How Automated Verification for Data Centers Improves Security
If your data center is relying on manual methods to know that security is working as it should, the time is right to move to the higher efficiency and lower risk provided by automated verification.
No matter the type of mission, organization size or whether security is in-house or outsourced, perhaps the most sensitive and critical areas of an enterprise are its data center and communications operations.
The impact of a security breach is unacceptable in any part of an organization’s operations, but a breached data center can have implications ranging from a damaged corporate reputation to the organization being put out of business.
Once breached, the depth and severity of the breach can be hard for a corporate security team to either measure or contain.
A data center houses numerous computer systems and associated components, such as telecommunications and data storage equipment. It almost always includes redundant or backup power supplies, essential data communications connections, environmental controls such as air conditioning and fire suppression, and surveillance and access control devices inside and outside the facility.
Most importantly, it contains data that often has compliance and regulatory controls over it, with steep penalties for falling out of compliance.
Increasingly, enterprises are going beyond traditional centralized data centers and smaller regional data centers, and are employing edge data centers to deliver services more efficiently to users. With users located around the world, time- and latency-sensitive applications have driven an awareness among IT departments (or security departments) of the need to optimize computing, content and users in order to deliver an efficient and safer experience.
For example, gaming facilities require low latency and high bandwidth for surveillance cameras — an ideal candidate for an edge data center located near the source of the data instead of a centralized data center located elsewhere.
Likewise, a large corporate bank may operate with edge data centers that manage data for specific banking functions (e.g. mortgages) which are located around the U.S., away from a corporate office, but still connected to the corporate firewall and its IT and cybersecurity functions.
The advantages of such edge data centers can include lower bandwidth costs, better access to content providers and carriers, the benefit of less expensive space away from expensive primary markets and more.
It’s not that centralized data centers are going away; it’s more that edge data centers complement them and deliver services most efficiently in places and applications where data growth allows for local storage, processing and use. Applications where the data must always be consolidated in a central location will continue to benefit from using central data centers.
Regardless of the type of data center, there is the obvious requirement for physical and logical security for the facility, its authorized staff, remote telecommunications and other infrastructure. While many organizations are taking advantage of outsourced Cloud-based data centers for handling segments of their operations, those utilizing edge data centers can employ these as a form of on-premises data centers located closer to the user, with the same corporate security needs extended to the edge.
Because the edge data center is the last handoff before the user is touched, what is handled through that data center is a target-rich environment of user information, application data and other confidential materials.
Data Center Compliance Requirements
Some major requirements for data center operations are compliance with standards such as TIA 942, SSAE-18, PCI DSS (Payment Card Industry), and SOC 2 Compliance. SSAE-18 (Statements on Standards for Attestation Engagements No. 18) and SOC 2 require an auditor to obtain a written assertion from data center management regarding the design and operating effectiveness of the data center controls.
SSAE-18 also requires a service organization to provide a service auditor with a data center risk assessment that highlights the center’s key internal risks. The risk assessment helps ensure that the data center’s controls are regularly reviewed, address appropriate risks and are updated as necessary to mitigate changing risks.
PCI DSS is the standard to protect payment card data, and it can be complicated. PCI DSS compliance is required for any organization that stores, processes or transmits cardholder data, including data centers. It not only requires using secure passwords, keeping systems patched and even having employee background checks, but also requires extensive video surveillance. Ensuring that video is recording and being stored properly is something auditors are required to examine.
The nature of compliance, regardless of standards, is that it defines the normal state of operations. Passing an audit is simply an indication that at a specific point in time the state of operations is within the compliance standard. But the underlying need is to always be compliant, and for that to happen automated verification is needed.
Ensuring that a data center follows industry standards and security protocols and is in compliance means regular internal and external audits, some of which can take hundreds of hours when done manually. That strategy is not only time-consuming, it is prone to errors.
In addition, many organizations that employ surveillance systems at data centers are required by regulations, industry standards, or internal compliance standards to retain video evidence for a period of time (typically 30 to 90 days). Auditors for industry standards such as PCI and others are now required to confirm that organizations systematically retain video data for the required retention period in order to achieve compliance certification.
An automated verification solution for physical security controls can help a data center, through automated audits and reports, ensure that proper security procedures are in place and being followed. Depending on the size and scale of an organization’s data centers, manually producing evidence to show compliance can take dozens (if not hundreds) of hours. The University of California estimated over 260 hours of manual effort to cover the physical security controls in its compliance requirements.
Automated system and data verification solutions ensure that data center video surveillance systems are fully functioning, all of the time. This technology enables data centers to discover, map and instrument their video network, and provides performance metrics, dashboard status, bulletins, summary reports, real-time detection, remote alerting and a troubleshooting database, all of which help a data center to achieve compliance with PCI, TIA 942, SSAE-18, SOC 2 and more.
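The retention check described above (stored video for every camera across the full 30- to 90-day window) can be run continuously against a recorder's storage index instead of being sampled by hand before an audit. The following is an added example, not code from the article or from any vendor's product; the segment format, camera names and one-minute gap tolerance are assumptions.

```python
from datetime import datetime, timedelta

def audit_retention(segments, cameras, now, retention_days=30,
                    max_gap=timedelta(minutes=1)):
    """Find uncovered time per camera inside the retention window.

    segments: (camera_id, start, end) rows from a recorder's storage index
    cameras:  expected camera ids from the device inventory, so a camera
              that never recorded still shows up in the report
    """
    window_start = now - timedelta(days=retention_days)
    spans = {cam: [] for cam in cameras}
    for cam, start, end in segments:
        if cam in spans and end > window_start and start < now:
            spans[cam].append((max(start, window_start), min(end, now)))
    report = {}
    for cam, cam_spans in spans.items():
        gaps, cursor = [], window_start
        for start, end in sorted(cam_spans):
            if start - cursor > max_gap:      # nothing stored between cursor and start
                gaps.append((cursor, start))
            cursor = max(cursor, end)
        if now - cursor > max_gap:            # recording stopped before "now"
            gaps.append((cursor, now))
        report[cam] = {"compliant": not gaps, "gaps": gaps}
    return report

# Constructed sample data (hypothetical camera names, one 24-hour file per day).
NOW = datetime(2024, 6, 30)
T0 = NOW - timedelta(days=30)

def daily(cam, first, last):
    return [(cam, T0 + timedelta(days=d), T0 + timedelta(days=d + 1))
            for d in range(first, last)]

CAMERAS = ["lobby-cam", "cage-cam", "dock-cam", "roof-cam"]
SEGMENTS = (daily("lobby-cam", 0, 30)                               # full 30 days
            + daily("cage-cam", 0, 12) + daily("cage-cam", 14, 30)  # 2-day outage
            + daily("dock-cam", 10, 30))                            # oldest 10 days purged
# roof-cam is in the inventory but has no stored video at all

if __name__ == "__main__":
    for cam, result in audit_retention(SEGMENTS, CAMERAS, NOW).items():
        status = "OK" if result["compliant"] else "FAIL"
        print(cam, status, [(str(a), str(b)) for a, b in result["gaps"]])
```

Driving the check from the inventory list rather than from the stored files is what exposes a camera that is on the network but silently not recording.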
For all data centers, another key consideration is ongoing sustainable cyber-hygiene. According to the Center for Internet Security (CIS), the first step in establishing cyber-hygiene is to know what is on your network. With many physical security deployments, there are multiple generations and manufacturers of the equipment used — leading to a lack of understanding of what is on the network and what it is doing there.
An additional advantage of an automated system and data verification solution is that it can automatically inventory what is on the network (including its physical location). This provides the reporting framework to look at what firmware revision is on each device (security holes are often fixed by firmware updates, thus making it a high priority to know what version number your system is on), if default passwords are being used and other aspects of maintaining the physical security network to prevent cyber-breaches.
With automated data verification, data centers can improve physical surveillance and security reliability and performance, gain critical insight into physical security systems, capture valuable operational performance information, eliminate lapses in security coverage and automate reporting for compliance and auditing.
Most importantly, physical security is maintained at the highest possible level, preventing physical safety issues and loss of brand reputation. In summary, if your data center is relying on manual methods to know that security is working as it should, the time is right to move to the higher efficiency and lower risk provided by automated verification.
Bud Broomhead is CEO of Viakoo, a provider of real-time business analytics solutions.