dcm magazine

Penetration testing within the datacentre
Wednesday, 08 July 2009 00:00

Mike Yaffe, director of product marketing, Core Security Technologies looks at security in the datacentre

Over the last decade, penetration testing has evolved from a clandestine activity into a widely embraced security practice and the growing influence of emerging IT security regulations including PCI-DSS will only propel it even further into the mainstream. However, for data centre managers, is penetration testing a fundamental requirement? Or as a pure infrastructure provider, does this process represent a practice that has not yet become widely adopted?

This debate is only clouded further by some organizations’ lingering concerns regarding the credibility of ethical hackers, along with privacy concerns and legal issues that may apply to penetration testing carried out within mixed customer environments. With security spending still on the rise and a constant stream of newly reported data breach incidents that have exposed millions of credit card accounts, the question remains, what role can penetration testing play in securing the data centre?

“Hackers want to breach servers and data centres are good targets,” said Kevin Gourlay, head of Security Testing at data security specialists Global Secure Systems, “But the data centre is normally a well protected environment, so they will look for a weak link.”

Gourlay contends that uniquely powerful IT assets distributed within most organizations, such as desktop PCs assigned to network admins, or more widely available targets, including remote user connections, will always be other attractive targets for attackers and data thieves seeking to break into enterprise networks.

Even as a Certified Ethical Hacker with over three decades of experience, Gourlay observed that adoption of penetration testing in the data centre is not yet commonplace.

Securing against the insider threat is still more of a focus for many organisations, according to the expert.

“Systems are getting more secure but humans are probably not,” he said. “Penetration testing won’t stop poor procedures or malicious employees.”

From a technical point of view, penetration testing within a shared environment introduces additional hurdles, according to the expert. Gourlay recalled one client engagement where his team was compelled to stop testing because the systems they were working on had multiple customers running within a shared environment, and the separation between the clients was so poor that the testing could have unintentionally affected multiple constituencies.

Although Gourlay and many other experts agree that OS and application security has improved over the last 20 years, they also agree that the tactics of hackers have kept pace. In response, the tools used to help data centre managers conduct security audits have also grown in number. Alongside a wave of vulnerability scanners, automated penetration testing tools such as Core IMPACT have also proven increasingly popular.

Even with a clutch of awards in hand that give praise to the automated testing capabilities of his company’s IMPACT software, Mike Yaffe, director of product marketing at developer Core Security Technologies, insists that penetration testing is, in essence, a human activity.

“The data centre is the jewel in the crown for a hacker, but the route they will take to a potential breach won’t be the front door, and penetration testing is about testing the periphery and the obvious,” Yaffe said.  “Technological solutions can’t replace the human ingenuity needed to protect IT infrastructure via manual testing, but automated testing technologies can certainly speed up the process and make it less error prone.”

Yaffe highlighted the role that IMPACT can play as a powerful method for reducing the grunt work required of security specialists or penetration testers in examining all possible avenues for compromise, serving a role similar to that of “a calculator to a scientist.”

He recognised that testing in some mixed client environments may create some concerns, but countered that, “for the data centre manager, the goal is to make sure that at the very least things are secure on an infrastructure level.”

This reassurance must be gained by testing common applications, hard and soft firewalls, and most importantly, systems management interfaces that are web driven and allow users to manipulate their hosted assets, Yaffe said.

Trying to find a wide-reaching survey on the penetration testing habits of data centre managers is a futile task, as no definitive study yet exists. In the UK, some of the earliest and most secure data centres were run by government agencies and as such have been overseen by the Communications-Electronics Security Group, part of GCHQ.

These centres were bound by a scheme called CHECK, which helped to define a formalised approach to technical assurance through penetration testing. CHECK is still fully active and used extensively as the baseline for UK government security testing standards. It is still mandated for all local and central government systems today and asked for by many private organisations as a qualification.

Alongside CHECK, the Council of Registered Ethical Security Testers (CREST), a not for profit organisation, is also helping to establish non partisan and trusted security practices. Founder and President of CREST, Ian Glover, has worked extensively within the CHECK scheme and is a leading expert on the UK security space.

“We have standards in place like the ISO 27000 series which do a good job of helping organisations to implement risk assessment and manage policy,” comments Glover, “…but they do not actively test the environment at a technical level.”

In his view, there is still a big gap between management level and technical level security in the data centre. Data centre managers at the very least need to get their own houses in order and provide an appropriate and consistent level of security, and penetration testing can be a vital element of this process, Glover observed.

“They need to test their environment and ensure that elements around the infrastructure are secure and be in a position to provide assurances to their clients,” Glover said, and at best, encourage clients utilising CREST services to validate the security of the services provided.

Glover actually goes further in his view on regulation than even some existing guidelines that actively require pen tests, including the card industry’s PCI Data Security Standard. Candidly, he believes that mandated penetration testing, rather than simple vulnerability scanning, could fall into the remit of organisations like the Financial Services Authority if there were to be a breach in the UK on the scale of the recent US cases where the involved financial institutions potentially lost millions of credit card details.

As one of the few non-commercial organisations within this space in the UK, the stance of CREST offers a compelling and influential argument. All the experts seem to agree that, broadly speaking, penetration testing is needed in the data centre, and that data centre managers need to start doing their bit.

In terms of whether they have the power or even the requirement to make sure the applications housed by clients within their facilities are regularly tested and secure – the jury is still out. The software industry is developing increasingly sophisticated technologies such as Core IMPACT that allow penetration testers and security administrators to quickly develop baseline security assurance policies.

Data centre managers understand the need to test physical protection systems such as fire suppression, UPS and network failovers – penetration testing is likely to soon become part of this standard test procedure.