This article concludes the series highlighting the three areas of focus in the 2021 revision of the FFIEC IT Examination Handbook titled “Architecture, Infrastructure, and Operations.” This guide was published in part to replace the prior “Operations Management” document, released in 2004, to address the changes that have occurred inside the data center with continuously evolving and emerging technologies, changes in business strategies designed to leverage the new technologies, and changes in the threat landscape, with more sophisticated cyber-attacks and rising ransom demands.
In part one, we opened the series with a high-level view of “Operations” in the data center, defined as “the performance of activities comprising methods, principles, processes, and services that support the business function.”
In part two, we took a deeper dive into the significance of “Architecture” in the design of the data center, defined as “the manner in which the strategic design of the hardware and software infrastructure components (e.g., devices, systems, and networks) are organized and integrated to achieve and support the entity’s business objectives. Planning and designing an effective IT architecture facilitate management’s ability to implement infrastructure that aligns with the entity’s strategic goals and business objectives.”
Now in part three, we will address the “Infrastructure” within the data center that seeks to bridge or connect the “Architecture” with the “Operations.” The FFIEC handbook defines Infrastructure as “the physical elements, products, and services necessary to provide and maintain ongoing operations to support business activity and includes the maintenance of physical facilities.”
As we conclude this series on the daily care and feeding of the data center, we will attempt to bring these three perspectives together to demonstrate how they complement each other.
Comparing the functions of a data center to a finely tuned orchestra
To provide a visualization throughout this series, we have been comparing the relationship of the three data center elements to an orchestra. If we consider the infrastructure to be the instruments and operations to be the musicians who play them, we can view the architecture, or design, as the conductor.
An effective conductor assembles the appropriate instruments (infrastructure) and skilled musicians (operations), guiding them in the execution at precisely the right time according to the desired musical score. Every detail is defined with focused attention to the intended design. The same is true inside today’s increasingly complex and integrated data center.
- Infrastructure = Instruments
- Operations = Musicians
- Architecture = Conductor
Management oversight and responsibilities
It is the responsibility of the board and senior management to oversee the planning and implementation of an IT infrastructure that is aligned with the objectives of confidentiality, integrity, and availability, and not only complements but enables the execution of the business plan in the pursuit of the organization’s goals and objectives.
To accomplish this, management should develop, document, and implement control policies relative to the infrastructure in a manner that moves toward the desired security posture, including both redundancy and resilience for physical infrastructure as well as related products, services, and communications.
As defined above, “infrastructure” involves all physical components, products, and services necessary to provide and support daily business activity, including regular system maintenance. These physical components include:
- Network Hardware (physical equipment)
- Telecommunications (both data and voice)
- Network Software (internal and cloud-based)
- Environmental Controls (power, HVAC, and fire/smoke)
- Physical Access Controls
The selection of infrastructure components should seek to minimize dependency on any single component (single point of failure) through redundant strategies in all categories (hardware, software, network communications, etc.). The data center may be managed internally, outsourced to a third-party service provider (colocation, cloud, etc.), or run as a hybrid of both.
Hardware
The FFIEC IT handbook defines hardware as “the physical components of an information system.” Hardware components are often the target of bad actors in cyber attacks and must be inventoried and tracked as part of the overall security strategy. Maintaining an accurate and comprehensive IT asset inventory is a crucial element in maintaining the security posture within the data center.
Advanced IT asset discovery tools are available to assist security operations staff in identifying and remediating potentially vulnerable hardware components. This is an area where the use of automation and centralized solutions can benefit teams, allowing them to focus on prioritized tasks.
Software
Software is required for most hardware devices to function in the data center. The FFIEC IT handbook defines software as “computer programs—which are stored in and executed by computer hardware—and associated data—also stored in the hardware—that may be dynamically created or modified during execution.”
The architecture design strategy will in part determine the types of software needed to achieve the organization’s IT strategic objectives. Like the selection of hardware components that make up the infrastructure within the data center, the selection of software must involve consideration for confidentiality, integrity, and availability at the top level, while addressing the need for scalability, interoperability, and portability.
IT management and security operations teams must follow the same diligent activities to identify and remediate software that has been installed throughout the data center network to ensure the desired security posture.
Network hardware components
At a high level, hardware that comprises the infrastructure in the data center can be grouped as “Network” or “Telecommunications,” which includes both data and voice. The network infrastructure includes components such as hubs and switches, routers, firewalls, servers, storage area network appliances, etc. Network components are designed to securely transmit, process, and store data within the organization and with authorized external parties.
Hardware components introduced or installed on the network should contain an approved and test-validated baseline security (hardened) configuration to minimize the risk of weakening overall security. Once installed, all hardware should be monitored for abnormal activity, as well as maintained with proper patch management and change management processes.
