Does your data center protection rely on the fortress approach? What about the valuables outside the walls?
Traditional approaches to protecting the data center relied on securing and hardening the facility, network and infrastructure. As the use of public and private clouds emerges, data center protection requirements are becoming broader.
In medieval times, the castle was the fortress of security and protection. Put everything you value behind the thick walls, strong door, and moat. Just the threat of the castle prevented most intrusions. Eventually, that wasn’t enough. The diversity of the population and the valuables outside the castle walls made it essential to devise other security measures. In that light, how many of us do not have locks on our doors or employ a security safe in some way?
The fortress-of-protection approach is traditional for the data center. Although hardening of the data center has been an appropriate focus, organizations today are embracing the cloud and other external services. This implies looking at security matters which are outside the traditional data center scope of work, in addition to the data center itself; it means developing a comprehensive enterprise security strategy. The alternative is to trust external resources to provide adequate protection. Blind trust is not assurance, in my opinion.
The focus on security and protection of enterprise data centers takes an increased priority in today’s context of rapid change. Suitably addressing risk and compliance is hard enough under normal circumstances, let alone adding the concerns of cloud or initiatives like a major data center transformation.
In this light, you should consider these three focal areas for IT Assurance and Protection:
- Understand threats and vulnerabilities – This is the focus that most enterprises understand best, but address the least. Denial, ignorance, or the overwhelming nature of threats and vulnerabilities are all causes of a lack of focus. I hope you’ll agree that an unlocked door (to use the castle paradigm above) demands action, and your enterprise should take immediate steps if there are security gaps in your physical systems, network, access control, applications, authentication, encryption, or risk management processes. In this age of IT, the threats and vulnerabilities raised by mobility, social networking, public and managed cloud, and the sharing of IT resources between enterprises must be added to the traditional threats that we’ve focused on for years.
- Address legal and regulatory matters – In this focal area, organizations address compliance issues that need clarification and adherence. This is increasingly visible in the enterprise, as IT Assurance is recognized as a key enabler of policy as well as a potential vulnerability. The security of business or government data cannot be assumed to be in place; businesses and government entities must focus on this just as much as their IT departments. This is a good focal area to think out of the box: What has changed in IT that could be impacted by legal or regulatory drivers? What has changed in legal and regulatory spaces that affect IT?
A good example is the effect of recent legislation on enterprises involved in healthcare in the USA. The Affordable Care Act of 2010 is changing or has the potential to change the portfolio, infrastructure, and interfaces of many data centers. And, of course, these businesses must also ensure that they comply with the current requirements of current requirements of HIPAA, and many other healthcare and legal regulations. When you look at your own organization, is IT prepared to address the security and integrity issues of these rules? Is the enterprise aware of the exposure? Is your Sarbanes-Oxley compliance being audited against newer technologies like mobility and cloud?
- Develop or revise command and control – As a part of your IT Assurance focus, perform a governance evaluation to determine changes needed to ensure that security/continuity programs are operating effectively and support the enterprise. Some of this may take the form of reviews; much of it is ongoing “command and control” type of governance. This spans from the ongoing monitoring of activity, to addressing breaches/attacks/intrusions, to supporting an IT Assurance strategy. As examples of the latter: do you review IT architecture changes for security, access, and intrusion potential? Do you assign or contract someone to attempt intrusion as a test of adequacy? Do you have controls in place to ensure that public cloud usage involves appropriately encrypted data, with your enterprise holding the key? Is social media releasing proprietary information?
Clearly, the protection of the data center remains an essential component of the strategy of any enterprise, whether commercial or governmental. And it extends beyond the walls of the enterprise.
Data center security requires a viewpoint that encompasses threats, vulnerabilities, and the legal, regulatory, and governance issues that can emerge from virtualization and the cloud. It means identifying internal and external risks that currently exist as well as those that may emerge in the future. Many enterprises are prepared to handle this internally; many are not. An IT Assurance partner is a wise choice in many cases.
Central to the effectiveness of data center protection is a sound governance, risk, and compliance (GRC) program; effective security management; and an optimized security technology solution. This is where HP is positioned to assist, with our newly announced HP Data Center (DC) Protection Services suite.
Learn how HP Security and Risk Management solutions can help you develop intelligent security for your data center.