Net Access Blog

Seeing is Believing!  Check Out Our New Data Center Tour Video Series

Posted by Gene Rogers on Nov 9, 2015 9:20:15 PM

A live tour is the best way to experience all the unique attributes of our data centers first-hand. But we fully realize that sometimes that’s not possible, so we have created 5 short videos that allow you to virtually “go inside” our centers and see for yourself what makes Net Access so special. Click below to go to our new video page, where you can choose from short two-minute videos about High Density Colocation, Disaster Recovery Seating, Data Center Power Systems, Data Center Cooling Systems, and Physical Security.


Topics: data center power density, disaster recovery seating, security, data center cooling,

Key Questions to Ask When Evaluating a Data Center's Security Policies

Posted by Rob Stevenson on Jun 11, 2015 11:25:58 AM

As I mentioned in my last blog post, today’s data center has become a key strategic asset for most companies, yet physical security often takes a back seat to IT security when companies are selecting a facility. When evaluating data center solutions, asking the right questions is of paramount importance for future-proofing your investment. When touring a prospective data center, here are some key physical security questions that you should ask:

 

EXTERIOR SECURITY:

  • What kind of perimeter protection does the facility provide, and are there any natural or structural physical barriers incorporated into the design?
  • Is there a perimeter fence and/or access control gates restricting vehicle and pedestrian traffic?
    • Are these items K-rated? The K rating comes from the U.S. Department of State (DOS) vehicle barrier standard: the number indicates the speed at which a 15,000 lb (6,800 kg) test vehicle striking the barrier head-on (perpendicular to it) was successfully stopped.
      • K12 = 50 mph (80 kph)
      • K8 = 40 mph (65 kph)
      • K4 = 30 mph (48 kph)
  • Is there sufficient exterior security camera coverage?
  • Is there adequate exterior lighting at night?

FACILITY ACCESS:

  • How many points of entry/exit are there for customers and visitors? When customers and visitors enter and exit through a single point it significantly reduces the chance of a security breach.
  • Are the building entry points single-factor or multi-factor? Entry to the building should require more than one factor, for example a keycard or PIN combined with a biometric such as a fingerprint. A card swipe on its own is easily defeated: a keycard dropped in the parking lot (or anywhere else) can be picked up and used for entry by whoever finds it. A fingerprint reader on its own is likewise a single factor (something you are); it is the combination of factors that makes an entry point hard to defeat.

INTERIOR SECURITY:

  • How is the interior of the building protected?
  • What types of security systems are being used to monitor video and entry access alarms?
  • Are security personnel onsite 24x7x365? If not, what are the hours that security personnel are present, and are they in-house staff or contracted from a third-party vendor?
  • Is there an adequate number of surveillance cameras monitoring the critical areas?
  • What type of alarms are being monitored (forced entry, door held open, etc)?
  • Do you have the ability to request video footage and/or an investigation of an event?

SECURITY RECORD RETENTION/COMPLIANCE:

  • What is the retention period for video footage and keycard swipe records? I would strongly recommend having access to these items for a minimum of 30 days, since an investigation often starts well after the event it concerns and you will most likely need them at some point.
  • What types of data center compliance measures are in place to ensure that industry best practices and standards are being met? Some of the common compliance audits include the Payment Card Industry (PCI) Data Security Standard (DSS), the Statements on Standards for Attestation Engagements (SSAE 16, the basis for SOC 1 reports) and the Health Insurance Portability and Accountability Act (HIPAA).

EMERGENCY EVENTS:

  • What measures are in place to respond to emergency events?
  • Do proper policies and procedures exist to mitigate any potential damage?
  • Is there a sufficient fire monitoring system in place?
  • What type of fire suppression system is being used and who is the monitoring company?
  • Are there any first-aid kits or automated external defibrillators (AEDs) onsite, and is the staff required to know how to use these items?
  • What kind of security related training or certifications exist?

 

Rob Stevenson has been with Net Access for over 6 years and currently manages the Security department. He previously served 4 years in the U.S. Air Force as a Security Forces member.


Topics: security

Don't Take Data Center Security for Granted!

Posted by Rob Stevenson on Jun 1, 2015 3:33:13 PM

I think it’s imperative that today’s data centers provide an adequate layer of physical security and incorporate it into their facility design and architecture. Customers have a lot of time and money invested in the assets they store within their data centers. In return they are entrusting their colocation partner to provide the security protection necessary to keep those assets safe.

At times physical security has a tendency to take a back seat to IT security when companies are selecting a data center. Customers focus on the obvious requirements, such as network infrastructure, redundancy, power and cooling, but they often fail to realize the importance of physically supporting and securing their assets. It goes back to the old saying, “you are only as strong as your weakest link,” and I think that holds true in this industry. Why invest so heavily in IT if someone can just walk into a building, talk their way into your environment and obtain physical access to all of the data stored in your cabinet? An optimal data center provider should be able to offer a well-balanced IT and physical security solution for their customers.


A typical data center needs to incorporate entry access control (software/readers/ACU panels/hardware), video surveillance capability (cameras/software/licensing), and visitor management controls (software/badge solutions) into its overall security plan. All of these items only allow a data center to meet the most basic customer requests, such as reviewing camera footage, entry access alarms and transaction logs, and efficiently tracking visits. Add in the cost of full-time security personnel and a few advanced measures like an anti-tailgating security portal or perimeter site protection, and it’s easy to see how annual operating costs can reach hundreds of thousands of dollars.

But as you know, the security industry as a whole has changed drastically over the past decade due to increased threats, and data center security has evolved over that period as well. You are starting to see companies invest in advanced biometric systems such as face scanners and iris readers that add an additional layer of protection to the most critical areas. Anti-passback rules (a credential that has badged in cannot badge in again until it has badged out) combined with single-person security portals ensure that each and every individual is authenticated when passing through biometric access points, rather than following someone else through. And data centers are increasingly investing in perimeter protection such as fencing and access control gates that regulate vehicular and pedestrian traffic onsite. The ability to identify authorized personnel and deny access to unauthorized individuals before they ever set foot on company property is a huge advantage and helps to limit your liability from a security perspective.

 



Topics: security

Security: Heartbleed, Net Access and How It Can Affect You

Posted by Net Access on Apr 24, 2014 10:57:00 AM

So What Is Heartbleed Really?

It’s all over the news that there is a major security flaw affecting a large part of the Internet, potentially exposing anyone who has transmitted private data over an affected connection.

The root cause is a bug in OpenSSL, a widely used open-source library that implements the SSL/TLS protocols used to encrypt sessions between a client application (web browser, email client, etc.) and a server application (web server, mail server, etc.). The bug (CVE-2014-0160) was introduced about two years before its disclosure, in the code that handles the TLS heartbeat extension. A heartbeat request carries a small payload and a declared payload length, and the peer echoes the payload back to show the session is still alive. Vulnerable versions never checked the declared length against the amount of data actually received, so a request that claims a 64 KB payload but sends only a few bytes is answered with up to 64 KB of whatever happened to be in the process's memory next to the request. That memory can contain the server's private key, session cookies, usernames and passwords, and other plaintext that was in flight. This is a read of server memory, not a hijack of the live session: nothing has to be spoofed or intercepted, the attacker simply connects and asks, and the request leaves no trace in ordinary server logs.

Technically Speaking...

The Heartbleed write-up mentions Apache and nginx as the most notable web servers built on OpenSSL, and Netcraft's April 2014 Web Server Survey puts their combined share of active sites at over 66%. The good news is that not all of these servers run an HTTPS service, and not all of those run a vulnerable OpenSSL with heartbeats enabled. Netcraft estimated that just over 15% of SSL sites were running the heartbeat extension, accounting for around half a million certificates issued by trusted certificate authorities. Because the private keys behind those certificates may have been read out of memory, the certificates themselves are open to abuse: an attacker holding a leaked key can impersonate the affected website without raising any browser warning, which is why an affected site needs a new key and a reissued certificate, not just a patch.

For those of you on Microsoft platforms, only a small percentage of IIS web servers appeared to support the TLS heartbeat extension (IIS uses Microsoft's own SChannel library, not OpenSSL); those that did are more likely to be Linux machines running OpenSSL as reverse-proxy front ends to Windows servers.

Support for heartbeats was added to OpenSSL 1.0.1 (released in March 2012) by Robin Seggelmann, who also co-authored the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension RFC (RFC 6520). The new code was committed to OpenSSL's git repository just before midnight on New Year's Eve 2011.

OpenSSL's security advisory states that only the 1.0.1 and 1.0.2-beta branches are affected: 1.0.1 through 1.0.1f inclusive, and 1.0.2-beta1. The older 1.0.0 and 0.9.8 branches never contained the heartbeat code and are not vulnerable. The fix is in OpenSSL 1.0.1g; after upgrading, restart (or reboot) every service that links the library, since a running process keeps the old copy loaded. Users who are unable to upgrade immediately can disable heartbeat support by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.
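As an added example (not code from this post, and not OpenSSL's own source), the following C program models the heartbeat-handling logic before and after the 1.0.1g fix. The function and variable names (heartbeat_vulnerable, heartbeat_fixed, ARENA) are this example's own, and the ARENA bytes are a constructed sample standing in for a received record plus the memory that happens to sit beside it; they are not real key material. Compile with any C99 compiler and run it: the vulnerable path answers a forged 24-byte request with 40 bytes that were never part of the record, while the fixed path rejects the same forged request and still answers an honest one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
#define HB_MAX_RESPONSE  (1 + 2 + 0xFFFF + HB_PADDING)

/* Constructed sample, not captured traffic: a 24-byte heartbeat request as
 * the TLS layer actually received it, followed by 40 bytes that merely sit
 * next to it in memory (stand-in for cookies or key material on the heap). */
static const uint8_t ARENA[] = {
    0x01, 0x00, 0x05, 'h','e','l','l','o',            /* type, length=5, payload */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,                   /* 16 bytes of padding */
    'S','E','S','S','I','O','N','I','D','=','a','b','c','1','2','3',
    ';',' ','B','E','G','I','N',' ','R','S','A',' ','P','R','I','V',
    'A','T','E',' ','K','E','Y',' '
};
#define RECORD_LEN   24                      /* bytes the peer really sent */
#define ADJACENT_LEN (sizeof(ARENA) - RECORD_LEN)

/* Shared tail of both handlers: response type, echoed length, echoed payload,
 * padding. The memcpy() reads `payload` bytes from wherever `pl` points, so
 * everything depends on whether the caller validated `payload` first. */
static int build_response(const uint8_t *pl, uint16_t payload,
                          uint8_t *out, size_t out_cap)
{
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);                /* s2n() */
    out[2] = (uint8_t)payload;
    memcpy(out + 3, pl, payload);
    memset(out + 3 + payload, 0, HB_PADDING);        /* real code uses random padding */
    return (int)resp_len;
}

/* Model of tls1_process_heartbeat() before 1.0.1g: the peer-supplied length
 * is never compared with rec_len, so the copy runs past the end of the
 * record. `rec` must point into a larger buffer (ARENA) so the over-read
 * stays inside memory this program owns; a real server reads the heap. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                   /* the bug: never consulted */
    uint8_t hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);  /* n2s(): peer-controlled */
    if (hbtype != TLS1_HB_REQUEST) return -1;
    return build_response(rec + 3, payload, out, out_cap);
}

/* Same handler with the two length checks the 1.0.1g fix added. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (1 + 2 + HB_PADDING > rec_len) return -1;     /* too short to be a heartbeat */
    uint8_t hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;  /* must fit what arrived */
    if (hbtype != TLS1_HB_REQUEST) return -1;
    return build_response(rec + 3, payload, out, out_cap);
}

/* Forge the sample: same 24-byte record, but claim a 61-byte payload,
 * i.e. everything from the payload to the end of the arena. */
static void forge(uint8_t *mem)
{
    memcpy(mem, ARENA, sizeof(ARENA));
    mem[1] = 0x00;
    mem[2] = 0x3D;                                   /* 61 == sizeof(ARENA) - 3 */
}

/* Vulnerable path on the forged record. Copies into `leaked` every response
 * byte that came from beyond the real record and returns how many there were. */
static size_t vulnerable_leak(uint8_t *leaked, size_t cap)
{
    uint8_t mem[sizeof(ARENA)], out[HB_MAX_RESPONSE];
    forge(mem);
    if (heartbeat_vulnerable(mem, RECORD_LEN, out, sizeof(out)) < 0) return 0;
    size_t legit = RECORD_LEN - 3;                   /* payload bytes that really arrived */
    size_t payload = (size_t)((out[1] << 8) | out[2]);
    size_t leak = payload > legit ? payload - legit : 0;
    if (leak > cap) leak = cap;
    memcpy(leaked, out + 3 + legit, leak);
    return leak;
}

/* Fixed path on the same forged record: expected to return -1. */
static int fixed_rejects_forged(void)
{
    uint8_t mem[sizeof(ARENA)], out[HB_MAX_RESPONSE];
    forge(mem);
    return heartbeat_fixed(mem, RECORD_LEN, out, sizeof(out));
}

/* Fixed path on the honest record: returns the 24-byte response length and
 * copies the five echoed payload bytes into `echo`. */
static int fixed_accepts_honest(uint8_t *echo)
{
    uint8_t out[HB_MAX_RESPONSE];
    int n = heartbeat_fixed(ARENA, RECORD_LEN, out, sizeof(out));
    if (n > 0) memcpy(echo, out + 3, 5);
    return n;
}

int main(void)
{
    uint8_t leaked[ADJACENT_LEN + 1] = {0}, echo[6] = {0};
    size_t n = vulnerable_leak(leaked, ADJACENT_LEN);
    printf("vulnerable: echoed %zu bytes from beyond the record: \"%s\"\n", n, leaked);
    printf("fixed, forged record: %d (rejected)\n", fixed_rejects_forged());
    printf("fixed, honest record: %d bytes, payload \"%s\"\n",
           fixed_accepts_honest(echo), echo);
    return 0;
}
```

The second check in heartbeat_fixed is the one that matters: a 16-bit length field lets the peer claim up to 65,535 bytes, and only comparing that claim against the record length actually received stops the copy at the data the peer really sent.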

In all actuality how serious is the risk to me?

Like all security scenarios it really comes down to how big the target is (as in the Target credit card breach). For an end user who regularly accesses high-profile sites for transactions or social networking, the concern is greater: attackers focus on assets with high traffic volume, which raises the odds of pulling useful data out of server memory for later misuse, especially as many Internet users reuse the same username and password across a large proportion of their accounts. Bear in mind, though, that Heartbleed is cheap to exploit at scale, so smaller sites should not assume they were ignored.

The same Netcraft survey, which looked at nearly 959,000,000 websites, found 66% of active sites running Apache or nginx, the web servers most commonly built on OpenSSL; that figure does not include email services, chat services, and the wide variety of apps on every platform that also link OpenSSL.

For a business, if you run any Internet-accessible server or service (web, email, transaction processing, VPN) that uses a vulnerable OpenSSL, you are at risk of exposing your users' credentials and session data, and your server's private key, to anyone on the Internet.

Should I change my password?

This is a simple answer - YES, but timing matters.

Changing a password on a site that has not yet patched does no good, because the new password can be read out of server memory just like the old one. Wait until the site confirms it has applied the fix (and ideally reissued its certificate), then change it. Also, remember to use good password practices that combine case, numbers and symbols to create a complex passcode that is much harder to crack if a password hash ever leaks. Note that complexity does nothing against Heartbleed itself, which exposes whatever plaintext was in the server's memory.

To help you remember your passcode create a passphrase or rhyme that uses the first letters of each word, numbers and symbols such as:

     ! I walk my kids to school @ 830 Every day = !Iwmkts@830ED

Unfortunately not all websites accept symbols in passwords; however, I expect this will become more common in the very near future.

So, we operate servers that use OpenSSL what should we do ?

Apply the OpenSSL update as soon as it is available and restart every service that links the library. Because the server's private key may have been read out of memory, generate a new key pair, have the certificate reissued and the old one revoked, and invalidate existing sessions and cookies. Only then notify your end users and clients to change their passwords, since a password changed before the patch is just as exposed as the old one. To enhance security, implement passcode-type practices, allow symbols and the like within the system, and for internal purposes consider strong authentication using token-based solutions from companies like RSA.

What is Net Access doing about this ?

Net Access has a culture of operating highly secure infrastructure, systems and secure managed services. Our security team is constantly assessing all our platforms on an ongoing basis. We are proud to say that all systems are go, the customer portal was never at risk and we do not anticipate any adverse effects due to the 'Heartbleed' crisis.

We are also working with vendors and partners to ensure any systems we interface with are also secured.


Topics: heartbleed, ssl, security, ddos, heart beat, heart bleed, net access, risk, RSA