Gregory Machler offers advice on secure ways to protect applications in the event of a datacenter relocation

You’re a security officer in your corporation and you’ve been informed your company is moving a datacenter from California to Chicago, Illinois. The applications generate over 50 million in revenue yearly. What advice do you follow and where do you start?

First, you determine the architectural style of the applications. Then you investigate the age of the tools used to build the applications. If the applications have a web interface, you deploy tools to protect them from attack while making the applications more secure. Then upgrade the infrastructure components. Update the change and configuration management processes. Scan and correct the application’s web errors. Lastly, modify the application so that it supports the latest security tools that integrate with the application, such as Active Directory for authorization.

Some of the applications may be old and use a client-server or single-tier web application design. Due to their age and architecture, they lack many of the improvements made in application and infrastructure security over the last few years. The company kept their IT expenditures at a minimum to grow the business. Now, they’ve been purchased and their applications are tired.

Those same applications may be maintained and modified with old application tools. The language and tools used to create the application may no longer be supported by the tool vendor. Proper source code control and the promotion of software through development, test, and production environments may also be lacking. It is important to update development tools to vendor-supported levels while maintaining the design. This port of the application to new tools can occur before starting the infrastructure migration.
Since the bar for web application security keeps rising over time, mitigate internet risks by deploying a web-based URL whitelisting tool. It tracks all URLs that are used properly over a period of a couple of weeks and makes a whitelist of them. Future attacks that attempt to move to URLs that are not in the whitelist will have the session dropped. This URL whitelisting protects web-based applications and gives a company time to mitigate application weaknesses.

Initially, the application is moved with the following security process and infrastructure changes:

1. New or updated change and incident management processes are followed.
2. New or updated configuration management tools are used to track configuration changes. This enables application roll-back if errors are difficult to resolve.
3. New IP addresses and DNS entries are created for the new virtual and physical servers.
4. Load balancers are configured to use a pool of servers to address web-based traffic.
5. Various firewalls are configured to protect both the DMZ web servers and application data.
6. The databases are tuned and scaled for traffic demands.
7. The data in the storage subsystem is replicated to another subsystem in the new datacenter.

The second phase of mitigations addresses information security weaknesses at the application level. It assumes that the new datacenter has Active Directory or LDAP (Lightweight Directory Access Protocol) services, a remote monitoring tool, a HIDS (Host Intrusion Detection System) tool, an operating system upgrade tool, a logging tool, a web scanning tool and firewalls. These security tools will likely be in the datacenter after the first migration occurs, because all the tools will likely be used for all future migrations. The second phase covers:

1. Correcting application errors found with web scanning and code scanning tools
2. Authentication and authorization weaknesses
3. Remote monitoring of servers, network and storage equipment
4. HIDS implementation on the servers
5. Operating system upgrades
6. Logging of application, user, and administrative operations
7. Deploying firewalls in zones to protect data and applications effectively

In summary, systematically and carefully protect the application with URL whitelisting where relevant. Then upgrade the infrastructure, application tools, and processes. Then correct the application errors found with web and code scans. Integrate the application with authentication and authorization, remote monitoring, HIDS, and auditing/logging tools. Lastly, protect the applications’ data using a “Deep Theater Defense” firewall configuration.

Gregory Machler is an information security architect and cloud security expert and a frequent contributor to CSOonline.
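The URL whitelisting behaviour the article describes (learn the URLs in normal use over a period, then drop any session that requests something else) can be sketched as follows. This is an added example, not code from the article or from any product; the class and function names, the `min_hits` threshold, and the rule of learning only from successfully served requests are assumptions chosen so that a stray probe during the learning window does not end up in the whitelist.

```python
import posixpath
from collections import Counter
from urllib.parse import unquote

def normalize(url):
    """Canonical path: query removed, percent-decoded, dot segments resolved."""
    path = unquote(url.split("?", 1)[0]) or "/"
    norm = posixpath.normpath(path)
    if norm.startswith("//"):            # normpath preserves a leading double slash
        norm = "/" + norm.lstrip("/")
    return norm

class UrlAllowlist:
    def __init__(self, min_hits=3):
        self.min_hits = min_hits         # assumption: rarely seen paths are not trusted
        self.seen = Counter()
        self.allowed = None              # None while still in the learning window
        self.dropped = set()             # session ids terminated during enforcement

    def observe(self, url, status):
        """Learning phase: count only requests the application served successfully."""
        if self.allowed is None and 200 <= status < 400:
            self.seen[normalize(url)] += 1

    def freeze(self):
        """End of the learning window: build the whitelist and start enforcing."""
        self.allowed = {p for p, n in self.seen.items() if n >= self.min_hits}
        return self.allowed

    def permit(self, session_id, url):
        """Enforcement: the first URL outside the whitelist drops the session."""
        if self.allowed is None:
            raise RuntimeError("still learning; call freeze() first")
        if session_id in self.dropped:
            return False
        if normalize(url) not in self.allowed:
            self.dropped.add(session_id)
            return False
        return True

def demo():
    wl = UrlAllowlist(min_hits=3)
    # Constructed learning traffic: (request URL, response status)
    traffic = [("/login", 200), ("/orders?id=7", 200), ("/orders?id=9", 200)] * 3
    traffic += [("/admin/backup.zip", 404), ("/debug", 200)]  # failed probe, one-off hit
    for url, status in traffic:
        wl.observe(url, status)
    wl.freeze()
    return wl
```

Normalizing before both learning and lookup matters: without it, an encoded path such as `/orders/%2e%2e/admin` would be compared as a literal string rather than as the `/admin` path the server would actually resolve.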