How to secure the data center's expanding attack surface
CIOs must adapt to an expanding data center attack surface by securing all IT access points and adopting zero trust networks and identity management strategies.
The expansion of cloud and hybrid data centers enables greater operational flexibility and efficiency, but it also creates a more complex security landscape. Potential vulnerabilities can emerge from many access points, including cloud services and edge devices.
The data center attack surface includes all potential entry points into IT systems, data, equipment and infrastructure that a bad actor could access. In today's digital world, this attack surface might be a cloud service, or even a power generator or a CT scan machine in a medical facility. Securing all IT access points in an ever-expanding data center infrastructure is a challenging task.
This article explores strategies CIOs can use to effectively manage and safeguard their data centers amid increasingly advanced security threats.
Redefine the data center
CIOs already know that their data center environments are expanding and will continue to do so at a fast rate. However, non-IT stakeholders, such as the CEO, the board and other C-level executives, may not recognize this new data center reality. What these stakeholders do understand is that they don't want a security breach to affect their companies, whether it happens in the central data center, the cloud or at the edge.
There are even parts of a company's ever-expanding data center that IT might not be aware of. For example, say there is a citizen IT project in sales, funded by a separate sales budget and independently implemented with a new software vendor. Some CIOs dismiss this, believing it is not their concern as they were not notified about the new user system, so how can they be expected to secure it?
Nevertheless, the enterprise will ultimately rely on IT to protect its technological assets, regardless of where the technology is located or who uses it. These conditions have led to the concept of a data center without borders, along with an expanding attack surface in a borderless data center that IT must manage.
IT teams cannot effectively prevent security breaches if they are unaware of new cloud services that user departments subscribe to. Additional vulnerabilities arise when new groups of users in remote edge locations are not properly trained in security policies. To address these challenges, IT needs more resources to manage the expanding security attack surface. This requires increased funding and support from non-IT stakeholders who influence the budget.
All of this ultimately comes down to the talking points CIOs must present to non-IT stakeholders to obtain the necessary security resources. These talking points should address security and its role in managing corporate risk. From there, the CIO can explain how the attack surface of the data center has grown considerably, and with it, the need to invest in and protect a larger, more complex attack surface.
Adopt zero trust networks and identity management
A user may have different responsibilities and permissions at various edge sites where they work, and each site might independently fund and use its own cloud service provider. IT might not even be aware of these edge user cloud subscriptions.
CIOs can address this issue by deploying zero trust networks throughout the organization. The strength of zero trust technology lies in its ability to identify any IT assets, including new cloud services that are added, removed or modified across the enterprise network. This provides IT with comprehensive visibility into everything happening across all edge sites -- enabling it to enforce security, compliance and governance across the entire organization.
A second critical security technology for the expanded data center attack surface is user ID management software. Most IT departments already use this software in the form of identity access management (IAM), which can monitor and track user activities and access permissions across all on-premises networks. IAM verifies user identities and ensures they access only authorized IT assets.
Cloud identity entitlement management (CIEM) is similar to IAM but is designed for cloud environments. CIEM can't monitor on-premises user access permissions, and IAM can't manage user activities and access permissions in the cloud.
To facilitate comprehensive user ID and access management through a single pane of glass, it is essential to implement identity governance and administration (IGA) technology alongside IAM and CIEM. This technology offers a broad framework for monitoring users in cloud and on-premises environments, as well as for establishing identity policies and security measures.
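The following is an added example, not code from the article or from any IAM, CIEM or IGA product, showing what the "single pane of glass" described above looks like in practice. It assumes two constructed entitlement exports (an on-premises IAM feed and a cloud CIEM feed) and a constructed list of the cloud tenants IT knows about. An IGA-style reconciliation merges the feeds per identity and applies three governance checks that follow from the preceding sections: cloud accounts with no corporate identity behind them (the citizen-IT subscription IT was never told about), identities holding privileged roles in both realms, and cloud tenants missing from IT's asset inventory. All names, tenants and roles are placeholders.

```python
"""IGA-style reconciliation of on-prem IAM and cloud CIEM entitlements.

Added example; the feeds below are constructed, not exported from any real
directory or cloud provider. Identity and tenant names are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    realm: str      # "onprem" or "cloud"
    identity: str   # corporate user id (email-style placeholder)
    resource: str   # AD group or cloud tenant the entitlement applies to
    role: str       # e.g. "member" or "admin"


# Constructed on-premises IAM export (e.g. directory group membership).
ONPREM_IAM = [
    Entitlement("onprem", "alice@example.com", "AD:Domain Users", "member"),
    Entitlement("onprem", "alice@example.com", "AD:Domain Admins", "admin"),
    Entitlement("onprem", "bob@example.com", "AD:Domain Users", "member"),
    Entitlement("onprem", "carol@example.com", "AD:Domain Users", "member"),
]

# Constructed cloud CIEM export covering every tenant the CIEM tool can see.
CLOUD_CIEM = [
    Entitlement("cloud", "alice@example.com", "tenant:corp-prod", "admin"),
    Entitlement("cloud", "bob@example.com", "tenant:corp-prod", "member"),
    # Citizen-IT subscription: no on-prem identity was ever provisioned.
    Entitlement("cloud", "dave@example.com", "tenant:sales-crm", "admin"),
    # Edge site that funded its own tenant without telling central IT.
    Entitlement("cloud", "carol@example.com", "tenant:edge-site-7", "member"),
]

# Constructed asset inventory: the only cloud tenant IT formally manages.
KNOWN_TENANTS = {"tenant:corp-prod"}
PRIVILEGED_ROLES = {"admin"}


def build_identity_view(onprem, cloud):
    """Merge both feeds into one per-identity view (the 'single pane')."""
    view = {}
    for ent in [*onprem, *cloud]:
        view.setdefault(ent.identity, []).append(ent)
    return view


def find_shadow_accounts(view):
    """Identities that exist only in the cloud feed: IT never provisioned them."""
    return sorted(
        ident for ident, ents in view.items()
        if all(e.realm == "cloud" for e in ents)
    )


def find_dual_privileged(view):
    """Identities holding a privileged role on-prem AND in the cloud."""
    return sorted(
        ident for ident, ents in view.items()
        if {e.realm for e in ents if e.role in PRIVILEGED_ROLES} == {"onprem", "cloud"}
    )


def find_unknown_tenants(cloud, known):
    """Cloud tenants seen by CIEM but absent from IT's asset inventory."""
    return sorted({e.resource for e in cloud if e.resource not in known})


def governance_report(onprem=ONPREM_IAM, cloud=CLOUD_CIEM, known=KNOWN_TENANTS):
    """Run all three checks and return the findings as plain lists."""
    view = build_identity_view(onprem, cloud)
    return {
        "shadow_accounts": find_shadow_accounts(view),
        "dual_privileged": find_dual_privileged(view),
        "unknown_tenants": find_unknown_tenants(cloud, known),
    }


if __name__ == "__main__":
    for check, hits in governance_report().items():
        print(f"{check}: {hits}")
```

Each finding maps to a remediation owner: shadow accounts go to the identity team for provisioning or removal, dual-privileged identities to an access review, and unknown tenants to the asset inventory and procurement process. Real feeds would come from the directory and the cloud provider's entitlement APIs rather than the constructed lists above.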
Unfortunately, technologies such as zero trust networks, CIEM and IGA are expensive and time-consuming to implement. However, without them, defending an expanded data center attack surface will be challenging. That's why securing the necessary investment for these technologies should be a top priority for CIOs.
To secure funding, CIOs and data center managers must present compelling risk-management cases to justify investing in these technologies. A good starting point is to inform management that a majority of corporate security breaches are caused by employees, and that expanding company operations to the edge could further increase the risk.
Test and audit everything
IT depends on external audit firms to conduct quarterly security vulnerability tests. However, many small and mid-sized companies with limited budgets often have to pick and choose which areas to fund for these audits. This creates a risk as edge computing expands the data center, because all parts of the enterprise should be tested regularly. It is very important that CIOs push for regular testing.
Train employees in corporate security policies and practices
To address the growth of compute at the edge, many IT departments have chosen to train on-site edge users in basic IT maintenance tasks that can be performed locally, with IT providing guidance as needed. Part of para-IT user training must include security monitoring and management. IT should regularly follow up with para-IT users to ensure that security administration at the edge is thorough and consistent with corporate standards.
IT and HR should work together to ensure that all new hires receive comprehensive training on the company's security policies and practices. Additionally, a refresher on security training should be conducted at least once a year for all employees. Since employees are responsible for most security breaches, dedicating internal time to training is a simple, cost-effective risk management strategy that organizations of any size can implement.
Mary E. Shacklett is president of Transworld Data, a technology analytics, market research and consulting firm.