Q. I am evaluating server management solutions and want to ensure that the mechanism for managing my data within these products is secure. What sorts of questions should I ask regarding security when evaluating server management products?A comprehensive server management platform (also known as a data-center automation platform) is responsible for managing the full life cycle of server and application infrastructure. This responsibility includes the following: provisioning the initial operating system and distributed applications; managing ongoing change related to the operating system, applications, patches and configurations; and maintaining consistency against server, security and application configuration policies.Today, staff members organized into disparate operational groups, such as Windows, Unix, Security, etc., manage data centers manually, largely with a collection of vendor-specific tools and home-grown scripts. Collaboration between these groups is difficult due to the different toolsets they use and the varying security policies applied to each group. Introducing a data center automation platform for provisioning, change and compliance can tremendously improve productivity and configuration stability.However, a data center automation platform can also be an entryway for hackers and malicious insiders to access and manipulate sensitive server data - and not just from the outside. While there has been tremendous focus on protecting the perimeter of data centers with security infrastructure such as firewalls, it is a well-known fact that insiders perpetrate 80% of security breaches.In a data center, security is traditionally an "all or nothing" model. Users either have unnecessary privileges or insufficient access to servers; the trusted administrators often have full access to all servers, while support teams often have little or no access to appropriate servers. The result is that data center security consists of a hard outer shell with little internal structure. Implementing a data center automation platform will let you address many of the insider security issues that plague operations, from establishing the appropriate level of security access for all administrative personnel to ensuring that all communication related to administrative activity is encrypted and centrally logged. It is therefore imperative that IT managers carefully evaluate both the security architecture of a data-center automation platform and the benefits it offers for controlling insider security.Questions to ask about core product securityIs the solution based on agents or agentless? Low-end patching solutions can be agentless. However, a secure data center automation platform for software updates, patching, and deep compliance scanning and remediation must be an agent-based solution.Are the core components of the solution secure? The core components of a solution that stores software, patches, build policies, and compliance policies must be secure so that a malicious user cannot compromise its content and distribute infected software or configurations to target servers.Questions to ask about insider securityDoes the product support strong authentication and single sign-on? Products should support\u00a0Kerberos\u00a0or another public-key infrastructure (PKI), often requiring integration with existing security mechanisms such as certificate servers or LDAP servers. A secure communication infrastructure is critical to any data center automation platform to prevent information "leak" and to ensure data integrity among all infrastructure components of the platform.Is all communication with agents encrypted?Does the product implement role-based access control? Role-based access control (RBAC) defines roles and maps users to the roles. Access privileges are then associated with roles. For example, separate roles allow security teams to define policies and operations teams to execute them. A good RBAC solution is key to addressing the challenges related to insider security by providing the right level of access to servers across users and roles.Does the solution implement a strong cross-platform security model? Implementing a solution for only Windows or Unix or Linux is not acceptable for a data center automation platform. As an example, the solution should be able to leverage Kerberos-based Windows Active Directory for strong authentication while simultaneously leveraging existing PKI for Unix servers.Is all activity centrally logged? Central logging provides a full audit trail of all administrative activity, allowing users to clearly track actions and map them back to individual users. This is a core component of any secure data center automation platform.Does the product integrate well with existing hardware and software security infrastructure?\u00a0 A data center automation platform must integrate with established management policies and existing security hardware. Examples include encryption standards, firewalls, VPN infrastructure and LDAP.Questions\u00a0to ask about third-party validationHas a third-party security company reviewed the product's security infrastructure? Having a reputable security company audit a data center automation platform's security architecture and also perform penetration testing is a critical step in establishing the validity and reliability of a solution's security model. Look for solutions that have already had their security model certified by an independent security firm.ConclusionIf a thief is in the house, don't give him the keys to the safe.Ensuring that your data center automation platform is secure is the most important project an organization can undertake to address insider security while establishing a secure data center change and automation platform. A data center automation platform that can manage the activities of the community on privileged systems improves insider security. Implementing role-based access control improves collaboration between operations and other groups and is equally important from a security perspective.Vijay Manwani is a co-founder and the Chief Technology Officer of BladeLogic, a developer of data center automation software. Manwani is responsible for BladeLogic's overall product strategy and direction. Previously, he led all phases of the company's development efforts which resulted in BladeLogic's current product leadership position. Before BladeLogic, Manwani was an entrepreneur-in-residence at Battery Ventures where he spent the bulk of his time working to launch BladeLogic. Earlier, he was the CTO at Breakaway Solutions where he was responsible for all technology initiatives in the ASP and eBusiness lines of businesses. Prior to Breakaway, Manwani was the CTO and co-founder of Eggrock Partners, an ASP\/eBusiness-consulting firm that was acquired by Breakaway Solutions.