How to Assess Your Data Center
Discover, list, and evaluate your data center assets to understand which assets to protect first and who should have access to those assets.
To achieve a Zero Trust security model, you need to know and evaluate the assets in your data center so that you can prioritize protecting the most valuable assets first, determine who should have access to those assets, and understand the major risks to those assets. Understanding the users who access the assets, the allowed applications, and the network itself enables you to evaluate what you need and what you trust, so that you can craft a data center best practice security policy that allows only user access and applications that have legitimate business purposes on the network.
- Inventory the data center environment—Inventory the physical and virtual data center environments, including servers, routers, switches, security devices, and other network infrastructure, and inventory the data center applications (including internally developed custom applications) and service accounts.
- Assess each system based on its role in the network and its importance to the business to prioritize which portions of the physical and virtual infrastructure to protect first. For example, if your business involves credit card transactions, the servers that handle credit card transactions and the path of communication for traffic carrying credit card information are extremely valuable assets whose protection should be prioritized.
- Examine at least 90 days of traffic logs to inventory the applications on the data center network. Create a custom report based on the data center’s application database to help identify the existing data center applications. Use the data center application inventory to develop a whitelist of applications you want to sanction or tolerate on your data center network, including internally developed custom applications. Your initial application inventory doesn’t need to identify every application because by monitoring the block rules that you configure for the data center best practice security rulebase, you’ll discover the applications you haven’t identified. Focus on inventorying the applications and application types that you want to allow. When you finish developing the application whitelist, all applications that you don’t explicitly allow are denied.
  - Map the applications to business requirements. If an application doesn’t map to a business requirement, evaluate whether you should tolerate it on the network. Applications that meet no apparent business need increase the attack surface and may be part of an attacker’s tool set. Even if an unneeded application is innocent, the best practice is to remove it so that there is one less surface for an attacker to exploit. If multiple applications perform the same function, for example, file sharing or instant messaging, consider standardizing on one or two applications to reduce the attack surface.
  - If any internal custom applications don’t use the application-default port, note the ports and services required to support the custom application. Consider rewriting internal custom applications to use the application-default port.
  - Create groups for applications that require similar treatment on the network so that you apply security policy efficiently to application groups rather than to individual applications.
Application groups make designing and implementing security policy easier because you can apply policy to all of the applications in a group at one time, change policy for the entire group, add new applications to the group to apply the group’s policy to the new applications, and reuse an application group in multiple security policy rules. For example, an application group designed for data center storage applications may include applications such as crashplan, ms-ds-smb, and NFS.
- Inventory the service accounts that applications use to communicate between servers and within servers inside the data center. A best practice is to use one service account for each function instead of using one service account for multiple functions. This limits access to the service account and makes it easier to understand how the service account was used if a system is compromised. Another best practice is to identify service accounts that are hard-coded into the application so that you can write IPS signatures against them and monitor the use of the accounts.
- Characterize data center traffic—Characterize and map data center traffic to understand how data flows across your network and between users and resources. Engage a cross-functional team that includes application architects, network architects, enterprise architects, and business representatives. Characterizing the traffic flows informs you about network traffic sources and destinations, typical traffic patterns and loads, and helps you understand the traffic on your network and prioritize the most important traffic to protect. Use Application Command Center widgets, Panorama’s firewall health monitoring features, and other methods to understand the normal (baseline) traffic patterns, which helps you understand abnormal traffic patterns that may indicate an attack.
- Assess data center segmentation—Segment data center server tiers so that communication between different server tiers must pass through the next-generation firewall to be decrypted, examined, and protected by the best practice security policy, and so that communication from the user population or the internet passes through a next-generation firewall. Outside the data center, understand which zones can communicate with each data center zone, and then determine which zones should be allowed to communicate with each data center zone.
- Assess user population segmentation and determine who should have access to the data center—Map users to groups to segment the user population so that you can more easily control access to sensitive systems. For example, users in the Product Management group should not be able to access finance or human resource systems. In Active Directory (or whatever system you use), create granular groups of users based on the access level the users require for legitimate business purposes so that you can control access to systems and applications. This includes different employee groups as well as different contractor, partner, customer, and vendor groups, grouped by the level of access needed. Reduce the attack surface by creating user groups based on access requirements rather than just functionality, and grant only the appropriate level of application access to each group. Within a functional area such as Marketing or Contractors, create multiple user groups mapped to application access requirements.
- Continuously monitor the data center network—Log and Monitor Data Center Traffic to reveal gaps in the data center best practice security policy, to expose unusual traffic patterns or unexpected access attempts that may indicate an attack, and to diagnose application issues.
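As an added example (not from this page or from Palo Alto Networks), the following Python script applies the application-inventory and service-account steps above to a few constructed traffic-log lines: it builds the application inventory, flags applications that map to no business requirement or run off their application-default port, lists sanctioned applications not yet placed in an application group, and finds service accounts reused across more than one application. The field layout, application names, default ports, business-requirement map and the `svc_` naming convention are all assumptions made for the demonstration.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO
# Constructed sample lines (not real PAN-OS traffic logs). Assumed field
# layout: src_ip,dst_ip,src_user,app,dst_port
SAMPLE_LOG = """\
10.1.1.10,10.2.2.20,svc_backup,crashplan,4282
10.1.1.11,10.2.2.21,svc_backup,ms-ds-smb,445
10.1.1.12,10.2.2.22,svc_nfs,nfs,2049
10.1.1.13,10.2.2.23,svc_inv,custom-inventory,8443
10.1.1.14,10.2.2.24,alice,bittorrent,6881
10.1.1.15,10.2.2.25,svc_web,web-browsing,8080
"""

# Assumed mapping of each sanctioned app to the business requirement it serves.
BUSINESS_NEED = {"crashplan": "backup", "ms-ds-smb": "file storage", "nfs": "file storage",
                 "custom-inventory": "warehouse inventory", "web-browsing": "internal portals"}
# Assumed application-default ports and one assumed application group.
DEFAULT_PORTS = {"crashplan": {4282}, "ms-ds-smb": {445}, "nfs": {2049},
                 "custom-inventory": {443}, "web-browsing": {80, 443}}
APP_GROUPS = {"dc-storage": {"crashplan", "ms-ds-smb", "nfs"}}

def parse_log(text):
    fields = ["src", "dst", "user", "app", "dport"]
    return [dict(zip(fields, row)) for row in csv.reader(StringIO(text)) if row]

def assess(records):
    """Inventory apps, then flag apps with no business requirement, apps off
    their default port, sanctioned apps not yet in a group, and service
    accounts (assumed 'svc_' prefix) that are reused across functions."""
    inventory = Counter(r["app"] for r in records)
    no_business_need = sorted(set(inventory) - set(BUSINESS_NEED))
    off_default = sorted({(r["app"], int(r["dport"])) for r in records
                          if r["app"] in DEFAULT_PORTS
                          and int(r["dport"]) not in DEFAULT_PORTS[r["app"]]})
    grouped = set().union(*APP_GROUPS.values())
    ungrouped = sorted(a for a in inventory if a in BUSINESS_NEED and a not in grouped)
    apps_by_account = defaultdict(set)
    for r in records:
        if r["user"].startswith("svc_"):
            apps_by_account[r["user"]].add(r["app"])
    shared = {u: sorted(a) for u, a in apps_by_account.items() if len(a) > 1}
    return {"inventory": dict(inventory), "no_business_need": no_business_need,
            "off_default_port": off_default, "ungrouped": ungrouped,
            "shared_service_accounts": shared}

if __name__ == "__main__":
    for key, value in assess(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Each flagged item corresponds to a decision the steps above call for: tolerate or block the app, move the custom app to its default port, add the app to a group, or split the shared service account by function.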
A helpful method for evaluating assets is grouping assets. Identify your most valuable assets that need to be protected first, and identify the assets that you can iterate on after protecting those assets. Prioritize the order in which to protect the assets in each category. Organize assets in the way that makes the most sense for your particular business. The following table shows you some possibilities, but it’s not comprehensive. Also consider legal compliance requirements to protect data such as passwords, personal information, and financial information when prioritizing which assets to protect first.
| Most Valuable Assets | Other Valuable Assets | Remaining Assets (Iterate) |
| --- | --- | --- |
Asset priority is unique to each business. For a service company, the user experience may differentiate the business from other businesses, so the most valuable assets may be assets that ensure the best user experience. For a manufacturing company, the most valuable assets may be proprietary processes and equipment designs. Considering the consequences of losing an asset is a good way to figure out which assets to protect first.