A comprehensive server management platform (also known as a data centre automation platform) is responsible for managing the full life cycle of server and application infrastructure. This responsibility includes the following:
Today, staff members are often organised into disparate operational groups, such as Windows, Unix, security and so on. They manage data centres manually, largely with a collection of vendor-specific tools and home-grown scripts. Collaboration between these groups is difficult due to the different toolsets they use and the varying security policies applied to each group. Introducing a data centre automation platform for provisioning, change and compliance can tremendously improve productivity and configuration stability.
However, a data centre automation platform can also be a back door for hackers and malicious insiders to access and manipulate sensitive server data - and not just from the outside. While there has been tremendous focus on protecting the perimeter of data centres with security infrastructure such as firewalls, a commonly cited figure puts insiders behind around 80 per cent of security breaches.
In a data centre, security is traditionally an "all or nothing" model. Users either have excessive privileges or insufficient access to servers: the trusted administrators often have full access to all servers, while support teams often have little or no access to the servers they need. The result is that data centre security consists of a hard outer shell with little internal structure.
Implementing a data centre automation platform will let you address many of the insider security issues that plague operations, from establishing the appropriate level of access for all administrative personnel to ensuring that all communication related to administrative activity is encrypted and centrally logged. It is therefore imperative that IT managers carefully evaluate both the security architecture of a data centre automation platform and the benefits it offers for controlling insider security.
Key security issues
Questions to ask about core product security include whether the solution is based on agents. Low-end patching solutions can be agentless. However, a secure data centre automation platform for software updates, patching, and deep compliance scanning and remediation must be an agent-based solution: an agentless tool typically has to hold administrative credentials for every target and push commands over generic remote-login protocols, whereas an agent can authenticate the platform, enforce policy locally and report system state in depth.
The core components of a solution that store software, patches, build policies and compliance policies must also be protected against tampering, so that a malicious user cannot compromise their content and distribute infected software or configurations to target servers.
This means that insider security is crucial, so strong authentication and single sign-on are desirable attributes. Products should support Kerberos or certificate-based authentication backed by a public-key infrastructure (PKI), which usually requires integration with existing security mechanisms such as certificate servers or LDAP directories.
Agent communication should be encrypted and authenticated, as a secure communication infrastructure is critical to any data centre automation platform. Encryption prevents information leakage, and authentication of both ends ensures data integrity across the platform's various components.
Role-based access control (RBAC) defines roles, associates access privileges with each role and then maps users to roles. For example, separate roles allow security teams to define policies and operations teams to execute them, so that no single account can do both. A good RBAC solution is key to addressing the challenges related to insider security by providing the right level of access to servers across users and roles.
Cross-platform security requirements mean that support for a single OS is unacceptable for a data centre automation platform. The solution should be able to use Kerberos-based Windows Active Directory for strong authentication while simultaneously using an existing PKI for Unix servers.
Central logging provides a full audit trail of all administrative activity, allowing auditors to trace every action back to an individual user, and keeping the trail out of reach of the administrators whose actions it records. This is a core component of any secure data centre automation platform.
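As an added illustration of the RBAC and central-logging requirements above (example code written for this edit, not BladeLogic's product or any code from the original article), here is a minimal authorisation model in Python: roles carry privileges, users are mapped to roles, a separation-of-duties rule stops one account from both defining and executing policy, and every authorisation decision is appended to a hash-chained audit log so that editing or deleting an earlier entry is detectable. The role names, permissions, users and server names are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed example data: role names, permissions, users and servers are
# hypothetical and not drawn from any real product.
# A permission is (action, server_class); "*" matches every server class.
ROLE_PERMISSIONS = {
    "policy_author":    {("define_policy", "*")},
    "unix_operator":    {("run_policy", "unix"), ("read_config", "unix")},
    "windows_operator": {("run_policy", "windows"), ("read_config", "windows")},
    "auditor":          {("read_audit_log", "*")},
}

# Separation of duties: whoever writes a policy may not also execute it.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"policy_author", "unix_operator"}),
    frozenset({"policy_author", "windows_operator"}),
}

SERVER_CLASS = {"db01": "unix", "web02": "unix", "ad01": "windows"}
GENESIS_HASH = "0" * 64


class SeparationOfDutiesError(Exception):
    """Raised when a role assignment would violate a conflicting-role rule."""


@dataclass
class AuditEntry:
    ts: str
    user: str
    roles: list
    action: str
    server: str
    decision: str
    prev_hash: str
    digest: str = ""

    def compute_digest(self) -> str:
        # Commit to every field except the digest itself, in canonical JSON.
        body = {k: v for k, v in self.__dict__.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained central log: each entry carries the digest of
    its predecessor, so editing or removing an earlier entry breaks verify()."""

    def __init__(self):
        self.entries = []

    def record(self, user, roles, action, server, decision) -> AuditEntry:
        prev = self.entries[-1].digest if self.entries else GENESIS_HASH
        entry = AuditEntry(datetime.now(timezone.utc).isoformat(), user,
                           sorted(roles), action, server, decision, prev)
        entry.digest = entry.compute_digest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS_HASH
        for entry in self.entries:
            if entry.prev_hash != prev or entry.compute_digest() != entry.digest:
                return False
            prev = entry.digest
        return True


class AccessControl:
    """Maps users to roles and answers authorisation queries, logging each one."""

    def __init__(self, log: AuditLog):
        self.user_roles = {}
        self.log = log

    def assign_role(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        held = self.user_roles.setdefault(user, set())
        for existing in held:
            if frozenset({existing, role}) in CONFLICTING_ROLE_PAIRS:
                raise SeparationOfDutiesError(f"{user}: {role} conflicts with {existing}")
        held.add(role)

    def authorise(self, user, action, server) -> bool:
        roles = self.user_roles.get(user, set())          # unknown user -> no roles
        server_class = SERVER_CLASS.get(server)           # unknown server -> deny
        allowed = server_class is not None and any(
            act == action and target in ("*", server_class)
            for role in roles for act, target in ROLE_PERMISSIONS[role])
        self.log.record(user, roles, action, server, "ALLOW" if allowed else "DENY")
        return allowed


def build_demo():
    """Constructed set-up: one security policy author, two operators, one auditor."""
    log = AuditLog()
    ac = AccessControl(log)
    ac.assign_role("alice", "policy_author")
    ac.assign_role("bob", "unix_operator")
    ac.assign_role("carol", "windows_operator")
    ac.assign_role("dave", "auditor")
    return ac, log


if __name__ == "__main__":
    ac, log = build_demo()
    for user, action, server in [("alice", "define_policy", "db01"),
                                 ("alice", "run_policy", "db01"),
                                 ("bob", "run_policy", "db01"),
                                 ("bob", "run_policy", "ad01")]:
        print(user, action, server, ac.authorise(user, action, server))
    print("audit chain intact:", log.verify())
```

Two design points matter here. Authorisation is default-deny: an unknown user has no roles and an unknown server has no class, so both fall through to DENY rather than to an implicit grant. And the log records the denials as well as the grants, because on an insider investigation the refused attempts are often the more interesting half of the trail; the hash chain is what lets the auditor role trust that trail even though the operators it describes hold root on the servers where it was generated.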
Finally, a data centre automation platform must integrate with established management policies and existing security hardware. Examples include encryption standards, firewalls, VPN infrastructure and LDAP.
In terms of third-party validation, having a reputable security company audit a data centre automation platform's security architecture and also perform penetration testing is a critical step in establishing the validity and reliability of a solution's security model. Look for solutions that have already had their security model certified by an independent security firm.
If a thief is in the house, don't give him the keys to the safe. Ensuring that your data centre automation platform is secure is the most important project an organisation can undertake to address insider security while establishing a secure platform for data centre change and automation. A data centre automation platform that can control what the administrative community does on privileged systems improves insider security. Implementing role-based access control improves collaboration between operations and other groups and is equally important from a security perspective.
Vijay Manwani is a co-founder and the chief technology officer of BladeLogic, a developer of data centre automation software.