general security policy but the focus is on the security of the IT infrastructure. So bottom line security is an IT issue.

By implementing a security concept based on information security on the file level, one comes in very close contact with the daily operational activities of the users and the organization. Security choices have a much more immediate and greater impact on the work and activities than in a traditional security concept.

Who has when and where access to which information? The access management can be excellently managed by using the new file access management tools. But access management is not an isolated topic. Access is granted to individuals and groups, thus the topic of Identity Management comes in sight and should be very well organized. Access management is part of the triple A; authentication (identity management), authorization (access management) and accounting. These are well-known concepts in the security world but they were mainly applied to the level of IT infrastructure. Now that it is urgently needed to shift the focus of the security of the IT infrastructure to the security of information, one comes in very close contact with the daily work of the organization. This includes authorization, as well as authentication and accounting.

In the traditional division of labor a security officer defines a security policy, based on the input from the user organization and rules and legislation, and then align with the IT organization what mechanisms will be used to operationalize this policy. Product selection, technical equipping and the daily operation are performed by the IT organization. Thus the questions about why, how and with what are satisfied. In fact the user organization is only involved with the first question and it plays no role in the implementation. Also the security officer is hardly involved in the daily operations of the IT organization and the user organization. It is a slow top-down approach.
In fact in terms of a responsibility assignment matrix (RACI), one could say that the security officer is accountable, the system administrator is responsible and the user organization is consulted and informed.

The application of information security through access management at the file level puts this traditional work under pressure. The granularity of the access rights on file level is very fine-grained, in combination with the dynamics of working processes, the needed agility, and the shortening of time to deliver, is conflicting with the traditional hierarchical top down approach.

So to solve this issue a different way of working is required, where the user organization should be much more involved in information security or better stated they should in fact take the lead. After all it affects their daily work. The security officer, the auditor, and the IT organization must be well aware about the daily work of the user organization. They should gain knowledge about what is going on in the workplace to ensure that the access management is workable, that it produces the desired result, and meets the expectations of the user organization. Additionally, identity management and accounting at this micro level should also be taken into account.

To get information security by means of access management at the file level it is advisable to take a closer look at the different roles that are involved. These are the security officer, the auditor, the system administrator and the “super user” or functional administrator of the access rules for the user organization.

• The security officer is dedicated to define the information security policy and with which mechanisms (the solution approach regarding the security organization, workflow and technology) this should be realized. On behalf of the user organization.
• The auditor is the one that shows how accounting should take place (what are the control points, which information should be captured to comply with laws and regulations, what is the audit trail) and executes audits.
• The system administrator is the one that operationalizes the access management within the framework of the security officer and the auditor, and also takes care of the relationship (in terms of technology and execution) with the work areas of identity management and monitoring (accounting).
• The “super user” or functional administrator of the user organization is the one that actually manages the access rules within the framework of the security officer and the auditor.

To support the modern way of doing business and service provisioning we need to create an agile security organization, with a transparent separation of interests and responsibilities. Instead of a hierarchical security organization, a flat organization is needed where the “super user” is accountable, the system administrator is responsible, the security officer and auditor are consulted and the end-users get informed.

Datacenters need another perspective on security

As stated by Intel “Changing demands for bandwidth, processing power, energy efficiency and storage – brought on by such trends as cloud computing, big data, increased services and more mobile computing devices hitting the network – are driving the need for new architectures in the data center.”

Therefore we see that the datacenter world is making a transition from an artisanal mode of operation to an industrialized mode of operations. To make the industrialization of datacenters possible there is a need for uniformization, standardization, and automation to get the benefits of economy of scale.  One of the current big things in this datacenter transformation is DCIM.

Until recently there was a disconnect between the facility and IT infrastructure in the datacenter. To get rid of the limited visibility and control of the physical layer of the data center we see the rise of a new kind of system: the Data Center Infrastructure Management System (DCIM).

You could say that a DCIM system is the man in middle, a broker between the demands of the IT world and the supply of power, cooling, etc. from the Facility world. The DCIM is layered on top of the so called SCADA system. Where SCADA stands for Supervisory Control And Data Acquisition, the computerized control systems that are the heart of modern industrial automation and control systems.

So currently DCIM is a hot topic, and the added value of the different kind of flavors and implementations of DCIM systems are heavily discussed.

But something is missing. The world, moves rapidly towards the digital age, whereSCADASecurity information technology forms a crucial aspect of most organizational operations around the world. Where datacenters provide the very foundation of the IT services that are provided. Therefore datacenters can be considered as a critical infrastructure, assets that are essential for the functioning of a society and economy. But how are these assets protected? And here we are not talking about the physical security of a datacenter or how save is your business data stored and processed in a datacenter. Here we are talking about the security of the facility control systems, the cooling, the power, etc.

Beware that DCIM functionality is not only about passive monitoring and dashboards but also about active controlling and automation. The information obtained with SCADA systems will become crucial to control the infrastructure sides of facilities and even IT equipment. With DCIM the traditional standalone SCADA and Building Management Systems (BMS) get connected and integrated with the IP networks and IT systems. But also the other way around, SCADA and BMS get accessible by means of these IP networks and IT systems. This, by misusing these IP networks and IT systems, creates the risk of a (partial) denial of service or damaged data integrity of your DCIM and SCADA/BMS systems and thus the disabling of a Critical Infrastructure: The Datacenter.

 In most organizations SCADA and BMS security are not yet in scope of the activities of the Corporate Information Security Officer (CISO). But awareness is growing. Although not specifically focused on datacenters the following papers are very interesting.

 From the National Institute of Standards and Technology the Guide to Industrial Control Systems Security or the  Checklist security of ICS/SCADA systems from the National Cyber Security Centre of The Netherlands or the white paper of Trend Micro

So read it, make your own checklist and get this topic on the datacenter agenda!