Story image

A multi-tiered approach

12 Aug 14

Take a multi-tiered approach to data centre security, not just in the technology deployed, but the processes used as well, says MPA New Zealand's Tony S Krzyzewski.

In a world where the techniques required to protect systems have gone beyond the simple deployment of an antivirus application, a multi-tiered approach to information security within the data centre becomes an essential requirement if information is to be protected from loss, leakage or unauthorised manipulation.

All too frequently we see organisations adding information security controls as an afterthought, rather than considering information security as an essential core piece of their data centre architecture.

Consider the controls to protect the confidentiality, integrity and availability of information, not only at the technical level, but also at the all-to-often overlooked policy, procedure and process level
when implementing data centre systems. This will not only enhance the level of protection offered to your information but will also reduce the personnel overhead required long term to efficiently manage your systems.

Having well defined, easily understood, and readily available high level policies as the foundation gives you a clear understanding of what you are trying to protect, establishes the baseline for any protection mechanisms and allows you to define the controls required in order to ensure that these information security protection mechanisms are functioning as expected.

Once policy has been defined it is possible to identify the technology that will allow it to be complied with. This technology will vary depending on specific information protection requirements within your organisation, and may include malicious code protection, both at the host and perimeter level, application and database change control and monitoring, user access control and monitoring, application whitelisting, encryption systems and information leakage control systems.

Control it

With protection technology identified, the establishment of clearly defined procedures and system-specific processes go a long way towards ensuring all of the people involved in the protection of your vital information resources are working in a coordinated manner.

These procedures and processes need to be fully documented and available to all staff involved in the management of your systems. Information systems personnel are renowned for their unwillingness to document systems once implemented but this step cannot be overlooked if you are to have effective management of systems in place.

There are two levels of control in ensuring you know everything is operating correctly.

The first, an absolutely essential part of your operational management system, is the requirement to continuously monitor, log and report on events that are occurring with relation to your information and how it is being accessed.

These reports should be a combination of automated system reports and random spot checks on how effectively the system controls are operating. It is far better to detect process, system and technical issues before they become a major security event and anything you learn from the regular reports can be fed straight back into the processes to further enhance security.

The second control you need to consider is an independent technical security audit of the technology and associated processes you have in place. This audit, preferably performed annually, provides a new set of eyes to look at how your protection mechanisms are actually functioning, whether they meet best practice guidelines, whether any unidentified vulnerabilities exist, and where further improvements can be made.

Tony S Krzyzewski is director and chief technical officer for MPA New Zealand and Kaon Security, leaders in security technology and professional serivces.

The new world of edge data centre management
Schneider Electric’s Kim Povlsen debates whether the data centre as we know it today will soon cease to exist.
Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
How HCI helps enterprises stay on top of data regulations
Increasing data protection requirements will supposedly drive the demand for Hyper-Converged Infrastructure solutions across the globe.
Vodafone and PNSol champion new ‘invisble network’ broadband project
"As an industry, we've increased the speed of broadband to one gigabit and beyond, which is a remarkable achievement, but we now have to look beyond speed."
Top 3 cloud computing predictions – what’s in store for 2019?
Virtustream's Deepak Patil shares his predictions for how cloud computing will evolve in 2019.
London’s pricy data centres allow Frankfurt to overtake
According to a new report, data centre pricing in the UK is among the highest in Europe, which is seeing other countries prosper.
Rubrik welcomes $261m funding for new market expansion
The company intends to use the funds from new investor Bain Capital Ventures will go toward future innovation and expansion.
Survey finds retailers 'bullish' on hybrid cloud adoption
The retail industry takes no prisoners and that’s made clear in its 'on the pulse' adoption of new technologies.