This one weird trick can increase your information security—Mind the (air) gap
The year is 2019. People are connecting all sorts of things to the internet. I am sort of surprised I even have to mention this but—for the most part, we are not really thinking this through.
For the last five years, I have been working with a group of companies, with whom I have worked before, to get a data center business up and running. Our team did not forget that everything is in the cloud now; we just remembered that clouds also need to be made of something: Linux servers, mostly.
While this has been ongoing, I have also watched the “Internet of Things” (IoT) go from a mere buzzword to an internet-breaking, botnet-making steamroller. Chances are, as you read this, you also have “smart” devices connected to the internet.
This is not really news. We were connecting things to the internet even before the Internet of Things became a thing and we started slapping the “smart” sticker on everything, including actual kitchen sinks. But I thought it would have been the obvious, sane choice to draw a line at critical infrastructure, or at least at things that can affect safety and life support.
I have been known to be wrong before.
Even today, some smart home thermostats depend on an internet connection to regulate the temperature within a house. I am not sure at what point the makers of these decided that depending on an internet connection to keep families warm and comfortable was an acceptable system design or an acceptable risk.
As humans, our technology has not been inherently good or bad, like Godzilla. How we have used it, though, has been questionable at best, like Godzilla movies. There are obvious ethical and privacy-related concerns with technology. But those are for other times.
This came onto my work radar when I saw service providers offering solutions such as remote Network Operations Center (NOC) facilities, which usually made me uneasy. Whenever I held responsibilities such as those of an internal auditor or subject-matter expert, my risk assessments of these kinds of scenarios almost always came out as unacceptable (and, in many cases, unnecessary to begin with) within the given context.
Coming back to the topic at hand—as part of my work setting up an internet data center, one of the well-known vendors in the industry pitched us a cloud-based DCIM as a service: a Data Center Infrastructure Management system connected to the cloud. I instinctively flinched at the mention.
Again, I maintain that there could be scenarios where this makes sense. But let us consider this one. We were building an internet data center, which would house the critical IT infrastructure of multiple clients. The DCIM would manage the whole of the facility infrastructure, including thermal, fire protection, environmental monitoring, and at least parts of the power infrastructure (e.g., UPS systems). This meant the vendor was pitching us on connecting all of the above systems, the critical infrastructure of our data center facility, to the internet. There was, of course, the promise of secure VPNs, communication security, and so on. However, they did not hold any standardized certifications (e.g., ISO 27001) at that point either. If their marketing was to be believed, multiple data centers in India were already using this or similar services.
Let that sink in for a bit. In the age of unfixable hardware vulnerabilities, critical bugs in ubiquitous software, and mass surveillance, some people who operate critical IT infrastructure are willingly adding more potential attack vectors, increasing information security operations complexity, without any standard indication of service provider security practices, because cloud.
Even setting additional factors aside, keeping a data center secure is a huge and increasingly difficult task. Throw the possibility of a bad actor gaining access to the infrastructure management system into the mix, and it almost always becomes impossible to justify the risk. This is why the infrastructure management systems of data centers (and other critical infrastructure) are usually air-gapped.
I do not know how much further I need to drive this point home. If you have, or are planning, any infrastructure that could use connectivity, assess whether that connectivity is essential. Unless it is, and even then unless the risks are understood, mitigated, and accepted, opt not to connect it to the internet. It is that simple.
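What the advice above looks like in practice, when the facility management systems have to be reachable from somewhere for operators to do their jobs, is a default-deny boundary rather than a VPN to a vendor cloud. The following nftables ruleset is an added example written for this post, not the author's configuration or anything from the DCIM vendor; the interface names, subnets, and the jump host and NTP server addresses are hypothetical. It runs on a Linux router that sits between the management VLAN (DCIM, building management, UPS and PDU controllers) and everything else, and it gives that VLAN no path to the internet uplink in either direction.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Interfaces and addresses are
# hypothetical: adjust them to the real management and office networks.

flush ruleset

define MGMT_IF   = "vlan200"        # DCIM, BMS, UPS/PDU controllers
define CORP_IF   = "vlan10"         # office / NOC network
define WAN_IF    = "eth0"           # internet uplink
define MGMT_NET  = 10.200.0.0/24
define JUMP_HOST = 10.10.5.10       # the only host allowed into the management VLAN
define NTP_SRV   = 10.10.0.123      # internal time source for the controllers

table inet mgmt_gap {
    chain forward {
        # Nothing crosses the router unless a rule below says so.
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Operators reach the DCIM web UI and SSH only from the jump host.
        iifname $CORP_IF oifname $MGMT_IF ip saddr $JUMP_HOST ip daddr $MGMT_NET tcp dport { 22, 443 } ct state new accept

        # Controllers may fetch time from the internal NTP server, nothing else.
        iifname $MGMT_IF oifname $CORP_IF ip saddr $MGMT_NET ip daddr $NTP_SRV udp dport 123 accept

        # Both of these are already dropped by the chain policy; they exist so
        # that any attempt is counted and logged instead of silently vanishing.
        iifname $MGMT_IF oifname $WAN_IF counter log prefix "mgmt-egress-denied " drop
        iifname $WAN_IF oifname $MGMT_IF counter log prefix "mgmt-ingress-denied " drop
    }
}
```

Load it with `nft -f` and check the counters on the two logging rules with `nft list ruleset` from time to time: a non-zero egress counter means some controller in the management VLAN is trying to phone home, which is exactly the kind of thing you want to find out about before a vendor's "cloud-enabled" feature finds a way around you. Note that there is deliberately no NAT table here; the management subnet is never translated onto the uplink. This is still not an air gap (an air gap is the absence of the cable), but when the systems must be reachable from an operator workstation at all, a single default-deny boundary with one well-guarded entry point is the nearest defensible approximation.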