Industry Outlook is a regular Data Center Journal Q&A series that presents expert views on market trends, technologies and other issues relevant to data centers and IT.
This week, Industry Outlook asks Will Blattner about the risks that data center operators face and how they can protect their businesses. Will is an IT systems specialist who has been with TSC Advantage since early 2013, helping the team deliver innovative services to the company’s client base in both the public and private sectors. Before joining TSC Advantage, Will worked for Apple as a technician and business solutions guru. He previously owned a private IT consulting business that provided IT services to clients including small businesses, startups, law firms, medical offices and non-profits.
Industry Outlook: What are the biggest risks in the data center?
Will Blattner: Data centers safeguard huge quantities of data from so many different customers. We're talking about petabytes of information, including payment-card industry (PCI) data, personally identifiable information (PII), electronic protected health information (ePHI) and, of course, sensitive intellectual assets. All this information is housed in a single location. These large-scale operations can be tantalizing targets for malicious hackers, data center insiders or competitive intelligence adversaries looking to exploit various physical or insider threats as well as data security controls. Data centers also contend with the added risk of customer-controlled systems being an integral part of their environments.
IO: How can data center professionals protect their organizations?
WB: As with all organizations entrusted to protect sensitive data, data centers need to offer their teams proper education, training and awareness programs that teach staff members to recognize and protect against the various threats directed at them. From social engineering to exploiting physical security, evolving threats make it crucial for data centers to expand their thinking about security into an approach that is more comprehensive or holistic, and not just limited to traditional software or hardware defenses. Data center professionals need to think like the enemy.
IO: What role can cyber insurance play in safeguarding a data center?
WB: Insurance can serve as a valuable tool and can help defray the costs associated with business interruption, legal fees and privacy liability. But it is also important to mention that cyber insurance should always be complemented with higher due diligence and an active philosophy that aims to prevent an incident from occurring in the first place. No amount of insurance will bring back sensitive data once it has been exfiltrated.
IO: Are industry compliance standards enough to help keep the data center safe?
WB: Standards such as those set by the International Organization for Standardization (ISO) are a great starting point and a good way for providers to review their policies. But every environment is different, and every company has a different culture. Security policies must be tailored to the specific operation and organization. No single standard is enough to protect an operation of any size, especially not a data center.
IO: Shadow IT is becoming a big security concern; what should data center professionals know about it?
WB: Shadow IT is a huge concern for businesses of all sizes. There is only one real solution for the problem: give your employees the resources they need along with easy-to-use integrated systems and, most importantly, clear policies to guide their use. IT is changing faster than ever. When businesses resist change, their staffs will find other ways to get work done—often compromising security in the process. It's time for enterprises of all sizes to get on board with the post-PC era.
IO: Will integrating cloud services pose new security concerns? What are those concerns?
WB: There are many questions to consider when integrating cloud services into a business. Many of them are security and control related: Where is my data? How is it stored? Who else has access? What kind of vetting is performed on all new hires? What are the physical security vulnerabilities of this vendor?
When a business evaluates a potential cloud service provider (CSP), it needs to thoroughly vet the provider's business operations and IT environment. It may not be a bad idea to become familiar with the mission of the Cloud Security Alliance and use its standards to evaluate possible CSPs. There are usually compromises when moving any system (to the cloud or otherwise), but enterprises have to weigh these compromises against the limitations of legacy IT strategies.
IO: Looking ahead, what are some of the major solutions that will affect the data center and security?
WB: Again, it comes down to the approach taken toward security rather than the actual technical solution end of things. Sure, newer security technology is always around the corner. There are new businesses popping up all the time with new ways to detect malware, advanced persistent threats (APTs) and other risks. At the same time, the malicious parties are always finding new ways in. The special new box you put in your server rack is not security. What will really set the best secure providers apart from the rest is meticulous assessment and reassessment of their operations. Time will tell who is really keeping an eye on security and who is just focusing on delivering services.
IO: How can data centers continue to meet the demands of both the users and the business without sacrificing security?
WB: Data centers and cloud providers are under more pressure than ever to deliver the latest and greatest services. To deliver the quality of service their customers want with the security their customers need, these businesses must evaluate their entire operations. This means completing heavy-duty, defensive, in-depth assessments of all areas of their business—not just data security. Of course they need to tackle the obvious assessments like penetration testing, but they also need to evaluate business operations and policies, physical security and hiring practices. Most of all, the one area often overlooked is the relationships these providers have with third parties. Contracts aren’t enough. Data center and cloud providers need to run similar risk assessments on any third-party vendors or partners with whom they do business.