
I have several datacentres and now I want to plan security for them, so they're resilient to external attacks.

I need to make a security model which will cover my web servers, auth servers, log servers, routers, databases and so on running on the Internet, and at minimum it should include:

  • OSI layers are present
  • source code handling
  • certification
  • secure operating system build, network policy and sql schema
  • encryption

Basically, there would be security on each layer, these layers would have to be linked, and the process managing them would have to be robust.

For the Secure Development Lifecycle I have seen Microsoft's SDL - is this appropriate for that stage?

User management and physical access are simple to understand and follow; that's not the big deal, and I have good alarm systems as well as monitoring. However, I do lack the above at the moment.

Andrew Smith
  • @AndrewSmith, my suggestion is to spend some more time thinking about what you want and identifying how to boil it down into a short, concise question that gets at what you really want. Can you get it down to one sentence? One paragraph? If you can, then create a new question with that -- it might help you get more answers. – D.W. Aug 07 '12 at 19:09
  • @D.W. I posted an answer to myself, to show basically what I am looking into: the combined process and the OSI layers integrated into the organization. It has to withstand both Mafias and Governments, as this is actually the case, so I need a proper model which is easy to follow, so that the weak spots are avoided at all cost; this way EVERYTHING has to be covered on just two pictures. – Andrew Smith Aug 07 '12 at 19:28
  • I'm not familiar with your use of the word "model". Do you mean, a cohesive security vision that articulates the plan for security at your organization? If so, that will be organization-dependent, but we can give you some resources to help you get started on thinking about that! – D.W. Aug 08 '12 at 03:41

2 Answers


OK, it sounds like you are asking for a policy, plan, and practices for secure system administration of a data center. I have some suggestions for you:

Start with a policy. Start by thinking out your security policy. Develop a written security policy, and gain approval from management.

Take a look at SANS's resources on security policies. They'll give you some ideas of things that might make sense for you.

Security plan. Develop a security plan. I suggest you start by building up an inventory of the data and systems you store, with some idea of how critical it is to the mission of your business. This will help you, because you should plan to devote the most energy to securing your most mission-critical assets.

Next, you might give a little thought to what are the most important kinds of attacks or threats that should receive the highest priority (either the most likely, given your situation, or the ones that would be most serious). You can brainstorm what threats you are most likely to face (e.g., who will have an incentive to attack you?), and use this to help you develop a plan for securing your organization.

Once you have inventoried your assets and prioritized the top security issues you are likely to face, develop a plan to mitigate the risks and protect your organization from these attacks. Take a look at the SANS list of top 20 security controls; they might form some elements of your plan, or might give you ideas for how you can protect your assets from these threats.

Execute. Next, implement your plan. You don't need to do everything at once; it is fine to pick a piece of your plan, execute on it, and gradually grow your security maturity level.

Security training. It might be helpful to have some training on good security practices for system administrators. I'm not the right person to ask, but others might have some suggestions. I think SANS has a good reputation for professional training in this area.

Resources for additional information. Take a look at Security policy for system administrators on this site.

You might want to take a look at the questions tagged security on ServerFault. ServerFault is a sister site where many professional system administrators hang out, and they have some good resources on topics related to security oriented for sysadmins.

You should be aware of professional organizations in this area, and consider joining them and making use of their resources. Look at SANS. They have many resources available on their web page.

Also, look into LISA, a Usenix professional association for system administrators. They have excellent conferences, good networking opportunities, and chances to keep up-to-date on the latest technology. Also, they have a booklet series with some information for sysadmins; see, e.g., System Security: A Management Perspective.

What about Microsoft SDL? Microsoft's SDL is fantastic -- but it is really oriented at software development. I don't think it's going to be as useful to system administrators, so it might not be quite the right resource for you.

D.W.
  • Regarding the SDL, a similar approach is taken by Puppet developers, so at scale it might apply that to make a change you need to do R&D – Andrew Smith Aug 08 '12 at 10:37

Because it's a difficult question, I am answering it myself with whatever I have come up with so far.

I have concluded that using OSI layers, as well as a Development Cycle-like process for the whole organization and its departments, delivers it.

The graph might not be self-explanatory, so here is the description.

  • On the right, there is a department / manager handling the security policy, like access, enforcement etc.
  • On the left, there is a department / manager handling stability, continuity, certification and exploit development.
  • On the top, there is the dev team working on their software, as well as datacentre designers and so on.
  • On the bottom, there is the automatic security system, e.g. encryption, anti-spam, IDS, IPS etc.

The arrows try to describe relationships: for a business to be stable, it needs to make requirements which have to go through the dev cycle, and the business also needs to develop new exploits (or acquire them, which is the case) to stay secure.

Now, this process can be applied to multiple layers, so e.g. I can split the organisation into Application, Network, Physical etc. and handle each separately.

By looking at the below, I can now see the reason for multiple encryption: each layer can feature some sort of artificial intelligence or encryption (bottom), hence it could be handled by the same department to some degree.

Awareness is the same as the SDL cycle: by researching it from all angles, one becomes aware of the issues. By going through this for each layer, one can accomplish total awareness and total security.

The important thing here is that between each layer there is authentication / IDS detection going on between the bottom and the right blue square.

Figure: Total Security Awareness

Figure: OSI Layers Triangle

Andrew Smith