Hurricane Sandy has created a concentrated emergency situation for data centers across a large geography of the Northeastern United States. Here is a video of a Con Ed transformer failing in Manhattan during the storm.
Last month I was asked to do a presentation about data center security for a Data Center Dynamics conference in Atlanta. In my presentation, I offered an explanation of how the traditional CIA fundamental security model projected onto functional dimensions of data center operations and the role of the data center to the Business. It also gave me an opportunity to rant about some of my data center pet peeves, such as cardboard and packing material on the computer room floor, and man-traps that are more like marching band traps. Much of this though was brought to focus onto what I think is a dangerously narrow view of data center availability and the actual impact on a Business’ risk governance plan.
CIA- The Fundamental Dimensions of IS Security
Let me begin with CIA. For those readers who are not IS security professionals, “CIA” is not the Central Intelligence Agency. Rather, CIA is the fundamental academic model of the full scope of IS security; Confidentiality, Integrity, Availability.
I was having a drink with an old friend of mine, who is a very prominent and globally sought after risk management professional, and we got around to talking about Disaster Recovery Planning Software. I asked him, “have you ever found one of those that you like?” His response was not positive.
Quite often, I am called by a potential Client needing help with DR planning, and who is at the make/break point of a relationship with a DR planning tool vendor. The conversation often goes something like this:
This morning I was reading a short piece by Gary Beach, Publisher Emeritus of CIO Magazine in which he asks if he’s “certifiably nuts” for encouraging broad-based, state-administered technology certification programs. The short answer from me- no, not really. I would though, like to support the spirit of Gary’s call with my own encouragement.
I’ve just returned from a meeting in Washington, DC in which we were assessing training material for certification on the new BICSI data center design best practices. Along with the fact that I’ve been approached lately with a number of site security assessment requests, it was interesting to review the guidance on data center location.
We have discussed data center location guidelines in this forum before, and with BICSI-002’s alignment with TIA-942, the contribution has been to bring guidance into a contemporary framework. We bring this up again because while such guidance for mission critical facility location with respect to environmental and human threats has been on the shelf for a long time, chances are very good that your data center is not in good standing with respect to these location guidelines.
For the record, we’ll run through the general list of property adjacencies that contribute risk to the site, in concentric fashion beginning with the closest proximity to the site.
As a part of the enterprise IT assessment process, and as a component for articulating the rationale for elevation of IT service capabilities to achieve alignment of IT with the strategic goals of the business, a description of the current level of IT maturity is a beneficial measure. ISACA is a global provider of information,…
Our regular readers will understand that we do not routinely report on vendor-specific industry events, but because of the increasing presence of virtualization as a foundational component in enterprise IT architecture, this week’s VMWorld in San Francisco is hard to ignore.
In a press release, VMware revealed a roadmap that is focused on IT services in support of Business. ¬†As expected, there is a lot of focus on the Cloud in this strategy. ¬†Earlier posts in this forum highlight how foundational the Cloud has become in enterprise IT roadmaps. ¬†What is more interesting in this announcement is the focus on IT as a service. ¬†In this post, we are focusing only on the content of VMware’s press release because of its statements about product strategy. ¬†It is recognized that additional color and content apply from the conference more broadly.
We are working on a book about one of our favorite topics: Data center tier models, availability, and the alignment of business with availability requirements. We plan to cover the models that enjoy the most mind-share, as well as models that are not talked about nearly as much, but yet are very relevant to the…
As someone with a strong operational ethic, one of my pet peeves is the colo site that resembles a monthly self-storage facility.¬† I’m referring here, to allowing (or tolerating) tenants storing boxes, material, and debris in their cages.
A colocation facility that has cardboard and other such material in customer cages shows very poorly.¬† That is, new customers touring the site as a potential future data center will not be impressed by the apparent state of operational controls when trash is visible in cages.
More importantly though, storage of cardboard and packaging material on the IT floor is a security risk.¬† This material is likely the most flammable of any present in the environment, and fire is an availability and safety exposure.
In my classes at the university, I sometimes give students a project to create a malware pet shop or malware zoo.¬† The purpose is to make the students more aware of the “biodiversity” that really exists out there in the malware world.¬† We also often talk about the increasing use of malware and other network-based attacks by governments against other governments or industries within a country.¬† Then of course there is the extension of that in the form of cyber terrorism.
Over the past few weeks there has been a lot of press for the Stuxnet (Trojan) worm.¬† What is interesting to share with you about this malware du jour is that rather than targeting personal information or productivity on a person’s PC, this critter is designed specifically to target control systems commonly used in manufacturing plants and other industrial facilities including critical public utility infrastructure.
Stuxnet exploits a previously undisclosed vulnerability in Windows to access management software for Siemens SCADA (Supervisory Control and Data Acquisition) systems that are commonly found in manufacturing, industrial, and utility systems.¬† These types of systems are typically not connected to the Internet, but the malware travels by USB device (e.g., a thumb drive).¬† Once the malware discovers the Siemens application software, it copies project files to an external web site.¬† Other actions are not yet reported, but it’s clear that with access to key control systems, serious disruption could be accomplished even beyond theft of manufacturing process information.¬† Stuxnet has the ability to upload code to programmable logic controllers (PLCs) in SCADA systems.¬† The PLCs determine how industrial systems operate.