Ping, Power and Pipes

Mar 1, 2005 12:00 PM, By Jacqueline Emigh



Jewelers and bankers are both well known for concealing shiny valuables inside of vaults. Less conspicuously, other companies are now doing much the same thing by keeping mission-critical information — their own big “sparklers” — tucked away inside special facilities called “data centers.” Because these gems of corporate knowledge are computer-based, the data center requires vigilant physical and information security.

“One of the largest misconceptions is that data centers house only huge mainframe (computer) dinosaurs. Those days are gone forever,” says Chad Decatur, data center manager for Information Technology Resources (ITR).

Today's data centers feature rack upon rack of small computers, known as servers, running a mixed bag of operating systems ranging from Microsoft Windows to Linux and other breeds of Unix.

The purpose of the data center has been changing dramatically through the years. A few decades ago, data centers were more or less dedicated to spitting out the punch cards that were once integral to payroll and other financial applications.

Today, financial applications still linger as a key data center concern, particularly as companies begin to comply with the Sarbanes-Oxley Act and a barrage of other relatively new federal and state regulations.

Now, however, servers inside the data center are also playing host to software programs that are directly related to the company's core business.

At some companies, for instance, electronic commerce is the core business, observes James Callahan, MCI's director of data center security.

“If you want to buy a sweater online, and you can't get the Web page to load, then you're going to move on to somebody else's Web site to buy that sweater,” Callahan says.

Some of the protected systems handle voice communications, too. For instance, the Automobile Association of America (AAA) uses a data center for hosting its “call center,” the facility where incoming phone calls get answered.

9-1-1 emergency operations also rely on data centers, says Marcio Saito, chief technology officer at Cyclades Corp.

As in the past, though, today's data centers are not necessarily located on an enterprise's own grounds. Many corporations opt instead to contract with outside specialists known as outsourcers.

“It's our job as outsourcers to fix a company's ‘pain points,’” Callahan says.

Under some types of arrangements, generally known as co-location (or co-lo) deals, enterprises pay only for the use of the outsourcers' facilities, relying on their own staff to manage the corporation's data security and software applications.

Depending on the specific situation, personnel can deal with these issues either “remotely” — meaning from within a corporate building, for example, over a computer network — or “on-site,” meaning directly inside the outsourcing facility.

“In co-location, outsourcers provide what we call ‘ping, power, and pipes’ — in other words, network connectivity, electricity and racks for holding the servers,” Callahan says. “Customers populate the rented space in our data center with their own computer equipment, and then service this equipment themselves.”

Why might a customer choose co-lo over “managed hosting”? One good reason is that co-lo can be less costly. Yet outsourcers also cite a range of other scenarios.

Some co-lo customers have simply outgrown their on-site data center facilities, either in terms of computing or networking capabilities. The customer's business model also plays a role. Companies that “go co-lo” do not tend to have information technology (IT) as their core business, Callahan says.

Even when corporations select managed hosting, however, they still need to create appropriate security policies — and they must be able to tell whether an outsourcer can support those policies with its personnel and technology.

“A data center is a lot like a bank vault in some respects. But customers don't go into a bank vault and check the thickness of the walls, for example — and that's what they do here, essentially,” Callahan says.

On the other hand, particularly in the United States, some companies in a variety of industries are so adamant about maintaining direct control that they will not outsource their data centers, experts say.

What sorts of security policies are best suited for data centers? “Be ever mindful about network access control lists and passwords. Historically, there haven't been rigid enough controls in the data center environment,” Saito advises.

Companies should apply these watchwords to both information security and physical security. “Just because a person works in the ‘database group,’ this doesn't mean he or she should be given computer access to all the servers that are running databases. There should be some real justification as to why that particular person needs to be able to use that particular database,” Saito says.

“You're starting to see more rigorous controls now,” Saito continues. “But in the past, if a person's authorization was removed for some reason, it often took him just a handshake, a smile and a wink to get it back again.”

Real justification should be demanded for physical access, too. “Inside a lot of enterprises, people are wandering around the data center who ought not to be there at all,” Decatur says.

Beyond the hazards associated with lost or damaged information, data centers tend to be environmentally inhospitable. Wires and cables can subject employees to accidents, and employers to the prospect of resulting lawsuits.

Furthermore, data center facilities tend to be kept very cold to prevent the computers inside from overheating. “Plus, nowadays, the noise levels alone can make these rooms almost uninhabitable,” Decatur adds.

Meanwhile, certain security technologies that are fairly specific to data centers are now emerging. For instance, sensor-driven systems based on the new IPMI industry standard can come in quite handy for managing and monitoring computer systems over the Internet. “You can even gauge temperatures remotely,” Saito says.

From the standpoint of physical access control, the most state-of-the-art systems for data centers tend to combine contactless cards — for minimizing wear-and-tear — with biometrics, for more reliable identification. In another departure from run-of-the-mill information security, some data centers also contain man-traps.

In many senses, solid policies and procedures for data center security actually boil down to sound common sense. For policies to be carried out effectively, however, security professionals need to know all they can about technologies, outsourcing facilities, and other options available for protecting the crown jewels of the corporation.

FOR THE RECORD

About the Companies

For information, circle the Reader Service number (listed below) or visit securitysolutions.com

Cyclades Corp. 60
Information Tech. Resources 61
MCI 62

© 2012 Penton Media Inc.
