A state’s data center is a crucial hub for services and a repository for sensitive data. In Oregon, the state’s data center provides centralized computer services such as networking, email, backup and server services for more than 100 agencies, boards and commissions.
Since the data center started operating in 2006, state audits found that it faced “significant secure weaknesses” and, historically, minimal action was taken to address security weaknesses identified by audits. However, a new audit, released earlier this month by the Oregon Secretary of State’s office, found that the state has “made significant progress in improving security at the data center through security planning and staffing, vulnerability assessments, security event monitoring, and anti-malware and patching processes.”
While the audit represents a significant step forward for Oregon, it also indicates that “further progress is needed to refine these processes and better track vulnerability remediation.” Specifically, some security areas require improvement, including privileged access, asset and configuration management and security incident response. And work is underway to improve privileged access for users of Microsoft’s Windows server environment.
The audit found that day-to-day computing remains stable and that disaster recovery capabilities have improved. “While additional disaster recovery capabilities are being built, data center customers need to prioritize which systems should be recovered first in the event of disaster,” the audit found.
“We acknowledge and commend the progress made to help secure the state’s computing environment,” Oregon Secretary of State Dennis Richardson said in a press release. “But since the work to secure Oregon’s data systems is never done, more improvements are needed.”
How Oregon Improved Data Center Cybersecurity
A continuous theme of the new audit is that the Beaver State has made progress on data center security, but gaps still remain.
As StateScoop reports, the last comprehensive audit of Oregon’s data center, in 2015, dinged the Enterprise Technology Services division of the office of the CIO for several security weaknesses that put confidential information from state workers and residents at high risk of breaches or cyberattacks.
The 2015 audit found that the data center “was running on obsolete network equipment with out-of-date operating systems and did not maintain complete inventories of its authorized device configurations, protocols designed to raise firewalls around computing systems or update security settings,” StateScoop reports.
Although it was not publicly reported, the 2015 audit found that while some initial work had begun, vulnerability scans were not being conducted. The current audit found “significant improvement” in this area, as the data center currently conducts scans of most of its environments. However, more work needs to be done, as “coverage is incomplete, and the results are not completely tracked over time to ensure all critical vulnerabilities are being addressed” quickly.
In the past, audits found that various hardware and software had been purchased to monitor logs of activities on the state’s network, but such systems were never fully implemented or appropriately staffed. Since the 2015 audit, the state’s Enterprise Security Office “made significant progress by implementing a monitoring system and assigning staff to monitor the traffic to identify whether alerts should be generated for potentially affected agencies.” And while this represents “a major improvement to the security stance of the state,” more work is needed to “add capabilities and to measure and report results to demonstrate and improve its effectiveness,” the new audit says.
Oregon has replaced many pieces of networking equipment that were no longer supported by the vendor, the new audit found. However, these lifecycle replacements have been handled on a project-by-project basis “without the development of an ongoing lifecycle management program funded to ensure critical equipment continues to be replaced” in a timely manner. Similarly, the new audit found that the data center has made progress eliminating out-of-support operating systems, but some unsupported operating systems remain on the state’s network.
Oregon has made significant progress on patching and anti-malware management. Since 2015, the data center replaced the software product used to facilitate automated patching and has put in place an exception process to document servers not following normal patch or anti-malware processes.
Auditors compared the list of deployed servers in the inventory tracking tool to servers being covered by centralized patching and anti-malware software to identify whether the software and supporting processes and procedures were functioning as intended. “We found that 99% of deployed servers were being managed through the automated patching software, or were being managed manually but represented known exceptions, although not all exceptions had been formally documented,” the audit says. “The remaining 1% of servers were not being managed under the central patching solution, but data center staff reported they have now corrected these.”
Oregon Still Needs to Make Progress on Data Center Security
While progress has been made, the audit found there are some areas where security is still lagging.
In the 2015 audit, the Secretary of State’s office recommended developing a comprehensive security plan to address security weaknesses. The Enterprise Security Office recently released an updated security plan that the data center adopted. However, the new report notes that the plans “lack details regarding how security measures will be enforced or accomplished under the state’s shared security model.”
Prior audits also found security initiatives were not always properly staffed and therefore were never fully implemented. The Secretary of State’s office recommended clearly defining and assigning data center security roles and providing sufficient human resources to carry out critical security functions. “During the current audit, we identified improvement in the assignment of resources,” the new audit states. “Even so, there are some areas where responsibilities should be better clarified or assigned.”
Meanwhile, the 2015 audit noted weaknesses in the assignment of special access and monitoring of activities of privileged users. The new audit found that data center managers developed, but have not yet implemented, new processes to periodically review who has privileged access. Additionally, the report found that there are “still very few procedures in place to monitor the actions of privileged users.” Oregon is undertaking a project to improve these weaknesses in the Windows environment.
The prior audit also noted that potential information security incidents were not sufficiently tracked. The data center has since developed an information security incident response plan, but elements of it have not been implemented, the new audit found. Roles and responsibilities for data center and Enterprise Security Office personnel have not been sufficiently defined for security incident response, according to the report, and the office has not documented standard operating procedures for managing information security incidents.
On the disaster recovery front, the state has made additional progress and performed disaster recovery tests of all platforms, restored isolated environments for two agencies and plans to invite customers to participate in future annual tests. However, the report says, it “does not currently have sufficient capacity and infrastructure to restore all agency applications and data” and “priorities among agencies have not been established to ensure that the state’s most critical applications are recovered first.”
The report makes 11 clear recommendations, starting with the need to clarify the information security roles of data center personnel pertaining to security requirements defined in the information security plan and overall responsibility for security at the data center. The audit also recommends improved tracking of remediation efforts to mitigate critical vulnerabilities detected by scans, and that the state periodically reconcile installation of anti-malware and patch management agents on Windows servers with applicable servers in its inventory to ensure full coverage.
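The reconciliation the auditors describe (comparing the deployed-server inventory with the hosts that the central patching and anti-malware tools actually manage, then separating documented exceptions from unexplained gaps) and the recommendation that the state repeat it periodically are both simple to automate. The script below is an added illustration, not code from the audit or from Oregon's data center; the inventory export, agent check-in lists and exception register are constructed sample data, and the field names are assumptions about what a CMDB export and a management console would provide.

```python
"""Reconcile a server inventory against patch / anti-malware agent coverage.

Added example, not part of the Oregon audit or the state's tooling. All
data below is constructed; in practice the inventory would be a CMDB export
and the agent lists would come from the patching and anti-malware consoles.
"""
from dataclasses import dataclass

# Constructed inventory export: hostname -> lifecycle status.
INVENTORY = {
    "app01": "deployed",
    "app02": "deployed",
    "db01": "deployed",
    "legacy01": "deployed",
    "orphan01": "deployed",
    "retired01": "decommissioned",
}

# Constructed agent check-in lists from the two management consoles.
PATCH_AGENTS = {"app01", "app02", "db01"}
AV_AGENTS = {"app01", "app02", "db01", "legacy01", "ghost01"}

# Constructed exception register: hosts managed manually, each with a
# documented reason. Anything not listed here is an undocumented gap.
DOCUMENTED_EXCEPTIONS = {
    "legacy01": "vendor appliance; patched manually in maintenance window",
}


@dataclass
class ReconciliationResult:
    deployed: int                        # number of servers inventory calls deployed
    fully_covered: set[str]              # both agents reporting
    documented_exceptions: set[str]      # missing an agent, but on the register
    undocumented_gaps: dict[str, list[str]]  # hostname -> missing agents
    unlisted_agents: set[str]            # agents reporting for hosts not deployed

    @property
    def coverage_pct(self) -> float:
        """Share of deployed servers that are centrally managed or a known exception."""
        managed = len(self.fully_covered) + len(self.documented_exceptions)
        return round(100.0 * managed / self.deployed, 1) if self.deployed else 0.0


def reconcile(inventory, patch_agents, av_agents, exceptions) -> ReconciliationResult:
    """Classify every deployed server by its agent coverage and exception status."""
    deployed = {h for h, status in inventory.items() if status == "deployed"}
    fully_covered, documented, gaps = set(), set(), {}
    for host in sorted(deployed):
        missing = []
        if host not in patch_agents:
            missing.append("patch")
        if host not in av_agents:
            missing.append("anti-malware")
        if not missing:
            fully_covered.add(host)
        elif host in exceptions:
            documented.add(host)
        else:
            gaps[host] = missing
    # Agents checking in from hosts the inventory does not list as deployed
    # indicate inventory drift: unrecorded builds or machines never retired.
    unlisted = (patch_agents | av_agents) - deployed
    return ReconciliationResult(len(deployed), fully_covered, documented, gaps, unlisted)


def report_lines(result: ReconciliationResult) -> list[str]:
    """Human-readable summary suitable for a periodic coverage report."""
    lines = [f"deployed servers: {result.deployed}",
             f"fully covered: {len(result.fully_covered)}",
             f"documented exceptions: {sorted(result.documented_exceptions)}",
             f"coverage (managed or documented): {result.coverage_pct}%"]
    for host, missing in sorted(result.undocumented_gaps.items()):
        lines.append(f"UNDOCUMENTED GAP: {host} missing {', '.join(missing)}")
    for host in sorted(result.unlisted_agents):
        lines.append(f"INVENTORY DRIFT: agent reporting for unlisted host {host}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(
        reconcile(INVENTORY, PATCH_AGENTS, AV_AGENTS, DOCUMENTED_EXCEPTIONS))))
```

Run it on a real export and the two findings the audit singles out fall out directly: the "undocumented gap" lines are the servers outside central management with no recorded exception, and the "inventory drift" lines are the reverse problem, agents reporting from hosts the inventory does not know about, which is what an incomplete device inventory looks like from the console side. Scheduling the script and keeping its output lets the coverage figure be tracked over time rather than measured once during an audit.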
Notably, the report says that the office of the CIO should request funding from the state legislature to replace networking and security equipment as part of an ongoing lifecycle program rather than funding each replacement as an individual project.