Additional controls include changing all default device passwords, disabling all unnecessary ports and services, as well as documenting and monitoring all user access permissions (especially elevated users).
Network telecommunications: data
The network telecommunications infrastructure provides connectivity to internal and external IT resources in support of ongoing business operations. The telecommunications infrastructure components are shared by both data and voice packet transmission with the appropriate hardware and software devices to route them to the desired destination. The design of network telecommunications should consider the desired level of security, integrity, and availability of the data that is transmitted, as well as capacity, latency, and connectivity objectives that support ongoing business activities.
Like network hardware components, telecommunications should be designed and built for resilience. Partial or full disruption of communications can have a significant impact on all business units across the organization. The infrastructure should be documented to a level that enables prompt and effective troubleshooting and restoration when disruptive incidents occur. Single points of failure within a device, within a system, within a data center, and across the network should be identified and assessed for proper business impact analysis.
Additional information is provided by the FFIEC in the IT Examination Handbook on Business Continuity Management.
Network telecommunications: voice
Like data communications, voice communications are critical to enabling the organization to perform key business functions, especially in the area of client services and support. Integration with technology service providers for communications with key vendors and the public at large introduces an additional layer of risk relative to confidentiality, integrity, and availability.
The necessary skills and experience of talent resources should be part of the overall data center operations strategy that supports resilient voice communications for optimal user experience.
Network software components
Like network hardware components, the FFIEC IT Examination Handbook categorizes software used in data center operations to enhance understanding of the associated risks and interoperability requirements to address confidentiality, integrity, availability, and resilience. Software can be developed internally, purchased off the shelf (COTS – commercial-off-the-shelf), or purchased as a customized solution.
For organizations with the skills and resources to write their own code, the FFIEC has published the IT Examination Handbook “Development, Acquisition, and Maintenance” to address the threats and associated risks along with guidelines for adhering to best practices.
Purchase of externally developed software should follow appropriate and approved acquisition and due diligence efforts prior to introducing it to the data center infrastructure. In addition, appropriate support agreements and product warranties should align with the level of criticality (RTO/RPO) for the business activities that rely on the software for ongoing operations.
In addition to categories, the IT Examination Handbook groups network software into the following types:
- OS (Operating System) Software
- Core Processing Software
- Productivity Software
- Enterprise Software
- Security Software
These types are provided to assist organizations in determining appropriate security controls required for each based on the impact to operations and proximity to sensitive data in the event of unauthorized access.
Software hosting
Once the type of software required is determined, options exist for where the software will reside. The traditional internally hosted (on-premises) environment brings with it certain controls; however, it also often requires internal skills and resources for maintenance and support, not to mention the continually evolving technology requirements necessary for operating the software.
As such, more organizations are turning to externally hosted, cloud-based solutions (SaaS). While this does provide a certain level of futureproofing and transfer of risk for availability and resilience, capacity and reliance on telecommunications across the organization are heightened. The jump from internally hosted to externally hosted software solutions usually takes place over a period of time, with a hybrid approach.
Environmental controls
This group of controls seeks to address the need for managing the environment within the data center by providing a description and recommendations for securing the applicable controls in the data center. The FFIEC IT Examination Handbook defines this as “the mitigating strategies designed to detect and prevent against natural, mechanical, and man-made risks and threats to the organization’s buildings and facilities and the affected personnel and infrastructure within them.”
Common environmental controls include HVAC for proper heating and cooling as well as humidity control, fire/smoke detection and suppression, water, and a clean, reliable source of power. Once installed, environmental controls must be maintained and monitored regularly for capacity, reliability, and sustainability.
Physical access controls
The section concludes with a list of several physical access controls targeting the data center and the hardware, software, and telecommunications that make up the network infrastructure.
These include appropriate policies and procedures for managing physical access, identification of authorized personnel, a process for logging ingress and egress of escorted “guests” in the data center, physical intrusion alarms and surveillance, as well as review of controls, authorized personnel lists, and visitor logs. These controls must address contingencies and workarounds for disruptive events such as power interruptions and severe weather incidents.
Start reviewing today
As you can see, the FFIEC IT Examination Handbook on “Architecture, Infrastructure, and Operations” is a timely document to address the changing data center environment. After review, it indeed accomplishes the goal of demonstrating the relationship between the three perspectives as organizations seek to design, build, and manage the technology layer of the business model in today’s 24/7 marketplace, addressing the need to mitigate risk in the current and evolving threat landscape.
Source: FFIEC IT Examination Handbook
I hope that you have found the articles in this series informative and insightful. Moreover, I hope that if you’ve not yet done so, you will review this handbook and accompanying FFIEC IT publications to share the knowledge gained with your coworkers and leadership team. As we launch the new year, I encourage you to identify the steps you will take to enhance the security posture of your data center in a way that enables the execution of your business plan in pursuit of your goals and objectives.