Cyxtera experts Chip Freund and Chris Steffen discussed 8 steps to secure and optimize data center connectivity in a recent webinar. Here we summarize four of those steps.
Step One – Out of band and management connections
POTS lines into modems, cellular (3G/4G) connections, and Intelligent Platform Management Interface (IPMI) ports are all out-of-band and management connections that require extra security. If you are not watching them, they can become real security and financial issues.
For example, the POTS line, that plain old telephone line, is a real thing. When you move management access from old POTS lines to an internet-based VPN into your management console, the modems stay attached to the POTS lines unless you disconnect them, and they still provide access to your systems.
To secure these connections, the obvious first step is an audit, which gives you a better understanding of the management, backup and DR connections to your primary data center or colo facility. A colo provider can do a cross-connect audit for you, or you can look at your telecom bills. Next, disconnect the connections no longer in use to remove that point of entry into your environment. This not only helps to secure your data center or colocation environment, it also stops you paying for connections not in use. Finally, document all of the connections to your systems and secure them, either by eliminating them, determining their usability or updating their usability.
Step Two – Backup and redundant connections
Step two builds on the previous point and is really all about network connectivity. Legacy technology is still out there (ISDN, cellular backup, VPN over satellite on-demand, other broadband VPN), and if you are not giving it the same level of security scrutiny as your primary infrastructure, you can be vulnerable.
Many times we try to plan ahead, yet our planning neither takes advantage of nor decommissions older technology that is no longer needed. Conduct an audit, understand what connections are available, and make certain you have decent documentation that maps the services in use for backup and any redundant connections. Disconnect what is not in use and secure what is in use to make certain there are no unsecured connections into your environment.
Step Three – Third-party connections
Third-party connections are another connectivity issue to review. For example, a third-party contractor may have indirectly provisioned connectivity not to your data center, but to a corporate office to provide remote management of equipment or HVAC environments. Much of this has moved to the internet, but there are still legacy connections. Even though these may be connecting to an office environment, there may be a path back to your data center. In fact, many would be shocked at how these connections proliferate. When you review the breaches that happen every single year, many have to do with an unmonitored third-party connection.
Take action by once again conducting an audit of these connections. Avoid direct connections to the corporate LAN, use a separate VLAN, and document and secure those connections.
Step Four – Old or abandoned circuits
It’s very common for data center customers to put up temporary circuits for a special project. At the end of that project, they may think the circuits were disconnected when, in fact, they are still live. If live, those circuits are connections that could cause issues.
Consider WAN circuits from a former network provider. More specifically, if switching from provider A to B, make sure that you know that provider A’s circuits are disconnected. Another source is abandoned extranet connections to business partners.
Separate dedicated extranets were built before the internet became the center of business communications, and they are still out there, particularly in the manufacturing sector. If a supply chain member had access to the extranet but no longer exists, you may have abandoned connections there that are still live.
Abandoned also doesn’t mean years ago; it may be yesterday, when a company merged or was acquired. There may be a circuit that people thought was decommissioned, but wasn’t. You’re still paying for it and it may be a door into the data center or colo environment.
Audit old or abandoned circuits by looking at cross connections, and evaluate telecom expenses as part of a continuous, auditable review to make certain those circuits are valid. Any circuits that you’ve acquired and no longer need should be decommissioned, secured or retired. Document and secure those connections, especially during M&A activity, to avoid tribal knowledge, i.e., “Bob set this up, but he’s no longer here.”
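The audit described in steps one, two and four can be run as a reconciliation of three sources: the cross-connect audit, the telecom bill and the documented circuit inventory. The sketch below is an added example, not material from the webinar or from Cyxtera; the CSV layouts, field names, status values and circuit IDs are all assumptions constructed for illustration.

```python
# Added example: reconcile a cross-connect audit and a telecom bill against
# the documented circuit inventory. All records below are constructed.
import csv
import io

# Constructed sample data; circuit IDs, fields and owners are hypothetical.
CROSS_CONNECTS = """circuit_id,type,cage_port
CKT-1001,WAN,A1-07
CKT-1002,POTS modem,A1-12
CKT-1003,ISDN backup,A2-03
CKT-1005,Extranet,B4-01
"""
TELECOM_BILL = """circuit_id,monthly_cost
CKT-1001,850.00
CKT-1002,42.50
CKT-1004,1200.00
CKT-1005,600.00
"""
INVENTORY = """circuit_id,status,owner,purpose
CKT-1001,active,netops,Primary WAN
CKT-1002,decommissioned,netops,Console modem replaced by VPN
CKT-1004,decommissioned,,Temporary project circuit
CKT-1005,active,,Partner extranet
"""

def load(text, key="circuit_id"):
    """Index CSV rows by circuit ID."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(text))}

def reconcile(xc_csv, bill_csv, inv_csv):
    """Return {circuit_id: [findings]} for every circuit that needs review."""
    xc, bill, inv = load(xc_csv), load(bill_csv), load(inv_csv)
    findings = {}
    for cid in sorted(set(xc) | set(bill) | set(inv)):
        doc, issues = inv.get(cid), []
        if doc is None:
            issues.append("undocumented")         # live or billed, never written down
        elif doc["status"] == "decommissioned":
            if cid in xc:
                issues.append("still_connected")  # thought disconnected, still patched
            if cid in bill:
                issues.append("still_billed")     # paying for a retired circuit
        elif not doc["owner"].strip():
            issues.append("no_owner")             # tribal-knowledge risk
        if issues:
            findings[cid] = issues
    return findings

if __name__ == "__main__":
    for cid, issues in reconcile(CROSS_CONNECTS, TELECOM_BILL, INVENTORY).items():
        print(cid, ", ".join(issues))
```

Running the same reconciliation on each billing cycle gives the continuous, auditable review the step calls for.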
Remote access and VPNs, data center access control, third-party systems and unauthorized IT equipment are further discussed as steps to secure and optimize data center connectivity. Watch the on-demand webinar to hear our experts discuss what you can do to save money and secure your data center and colo facilities.