Story image

A multi-tiered approach

12 Aug 2014

Take a multi-tiered approach to data centre security, not just in the technology deployed, but the processes used as well, says MPA New Zealand's Tony S Krzyzewski.

In a world where the techniques required to protect systems have gone beyond the simple deployment of an antivirus application, a multi-tiered approach to information security within the data centre becomes an essential requirement if information is to be protected from loss, leakage or unauthorised manipulation.

All too frequently we see organisations adding information security controls as an afterthought, rather than considering information security as an essential core piece of their data centre architecture.

Consider the controls to protect the confidentiality, integrity and availability of information, not only at the technical level, but also at the all-to-often overlooked policy, procedure and process level when implementing data centre systems. This will not only enhance the level of protection offered to your information but will also reduce the personnel overhead required long term to efficiently manage your systems.

Having well defined, easily understood, and readily available high level policies as the foundation gives you a clear understanding of what you are trying to protect, establishes the baseline for any protection mechanisms and allows you to define the controls required in order to ensure that these information security protection mechanisms are functioning as expected.

Once policy has been defined it is possible to identify the technology that will allow it to be complied with. This technology will vary depending on specific information protection requirements within your organisation, and may include malicious code protection, both at the host and perimeter level, application and database change control and monitoring, user access control and monitoring, application whitelisting, encryption systems and information leakage control systems.

Control it

With protection technology identified, the establishment of clearly defined procedures and system-specific processes go a long way towards ensuring all of the people involved in the protection of your vital information resources are working in a coordinated manner.

These procedures and processes need to be fully documented and available to all staff involved in the management of your systems. Information systems personnel are renowned for their unwillingness to document systems once implemented but this step cannot be overlooked if you are to have effective management of systems in place.

There are two levels of control in ensuring you know everything is operating correctly.

The first, an absolutely essential part of your operational management system, is the requirement to continuously monitor, log and report on events that are occurring with relation to your information and how it is being accessed.

These reports should be a combination of automated system reports and random spot checks on how effectively the system controls are operating. It is far better to detect process, system and technical issues before they become a major security event and anything you learn from the regular reports can be fed straight back into the processes to further enhance security.

The second control you need to consider is an independent technical security audit of the technology and associated processes you have in place. This audit, preferably performed annually, provides a new set of eyes to look at how your protection mechanisms are actually functioning, whether they meet best practice guidelines, whether any unidentified vulnerabilities exist, and where further improvements can be made.

Tony S Krzyzewski is director and chief technical officer for MPA New Zealand and Kaon Security, leaders in security technology and professional serivces.

Edge computing market to provide ‘lucrative opportunities’
The market is set to skyrocket in the coming years, paving the way for emerging market players.
Opinion: 3 ways cloud & colocation providers can use renewables
Schneider Electric’s John Powers discusses the renewable revolution that is underway and how providers can jump on board.
Former CBRE data centre head joins EkkoSense board
Data centre expert Mark Acton will be strengthening the board as a non-executive director.
$50b modular data centre market driven by edge computing
Findings from a new research report have been released by Global Market Insights that show a burgeoning market.
Telia Carrier launches new PoP in SUPERNAP Italia data centre
Today Telia Carrier announced a new Cloud Connect PoP in the SUPERNAP Italia data centre near Milan, Italy.
Verizon makes major step towards Multi-Access Edge Compute
In a trial environment in California, the wireless provider achieved full virtualisation of baseband functions.
Interview: Edge computing - the force powering hyperconverged infrastructure
Scale Computing CEO Jeff Ready talks offerings, plans for the future, and a look as edge computing as the next tech innovation.
Symantec, Ixia combine efforts to secure hybrid networks
Ixia’s CloudLens and Symantec Security Analytics now feature complete integration, which allows Symantec customers to gain real-time visibility into their hybrid cloud environments.