Rationalise and Consolidate
Datacentre consolidation is one of the most important issues currently exercising the minds of enterprise level CIOs and IT professionals.
The challenge when consolidating operations is managing the transition while running Business-As-Usual (BAU) and maintaining the integrity of Cyber defences, particularly in a high threat environment.
Cyber defence in the context of this article revolves around threats posed by committed threat sources employing “threat actors” with advanced skills targeting a specific company’s environment. This type of threat is characterised as an Advanced Persistent Threat (APT) and is in the top three IT security concerns. APTs arguably hold the number one position occupying the minds of the CIO, CSO and CEO.
Advanced Cyber Attacks- Advanced Persistent Threat (APT)
APT attacks are usually carried out without exploit tools and conducted over extended periods with a strategic goal. Truly advanced attacks are Credential (user name and password) driven using Remote Access Trojans (RAT) disguised as legitimate system software components that communicate undetected to an external command and control (C&C) node.
Credential driven attacks may therefore use advanced threat actors with specialised System Administration knowledge across a range of systems including Unix, Linux, Windows and SCADA-based Industrial control technology frameworks. A key characteristic of an APT attack is vertical and lateral privilege escalation using credentials taken from an infected End User Device (EUD).
The nature of an APT is that it will primarily exploit design and configuration weaknesses. During a Datacentre consolidation, the integrity of the design and configuration is at an elevated risk of compromise. The change associated with Datacentre consolidation may therefore exacerbate any existing design and configuration weaknesses.
Cyber Threat Landscape
Transitions or transformations involving Data Centre Consolidation can represent an opportunity for an advanced threat actor to identify “in-flight” consolidation projects during a reconnaissance phase of an advanced attack execution.
Data Centre Consolidation opportunities
The attraction of reducing complexity and the resultant or expected drop in operating costs is usually a fundamental basis of IT transformations. Other conditions that may present an opportunity for Data Centre consolidation are:
· Exponential increase in Compute (CPU, RAM & Storage) Density- frees up Datacentre floor space
· Moving from dedicated Physical Hosting to multi-tenant Cloud services- e.g. Payroll and CRM
· Outsourcing non-core IT services- remaining in-house compute assets can be consolidated
· Leveraging order of magnitude economies of scale- enabled by compute density & Cloud
· Communication link cost savings- reducing WAN links by converging on a single Datacentre
Cyber Attack Surface
Reduction in System and Compute complexity should at least theoretically reduce a business’s Cyber ‘Attack Surface.’ The technical and process Cyber attack surface can be expressed as a combination of:
· Core functional Systems, Data, Network and supporting Computing resources
· Datacentre based hosting environments
· Supporting Operational Services: Configuration, Release, Patch, Performance, Availability and Change Management
The above three aspects effectively represent an extended attack surface susceptible to a large range of attack vectors. Reducing complexity across all three aspects can reduce the attack surface.
However, the Datacentre hosting environment supporting a Customer’s Server environment and any Operational Support Services (e.g. release management) will likely be a standard offering with constrained physical and environmental settings. Additionally, the Datacentre site, administration and command & control will involve several vendors/partners. These partners form part of the attack surface and can also potentially represent a threat to the Datacentre customer’s hosted server environment.
Datacentre Consolidation- reducing the Cyber attack surface
Reducing complexity
Consolidation that involves IT Estate rationalisation, and therefore a reduction in complexity, can have a positive impact on Cyber Security in respect of the customer’s Core IT Functional Assets. However, any benefit requires People, Process and Technology Cyber security measures to be re-configured and re-calibrated to the rationalised IT environment.
Where consolidation occurs without a customer’s server rationalisation there still is a potential marginal Cyber Security benefit due to a slight attack surface reduction.
Datacentre Environment supporting (or not conflicting with) Cyber Security
Where possible, the Datacentre environment’s physical and technology security controls supporting the hosted Customer Server environment should be configured to align with the customer’s Cyber Security controls. This means strict People, Process and Technology measures to enforce physical, virtualised compute and network segregation. This is particularly important in multi-tenanted hosting Datacentres. Additionally, coordination between the Datacentre Network Operations Centre (NOC) and the customer SOC should be carefully set up to reflect the distinct transition phases and future state operations.
Operational Support Services
Operational Support Services, e.g. Configuration, Release and Patch Management, whether outsourced to third parties or under the direct control of the customer, will continue to represent a threat since they exist as a distinct set of tools and processes with interactive electronic access to the Datacentre customer IT environment.
Remote support and maintenance channels from third party vendors represent additional attack vectors. A consolidation should seek to:
· Rationalise the processes and tools underpinning Operational Support Services.
· Assess third party vendor security posture, compliance (e.g. PCI, ISO27000) and how strictly vendor access is controlled and monitored in a Security Operations Centre (SOC).
Transition Risk
During a consolidation project that involves IT/System asset rationalisation, technical controls can be compromised due to the priority of maintaining BAU- e.g. enabling open access to certain LAN segments where firewall rules are no longer relevant to the revised environment. Malware detection involving finely tuned network and host sensors will likely become misaligned with the revised environment, particularly where network segmentation is impacted.
In addition, during a transition phase, a SOC will likely experience a large number of “false positive” and “false negative” alerts. Discerning what is a genuine alert becomes a challenge leaving the Customer IT environment more vulnerable to an APT attack.
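The two transition risks above (firewall rules left behind from the old estate, and sensor coverage that no longer matches the new segmentation) lend themselves to a simple automated check as part of the consolidation change control. The following is an added example written for this article, not a tool or procedure from the original text. The rule set, the post-consolidation subnet inventory and the sensor-monitored ranges are all constructed sample data, and the function names (`review_rules`, `sample_review`) are hypothetical. It flags allow rules that reference ranges no longer in the inventory, allow rules that grant any source on any port (the kind of "temporary" BAU opening the article warns about), and live segments that no network sensor covers.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall rule; src/dst are CIDR strings or the literal 'any'."""
    name: str
    src: str
    dst: str
    port: str     # "22", "5432", or "any"
    action: str   # "allow" or "deny"


def _overlaps_inventory(cidr, inventory):
    """True if cidr is 'any' or overlaps at least one live subnet."""
    if cidr == "any":
        return True
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(live) for live in inventory)


def review_rules(rules, live_subnets, sensor_subnets):
    """Return a list of (subject, kind, detail) findings.

    kind is one of:
      'stale'       - allow rule references a range not in the live inventory
      'over-broad'  - allow rule permits any source on any port
      'unmonitored' - live subnet has no network sensor coverage
    """
    inventory = [ipaddress.ip_network(s) for s in live_subnets]
    sensors = [ipaddress.ip_network(s) for s in sensor_subnets]
    findings = []

    for rule in rules:
        if rule.action != "allow":
            continue  # deny rules cannot widen the attack surface
        stale = [c for c in (rule.src, rule.dst)
                 if not _overlaps_inventory(c, inventory)]
        if stale:
            findings.append((rule.name, "stale",
                             "references decommissioned range(s): "
                             + ", ".join(stale)))
        if rule.src == "any" and rule.port == "any":
            findings.append((rule.name, "over-broad",
                             "permits any source on any port"))

    # Sensor alignment: every live segment should fall under a monitored range.
    for live in inventory:
        if not any(live.overlaps(mon) for mon in sensors):
            findings.append((str(live), "unmonitored",
                             "no network sensor covers this segment"))
    return findings


def sample_review():
    """Run the check over constructed post-consolidation data."""
    # Constructed: the surviving estate after consolidation into one site.
    live_subnets = ["10.20.0.0/24",   # application tier
                    "10.20.1.0/24",   # database tier
                    "10.30.0.0/24"]   # management segment
    # Constructed: sensors were re-pointed at the server tiers only.
    sensor_subnets = ["10.20.0.0/23"]
    # Constructed rule set; 10.10.0.0/16 is the decommissioned old site.
    rules = [
        Rule("allow-legacy-dcA-admin", "10.10.5.0/24", "10.20.1.0/24", "22", "allow"),
        Rule("temp-bau-any", "any", "10.20.0.0/24", "any", "allow"),
        Rule("app-to-db", "10.20.0.0/24", "10.20.1.0/24", "5432", "allow"),
        Rule("deny-all", "any", "any", "any", "deny"),
    ]
    return review_rules(rules, live_subnets, sensor_subnets)


if __name__ == "__main__":
    for subject, kind, detail in sample_review():
        print(f"{kind:<12} {subject:<24} {detail}")
```

Running it reports the legacy admin rule as stale, the temporary BAU rule as over-broad, and the management segment as unmonitored; the app-to-db rule passes. The inventory and sensor lists would in practice be exported from the CMDB and the sensor configuration at each transition phase, so the check can be re-run as the environment changes rather than once at cut-over.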
Concluding thoughts
Datacentre Consolidation can represent significant physical and logical change to a customer’s hosted Server environment. This change can significantly degrade Cyber defences and increase the vulnerability to an APT attack. Such an attack can also be far more damaging than would otherwise have been the case.
All businesses have a Cyber attack surface represented by the Core Functional IT System Architecture, Datacentre Hosting Environment and Operational Support Services, which can be exploited by a skilled advanced attacker.
Any consolidation exercise should include a Cyber Security Impact Analysis (under change management process) covering the Core Functional IT System Architecture, Hosting Environment and Operational Support services. Change control and appropriate governance involving the right stakeholders is a fundamental part of this approach.
Lastly, the transitioned environment should be assessed to establish how exposed the business is to an APT attack. Re-configuring firewalls, Malware rules and sensors is unlikely to be enough. Good practice is running a simulated APT attack across the transitioned environment, i.e. a snapshot of its state after cut-over. This will confirm the consolidation has not created a vulnerability that can cost far more in a breach situation than the savings planned by the consolidation per se.