Dimensions of Security in the Data Center

Last month I was asked to do a presentation about data center security for a Data Center Dynamics conference in Atlanta.  In my presentation, I offered an explanation of how the traditional CIA fundamental security model projected onto functional dimensions of data center operations and the role of the data center to the Business.  It also gave me an opportunity to rant about some of my data center pet peeves, such as cardboard and packing material on the computer room floor, and man-traps that are more like marching band traps.  Much of this though was brought to focus onto what I think is a dangerously narrow view of data center availability and the actual impact on a Business’ risk governance plan.

CIA- The Fundamental Dimensions of IS Security

Let me begin with CIA.  For those readers who are not IS security professionals, “CIA” is not the Central Intelligence Agency.  Rather, CIA is the fundamental academic model of the full scope of IS security; Confidentiality, Integrity, Availability.

No Thanks to DR Planning Software (so far)

I was having a drink with an old friend of mine, who is a very prominent and globally sought after risk management professional, and we got around to talking about Disaster Recovery Planning Software.  I asked him, “have you ever found one of those that you like?”  His response was not positive.

Quite often, I am called by a potential Client needing help with DR planning, and who is at the make/break point of a relationship with a DR planning tool vendor.  The conversation often goes something like this:

IT Certifications: Is there a Role for the State?

This morning I was reading a short piece by Gary Beach, Publisher Emeritus of CIO Magazine in which he asks if he’s “certifiably nuts” for encouraging broad-based, state-administered technology certification programs.  The short answer from me- no, not really.   I would though, like to support the spirit of Gary’s call with my own encouragement.

Data Center Location, Location, Location

Location, Location, LocationI’ve just returned from a meeting in Washington, DC in which we were assessing training material for certification on the new BICSI data center design best practices.   Along with the fact that I’ve been approached lately with a number of site security assessment requests, it was interesting to review the guidance on data center location.

We have discussed data center location guidelines in this forum before, and with BICSI-002’s alignment with TIA-942, the contribution has been to bring guidance into a contemporary framework.  We bring this up again because while such guidance for mission critical facility location with respect to environmental and human threats has been on the shelf for a long time, chances are very good that your data center is not in good standing with respect to these location guidelines.

For the record, we’ll run through the general list of property adjacencies that contribute risk to the site, in concentric fashion beginning with the closest proximity to the site.

VM and IT Services

Our regular readers will understand that we do not routinely report on vendor-specific industry events, but because of the increasing presence of virtualization as a foundational component in enterprise IT architecture, this week’s VMWorld in San Francisco is hard to ignore.

In a press release, VMware revealed a roadmap that is focused on IT services in support of Business. ¬†As expected, there is a lot of focus on the Cloud in this strategy. ¬†Earlier posts in this forum highlight how foundational the Cloud has become in enterprise IT roadmaps. ¬†What is more interesting in this announcement is the focus on IT as a service. ¬†In this post, we are focusing only on the content of VMware’s press release because of its statements about product strategy. ¬†It is recognized that additional color and content apply from the conference more broadly.

Data Center Cage as Storage Facility

As someone with a strong operational ethic, one of my pet peeves is the colo site that resembles a monthly self-storage facility.¬† I’m referring here, to allowing (or tolerating) tenants storing boxes, material, and debris in their cages.

A colocation facility that has cardboard and other such material in customer cages shows very poorly.  That is, new customers touring the site as a potential future data center will not be impressed by the apparent state of operational controls when trash is visible in cages.

More importantly though, storage of cardboard and packaging material on the IT floor is a security risk.  This material is likely the most flammable of any present in the environment, and fire is an availability and safety exposure.

Stuxnet- an Example of Malware as a Weapon

In my classes at the university, I sometimes give students a project to create a malware pet shop or malware zoo.¬† The purpose is to make the students more aware of the “biodiversity” that really exists out there in the malware world.¬† We also often talk about the increasing use of malware and other network-based attacks by governments against other governments or industries within a country.¬† Then of course there is the extension of that in the form of cyber terrorism.

Over the past few weeks there has been a lot of press for the Stuxnet (Trojan) worm.¬† What is interesting to share with you about this malware du jour is that rather than targeting personal information or productivity on a person’s PC, this critter is designed specifically to target control systems commonly used in manufacturing plants and other industrial facilities including critical public utility infrastructure.

Stuxnet exploits a previously undisclosed vulnerability in Windows to access management software for Siemens SCADA (Supervisory Control and Data Acquisition) systems that are commonly found in manufacturing, industrial, and utility systems.¬† These types of systems are typically not connected to the Internet, but the malware travels by USB device (e.g., a thumb drive).¬† Once the malware discovers the Siemens application software, it copies project files to an external web site.¬† Other actions are not yet reported, but it’s clear that with access to key control systems, serious disruption could be accomplished even beyond theft of manufacturing process information.¬† Stuxnet has the ability to upload code to programmable logic controllers (PLCs) in SCADA systems.¬† The PLCs determine how industrial systems operate.