Last month I was asked to do a presentation about data center security for a Data Center Dynamics conference in Atlanta. In my presentation, I offered an explanation of how the traditional CIA fundamental security model projected onto functional dimensions of data center operations and the role of the data center to the Business. It also gave me an opportunity to rant about some of my data center pet peeves, such as cardboard and packing material on the computer room floor, and man-traps that are more like marching band traps. Much of this though was brought to focus onto what I think is a dangerously narrow view of data center availability and the actual impact on a Business’ risk governance plan.
CIA- The Fundamental Dimensions of IS Security
Let me begin with CIA. For those readers who are not IS security professionals, “CIA” is not the Central Intelligence Agency. Rather, CIA is the fundamental academic model of the full scope of IS security; Confidentiality, Integrity, Availability.
Confidentiality and Integrity project onto many of the best practices we use in applying good governance to data center operations. Confidentiality is the motivation behind obscuring the purpose of our data center facilities to the outside observer. If your data center has a neon sign with your company’s logo proudly displayed on the building or property then you’re not concerned with supporting confidentiality. If you’ve applied for listing on datacentermaps.com then similarly you’re not worried about attracting attention of those who would like to cause disruption to your business.
Confidentiality, of course, also projects prominently onto a data center’s access control techniques, devices, policies and procedures. There is certainly much that can be discussed about that, but that’s beyond the scope of this article.
The third leg of the IS security model is Availability. Availability is a term that gets a lot of attention in the data center world, but the role of availability to IS security is often unrecognized. The most obvious example of this is the common view of availability as “up-time.” If the facility is down, access to data is not possible. We invest exorbitantly to build facilities and systems that operate in a way that maximizes up-time. We invest exorbitantly again to operate these facilities and systems, justified by our confidence in delivering up-time. We build redundant paths for very high levels of power distribution, intense cooling, and robust plumbing paths. The energy consumed by the magnitude and inefficiency (because of the included redundancy, at least) of these facilities has earned data centers the distinction of one of the highest industrial consumers of energy to the degree of driving new legislation about energy consumption and carbon emissions.
Tears for Tiers
One key conclusion of my presentation (I realize it’s taken me a while to get to the point here) focused on something I call “Tears for Tiers.” The drive for high availability and maximization of uptime has driven a manic quest for Tier 3 and Tier 4 data center facilities (If you’re unfamiliar with what we’re talking about regarding tiers, you can find an explanation here). The cost of building, buying, and operating data centers takes a big leap when moving up the tier ladder from Tier 2 to Tier 3 and especially to Tier 4. ‘Big dollar multipliers for those higher levels. It’s true that almost every business one can imagine absolutely needs something more than three nines availability these days. However, when a business embarks on the path and the expense of owning and operating at Tier 3 or Tier 4 facility for the purpose of buying that third or fourth nine, there are still many, many single-event risks that are assumed. Assuming these risks runs counter to the good governance that so much time was spent to build.
What I’m getting at here, is that if you have a single data center facility,… ‘regardless of what Tier you’ve achieved, the whole thing can be for naught as a result of common threats. Fire, for example, is the big elephant in the room. Even if the building doesn’t burn down, a minor smoke/fire event can mean total replacement of your IT kit is necessary. An erroneous activation of the EPO is another, very common, catastrophic event that is exposed to common human error.
Data Centers are for Data
Data is a Business’ most valuable asset (or at least in the top two, depending on one’s point of view). Data is product. Data is money. Data is raw material. Data is business operations. Data is compliance. Data is any one or any combination of the above. The reason we invest money in data centers is solely because of the value of data and data processing. The amount of investment in the data center is a reflection of strategic decision-making around risk management and good governance and stewardship of the business.