Securing Big Data is Like Dressing for Winter: Best Done in Layers

Once upon a time there was a company that put a Cisco firewall on their new, always-on Internet connection. With this move their security was in place, keeping their network safe from outside attacks. There’s a problem with this fairy tale - it was never true. Today it’s even less true than it was in years past.

Computer and network security in the early part of the 21st century is significantly more complex than that. Firewalls to stop unexpected inbound traffic are only a small part of the solution. Companies also need a firewall that inspects traffic coming in for malicious code riding on valid data. Internal spam and virus filtering software needs to prevent known threats that make it through from getting to employees. When something does somehow make it past all that, network monitoring must be in place watching for unexpected and unusual internal traffic. In short, today’s security model is complex and many-layered.

Security Happens at All Layers

A 2013 white paper from the SANS Institute Reading Room showed a list of 20 guidelines, fitting into 5 layers, critical for digital security. From network controls to detection and remediation, each layer has specific types of attacks it protects against.

The network controls layer is where we think of classic security, the firewall from our story is here. It isn’t alone though, dedicated intrusion detection systems and intrusion prevention systems have joined the firewall in protecting networks both at the perimeter and internally.

Anti-virus is another commonly considered layer. This is generally the most visible one, running on servers and user’s systems alike. Modern anti-virus software scans not only for signatures, but also suspicious application activity.

File verification is similar to anti-virus in that it scans for a type of signature. It is more concerned with a file’s checksum, kind of a digital fingerprint, and using that to see how widely used an application is. Behavior analysis is also similar to anti-virus in that it checks to see what a system is doing, then acts based on what is abnormal. It goes more in-depth than the heuristics often seen in anti-virus software.

All the prevention and detection in the world only goes so far. Eventually something will get through. Remediation is about finding problems and fixing them when they happen.

Shared Cloud Systems Share Vulnerabilities

Moving the server room to the cloud is essentially a given these days. While shared system security has taken great strides in recent years, it’s still not as good as security on a private system. On a high level, shared database hosting can cause big problems for companies. If the hosting provider isn’t keeping their system properly patched, then every company using the system is susceptible to breaches. It’s not all about the hosting company, though.

Imagine another company sharing your cloud database is using an application your company doesn’t. Now imagine a vulnerability is found in that application, allowing malicious attackers access to the entire database. Suddenly your data is compromised due to an application you never even used.

No system is completely secure. Sharing your cloud system with others is like getting on a commercial airliner instead of a private jet. Both may have risk, but on the airliner you add indirectly exposing yourself to the same stuff everyone else has been exposed to. On a private jet you limit your exposure.

Cloud Service and Performance Levels, On-Premise Security

At Bigstep, things are different. Every compute instance in the Bigstep Metal Cloud is a physically isolated bare metal server. You are given root access because there isn’t another company’s sub-system you could gain access to, or that could gain access to yours. Root control gives you the ability to install only what you need, and patch everything on your schedule.

The security layers aren’t ignored either. The network your bare metal system rides on is physically isolated from the other companies we serve. With no virtual switching or multi-tenancy, your traffic cannot be intercepted or injected on our Metal Cloud, which uses layer 2 broadcast domains and dedicated gateways for each client.

Even the SAN traffic is isolated to the instances subnet, using switch ports as layer 3 gateways to prevent traffic sniffing inside each subnet. The advanced security measures in place on our switches ensure no one user can impersonate another.

Beyond the server room is also covered. The data center has a 24/7 physical security presence with live CCTV monitoring. The perimeter of the site has barriers to funnel access through card-restricted, man-trap access points.

System security is becoming more important every day as exploits and breaches are announced. Bigstep takes your security seriously, and our Bigstep Metal Cloud has the best security you can get in a cloud solution. Contact us for a live demo and let us show you how we can help you secure your big data solutions today.