How to Assess Your Data Center
Discover, list, and evaluate your data center assets to understand which assets to protect first and who should have access to those assets.
To achieve a Zero Trust security model, you need to know and evaluate the assets in your data center so that you can prioritize protecting the most valuable assets first, determine who should have access to those assets, and understand the major risks to those assets. Understanding the users who access the assets, the allowed applications, and the network itself enables you to evaluate what you need and what you trust, so that you can craft a data center best practice security policy that allows only user access and applications that have legitimate business purposes on the network.
- Inventory the data center environment—Inventory the physical and virtual data center environments, including servers, routers, switches, security devices, and other network infrastructure, and inventory the data center applications (including internally developed custom applications) and service accounts.
- Assess each system based on its role in the network and its importance to the business to prioritize which portions of the physical and virtual infrastructure to protect first. For example, if your business involves credit card transactions, the servers that handle credit card transactions and the path of communication for traffic carrying credit card information are extremely valuable assets whose protection should be prioritized.
- Examine at least 90 days of traffic logs to inventory the applications on the data center network. Create a custom report based on the data center’s application database to help identify the existing data center applications. Use the data center application inventory to develop a whitelist of applications you want to sanction or tolerate on your data center network, including internally developed custom applications.
  - Your initial application inventory doesn’t need to identify every application because by monitoring the block rules that you configure for the data center best practice security rulebase, you’ll discover the applications you haven’t identified. Focus on inventorying the applications and application types that you want to allow. When you finish developing the application whitelist, all applications that you don’t explicitly allow are denied.
  - Map the applications to business requirements. If an application doesn’t map to a business requirement, evaluate whether you should tolerate it on the network. Applications that meet no apparent business need increase the attack surface and may be part of an attacker’s tool set. Even if an unneeded application is innocent, the best practice is to remove it so that there is one less surface for an attacker to exploit. If multiple applications perform the same function, for example, file sharing or instant messaging, consider standardizing on one or two applications to reduce the attack surface.
  - If any internal custom applications don’t use the application-default port, note the ports and services required to support the custom application. Consider rewriting internal custom applications to use the application-default port.
  - Create groups for applications that require similar treatment on the network so that you apply security policy efficiently to application groups rather than to individual applications. Application groups make designing and implementing security policy easier because you can apply policy to all of the applications in a group at one time, change policy for the entire group, add new applications to the group to apply the group’s policy to the new applications, and reuse an application group in multiple security policy rules. For example, an application group designed for data center storage applications may include applications such as crashplan, ms-ds-smb, and NFS.
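As an added example (not code from the original page or from the vendor), the following Python script carries out the inventory step above on a few constructed traffic log lines: it lists the applications seen, checks each against a sanctioned list mapped to business requirements, reports the application group each sanctioned application belongs to, and flags an internal custom application seen on a port other than its application-default port. The key=value log format, the zone names, the acme-billing application and its ports are all assumptions made for the example.

```python
# Added example (not from the original page): inventory the applications seen
# in data center traffic logs and compare them with the sanctioned list.
# Log format, zone names, app names and ports below are constructed.
from collections import defaultdict

SAMPLE_LOGS = """\
src_zone=users dst_zone=dc-web app=web-browsing port=443 action=allow
src_zone=dc-app dst_zone=dc-storage app=ms-ds-smb port=445 action=allow
src_zone=dc-app dst_zone=dc-storage app=nfs port=2049 action=allow
src_zone=users dst_zone=dc-app app=bittorrent port=6881 action=allow
src_zone=dc-app dst_zone=dc-app app=acme-billing port=8443 action=allow
src_zone=dc-app dst_zone=dc-app app=acme-billing port=9090 action=allow
"""

# Sanctioned applications, each mapped to the business requirement it serves.
SANCTIONED = {"web-browsing": "customer portal", "ms-ds-smb": "storage",
              "nfs": "storage", "acme-billing": "billing (internal custom app)"}
# Applications that receive the same policy treatment, as a group.
APP_GROUPS = {"dc-storage-apps": {"ms-ds-smb", "nfs"}}
# Application-default port for each internal custom application (assumed).
CUSTOM_APP_DEFAULT_PORT = {"acme-billing": 8443}

def parse_log(text):
    """Parse key=value log lines into dicts, skipping blank lines."""
    return [dict(f.split("=", 1) for f in line.split())
            for line in text.splitlines() if line.strip()]

def inventory(records):
    """Map each observed app to the zone pairs and ports it was seen on."""
    apps = defaultdict(lambda: {"flows": set(), "ports": set()})
    for r in records:
        apps[r["app"]]["flows"].add((r["src_zone"], r["dst_zone"]))
        apps[r["app"]]["ports"].add(int(r["port"]))
    return dict(apps)

def review(apps):
    """Flag apps with no business mapping and custom apps off their default port."""
    group_of = {a: g for g, members in APP_GROUPS.items() for a in members}
    report = {"unsanctioned": [], "off_port": {}, "groups": {}}
    for app, info in sorted(apps.items()):
        if app not in SANCTIONED:
            report["unsanctioned"].append(app)  # denied once the whitelist is enforced
            continue
        report["groups"][app] = group_of.get(app)  # None = policy applied per app
        default = CUSTOM_APP_DEFAULT_PORT.get(app)
        bad_ports = sorted(p for p in info["ports"] if default and p != default)
        if bad_ports:
            report["off_port"][app] = bad_ports
    return report
```

Run `review(inventory(parse_log(SAMPLE_LOGS)))` to get the report; the unsanctioned list is the set of applications to map to a business requirement or deny.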
- Inventory the service accounts that applications use to communicate between servers and within servers inside the data center. A best practice is to use one service account for each function instead of using one service account for multiple functions. This limits access to the service account and makes it easier to understand how the service account was used if a system is compromised. Another best practice is to identify service accounts that are hard-coded into the application so that you can write IPS signatures against them and monitor the use of the accounts.
- Characterize data center traffic—Characterize and map data center traffic to understand how data flows across your network and between users and resources. Engage a cross-functional team that includes application architects, network architects, enterprise architects, and business representatives. Characterizing the traffic flows informs you about network traffic sources and destinations, typical traffic patterns and loads, and helps you understand the traffic on your network and prioritize the most important traffic to protect. Use Application Command Center widgets, Panorama’s firewall health monitoring features, and other methods to understand the normal (baseline) traffic patterns, which helps you understand abnormal traffic patterns that may indicate an attack.
- Assess data center segmentation—Segment data center server tiers so that communication between different server tiers must pass through the next-generation firewall to be decrypted, examined, and protected by the best practice security policy, and so that communication from the user population or the internet passes through a next-generation firewall. Outside the data center, understand which zones can communicate with each data center zone, and then determine which zones should be allowed to communicate with each data center zone.
- Assess user population segmentation and determine who should have access to the data center—Map users to groups to segment the user population so that you can more easily control access to sensitive systems. For example, users in the Product Management group should not be able to access finance or human resource systems. In Active Directory (or whatever system you use), create granular groups of users based on the access level the users require for legitimate business purposes so that you can control access to systems and applications. This includes different employee groups as well as different contractor, partner, customer, and vendor groups, grouped by the level of access needed. Reduce the attack surface by creating user groups based on access requirements rather than just functionality, and grant only the appropriate level of application access to each group. Within a functional area such as Marketing or Contractors, create multiple user groups mapped to application access requirements.
- Continuously monitor the data center network—Log and Monitor Data Center Traffic to reveal gaps in the data center best practice security policy, to expose unusual traffic patterns or unexpected access attempts that may indicate an attack, and to diagnose application issues.
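As an added example (not code from the original page or from the vendor), this Python script applies the segmentation and monitoring guidance above to constructed data: it compares one day of per-flow byte totals against a baseline window and an allowed zone-pair matrix, and reports flows whose zone pair should not communicate, flows never seen in the baseline, and flows whose volume exceeds the baseline mean by more than three standard deviations. Zone names, applications and byte counts are assumed sample values.

```python
# Added example (not from the original page): compare one day of data center
# traffic against a baseline window and an allowed zone-pair matrix.
# Zone names, apps and byte counts are constructed sample data.
from statistics import mean, pstdev

# Which zones SHOULD be allowed to talk to each data center zone (assumed).
ALLOWED_ZONE_PAIRS = {("users", "dc-web"), ("dc-web", "dc-app"),
                      ("dc-app", "dc-db"), ("dc-app", "dc-storage")}

# Baseline: bytes per day for each (src_zone, dst_zone, app) over the window.
BASELINE = {
    ("users", "dc-web", "web-browsing"): [1.0e9, 1.1e9, 0.9e9, 1.2e9, 1.0e9, 1.1e9, 1.0e9],
    ("dc-web", "dc-app", "acme-billing"): [4.0e8, 4.2e8, 3.9e8, 4.1e8, 4.0e8, 4.3e8, 4.0e8],
    ("dc-app", "dc-db", "mysql"): [2.0e8, 2.1e8, 1.9e8, 2.0e8, 2.2e8, 2.0e8, 2.1e8],
}

# Today's totals (constructed): one volume spike and two unexpected flows.
TODAY = {
    ("users", "dc-web", "web-browsing"): 1.05e9,
    ("dc-web", "dc-app", "acme-billing"): 4.1e8,
    ("dc-app", "dc-db", "mysql"): 9.0e8,        # ~4x normal: investigate bulk transfer
    ("users", "dc-db", "mysql"): 5.0e6,         # users should never reach the DB tier
    ("dc-app", "dc-storage", "ftp"): 3.0e7,     # allowed zones, but app never seen before
}

def baseline_stats(baseline):
    """Per-flow mean and population standard deviation of daily bytes."""
    return {k: (mean(v), pstdev(v)) for k, v in baseline.items()}

def find_anomalies(today, baseline, allowed_pairs, sigma=3.0):
    """Classify each flow: disallowed zone pair, never-seen flow, or volume spike."""
    stats = baseline_stats(baseline)
    findings = {}
    for key, total in today.items():
        src, dst, _ = key
        if (src, dst) not in allowed_pairs:
            findings[key] = "zone pair not allowed"
        elif key not in stats:
            findings[key] = "new flow (not in baseline)"
        else:
            avg, sd = stats[key]
            if total > avg + sigma * sd:
                findings[key] = f"volume spike ({total / avg:.1f}x baseline mean)"
    return findings
```

Each finding maps to a follow-up: a disallowed zone pair is a policy gap or an access attempt to review, a new flow is an application to add to the inventory or deny, and a spike is a candidate for incident triage.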
A helpful method for evaluating assets is grouping assets. Identify your most valuable assets that need to be protected first, and identify the assets that you can iterate on after protecting those assets. Prioritize the order in which to protect the assets in each category. Organize assets in the way that makes the most sense for your particular business. The following table shows you some possibilities, but it’s not comprehensive. Also consider legal compliance requirements to protect data such as passwords, personal information, and financial information when prioritizing which assets to protect first.
- Most Valuable Assets
- Other Valuable Assets
- Remaining Assets (Iterate)
Asset priority is unique to each business. For a service company, the user experience may differentiate the business from other businesses, so the most valuable assets may be assets that ensure the best user experience. For a manufacturing company, the most valuable assets may be proprietary processes and equipment designs. Considering the consequences of losing an asset is a good way to figure out which assets to protect first.