When it comes to choosing a DCIM, security, the ability to prevent vulnerabilities and robust data segregation are a few of the most important factors. With ransomware and hacking becoming more and more prevalent, using a DCIM that employs sound security measures can mitigate some of the risks associated with implementing such a system.
How robust is the DCIM’s access control?
There are many aspects to consider here, but we’ll touch on the obvious requirements: restricting access to data (objects), and restricting access to actions.
Firstly, users should be assigned specific roles for managing different aspects within a datacenter and be provisioned the proper DCIM features accordingly. Any professional system should allow for proper segregation of data and job functions, so that access to privileged information is only granted to an authorized user. Furthermore, the configuration of such a system should be granular. DCIM administrators should not only be able to grant access to certain sets of assets in the datacenter, but should also be able to configure rules that manage access to entire rooms, or even single ports on a datacenter asset.
In addition, a robust access control system shouldn’t only control who has access to what, but also who has access to features and operations within the DCIM. For environments where security is a top priority, being able to dictate who can manage the data is highly important. The ability to ensure that only authorized users can access and make changes to the datacenter, while preventing unauthorized actions, should be included in any acceptable DCIM offering.
Does the DCIM store log information on user activity?
Some of the biggest threats can come from within an organization.
A disgruntled employee might decide that they want to sabotage the production network. There needs to be a way of tracking this kind of activity. Besides legal and business requirements, in some instances audit logs are needed to see who accessed what system in case there was a security breach. A robust DCIM would allow for adequate retention of audit data, such as user logins and a record of changes. Activity monitoring should be part of any DCIM, especially for roles that provide privileged access to sensitive information.
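The two requirements above, object-level and action-level access control over the room/asset/port hierarchy and an audit trail of who did what, can be illustrated together. The following is an added example, not code from the article or from any DCIM vendor; the role names, resource paths and actions are constructed for illustration.

```python
# Added example (not the article's or any vendor's code): a minimal
# default-deny authorization check over a DCIM object hierarchy
# (room > asset > port) with action-level permissions, plus an audit
# record of every decision. All names and sample data are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone


# Resource paths mirror the DCIM hierarchy: "room/asset/port".
# A grant on a prefix applies to everything nested beneath it.
@dataclass(frozen=True)
class Grant:
    scope: str           # e.g. "dc1/rack07" or "dc1/rack07/pdu-a/outlet-3"
    actions: frozenset   # e.g. {"view", "edit", "power"}


# Constructed roles: a read-only viewer for the whole room, an admin for
# one rack, and a technician limited to a single PDU outlet (port level).
ROLES = {
    "viewer":     [Grant("dc1", frozenset({"view"}))],
    "rack-admin": [Grant("dc1/rack07", frozenset({"view", "edit", "power"}))],
    "port-tech":  [Grant("dc1/rack07/pdu-a/outlet-3", frozenset({"view", "power"}))],
}


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, action, resource, allowed):
        # Denied attempts are logged too: they are the interesting ones
        # when investigating a suspected insider.
        self.entries.append({"ts": datetime.now(timezone.utc).isoformat(),
                             "user": user, "action": action,
                             "resource": resource, "allowed": allowed})


def _covers(scope: str, resource: str) -> bool:
    # Match the scope itself or a strictly nested path; the "/" guard
    # keeps "dc1/rack07" from accidentally covering "dc1/rack070".
    return resource == scope or resource.startswith(scope + "/")


def is_allowed(user_roles, action, resource) -> bool:
    # Default deny: only an explicit grant covering this resource AND this
    # action permits the operation; unknown roles grant nothing.
    return any(_covers(g.scope, resource) and action in g.actions
               for role in user_roles for g in ROLES.get(role, ()))


def authorize(user, user_roles, action, resource, audit: AuditLog) -> bool:
    allowed = is_allowed(user_roles, action, resource)
    audit.record(user, action, resource, allowed)
    return allowed
```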
How does the DCIM keep data confidential?
When it comes to data encryption, you might think that the temperature reading of a server is mundane information, but what about the type of devices used, or the users within the system? The more information an attacker knows, the easier it is for them to target a particular system or network. Data encryption should, therefore, be an integral part of any DCIM. In addition, data transmission between various nodes and systems should use industry standard encryption wherever possible.
Does the vendor use security best practices in their software development?
During the software development lifecycle, there are phases where the development should follow industry certifications. If the DCIM uses a web application or web client, does it follow the Open Web Application Security Project (OWASP) guidelines? OWASP is a vendor-neutral organization whose mandate includes improving software security.
The following are some of OWASP’s best practices to help develop more secure web applications:
- Development of the DCIM should be built around the Confidentiality, Integrity and Availability (CIA Matrix) of the information.
- The software development should be compliant with industry regulatory requirements, such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA), and should follow proper data classification.
- The DCIM should include options for recovery in case of hardware failures or catastrophic events. This recovery can be achieved by data redundancy with failover spanning different sites, while keeping data transmission secure throughout.
Is the vendor obliged in writing to notify the client of a breach or of known vulnerabilities within their software?
Despite the precautions taken to secure software, there can never be a 100% security guarantee. That is why a good DCIM vendor would advise its clients of any security issues or breaches as soon as they are discovered within their software. Unfortunately, depending on contract negotiations, this is not always a requirement on the part of the vendor. To make sure that your organization is covered, the vendor should provide something in writing that obliges them to disclose this information to the client.