In a recent editorial, Peter Judge, the global editor of DatacenterDynamics, posed the question can management quell the embedded threat. The story led from an observation made by Ed Ansett of consulting firm i3 Solutions, that much data center critical infrastructure which can be controlled automatically, including UPS systems, power distribution equipment and cooling systems may have open backdoors to security threats that their operators are not aware of.
Cyber security is one of those topics which tends to raise its head in practically every DCIM user discussion I’m involved in these days. Taking a bit of a lateral path, it got me wondering how it was that in the natural world, great numbers of creatures (that pretty much all look, and probably taste the same) gathering together in a big herd, flock or shoal can be an effective strategy to avoid getting eaten? (DatacenterDynamics also published my thoughts on their own blog – Data Center Security: Is there safety in numbers?).
Mass behavior helps us hide in plain sight
To me, mass behaviour can sometime look like Mother Nature’s answer to the buffet bar. If you’re a predator, how could you say no to a big meal gathered in one place? Yet evidence seems to suggest that collective behavior such as a baitball is possibly an evolutionary response to being hunted (cf “Flocking Under Predation” by Dan Sayers 2009) which can actually increases survival rates.
There have always been all kinds of predators in the business world. It’s not a positive word and they rarely exist for the betterment of the businesses they target. In recent years the apex list has been joined by a new breed; the cyber criminal. The hacker.
With corporate digitization increasing almost exponentially, the perpetration of cyber attacks have become more prevalent. Symantec’s 2015 Internet Security Threat Report is a worrying read – cyber attackers are moving faster, defences are not. Attackers are streamlining and upgrading their techniques while companies struggle to fight old tactics.
In the data center, we’ve tended to practice a code of silence; if we don’t say anything about potential vulnerabilities perhaps hackers will simply maintain their traditional focus. But it’s a doomed strategy. The more important data networks become, the more the data, the IT and the underlying physical infrastructure will all be targeted.
Rhonda Ascierto, an analyst for 451 Research who I like personally and whose views I respect, recently claimed that up to 50% of data center physical infrastructure devices with an IP connection are at risk of attack. I’m not trying to start a panic here – Rhonda’s numbers could be a little high and it might be only 30% in reality (!).
Here’s the thing; we can learn a lesson from nature. If data center and security managers make a collective response, we can possibly make it a lot less easy for those attacking corporate domains to bite off a nice juicy mouthful. Predators are adaptive and therefore threats will change. The question is, are we safer if we stick with the herd – or if we go it alone?
In my opinion, the adoption of cloud and other managed services could provide the trigger for beneficial mass behaviour. Most companies that outsourced their data center infrastructure in part or as a whole have quickly recognized their service provider can be trusted to deliver predictable and cost-effective levels of uptime, power and cooling. They’ll write SLAs to guarantee their claims and produce the testimonials of high profile customers to build confidence.
As more and businesses turn to internet clouds to ensure that their IT services can keep pace with the speed of business, at Schneider Electric we’re increasingly of the opinion that trust is also the answer to security concerns. In this case though, trust is placed in the service provider to fully protect the internet gateway and all information passing that way.
What cloud users will exchange for their trust is moot. I’ll give you my thoughts about that in another blog. One thing is for sure though, they’ll almost certainly drive a harder bargain than those network users who famously exchanged computer passwords for candy in a security survey. It will mean a somewhat counter-intuitive paradigm shift as they move away from trusted old patterns of behaviour to outsource protection.
My old friend Wikipedia says safety in numbers is the hypothesis that by being part of a larger physical group, an individual is less likely to be victim to a mishap, accident, attack or other bad event. If we all go our own way on security matters, we’ll be easy meat. What’s more, if more of us persist in doing things our own way, then more points of weakness are created which in turn can only encourage more attacks. And that’s just not social!