Security procedures are key to data center security, expert says

JP Callahan, a former counter-intelligence agent with the U.S. Department of Defense, runs data center security for Verizon Business, the company's data center hosting arm. In this interview, he says that data center security procedures are the key to keeping your data center safe.

Adam Trujillo, Assistant Editor

Should physical security and virtual data center security be considered together or apart?

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.



J.P. Callahan

They need to be [considered] as mutually supporting programs. Physical security and network access has the same problems as the logic applied. Often times, the logical proof and the physical proof have such different lexicons and have such a different vocabulary that they never really get together. And you wind up having to bridge all the gaps during audits. In this age of compliance and assurance, whether it's HIPAA or Sarbanes-Oxley (SoX) or National Institute of Standards and Technology (NIST), every audit of the IT system has some physical security component, so it's absolutely vital that the physical security program be crafted around the logical security controls. Are there any new technologies that have changed or will change the way you look at data center security? Like virtualization, for example?

More on data center security:

Verizon security chief says protect your data first

Data center physical security fast guide

Virtualization; it's primarily geared towards the logical side. It has does have security implications. You could be running a Mac machine with a Mac OS underneath, and on top of it overlaying a Windows or a Linux. Or you could have a Linux and run Solaris. And basically what you're doing is building what they refer to as a "sandbox" where you're "playing in the sandbox." If you want to test something that involves configuring a system, you don't have to completely crash the box and bring it back up. From a security perspective, if someone were to get into that virtual sandbox it's a real easy fix to go back to your baseline, because changes that a bad buy would make in that environment don't necessarily make it through the next reboot. When designing a new data center or re-designing an existing one, what is the most important security measure that people overlook?
The processes that are behind the devices. People will install the patches, they will install the card readers, they will install the biometrics, they will install a lot of things, but they never document how to implement these things to meet their compliance requirements. If you have a card reader or you have biometrics, but if anyone and their brother can call up the guard and the guard adds them to the list, that's not really a control mechanism.

If the air-conditioning repair guy shows up and says I need to get in there, and the guard adds him to the list. Then the air-conditioning guy is on the list. Who really authorized that? There needs to be a process that is attributable towards checks and balances that ensure that the people who have access to the data center are supposed to have access. People build these huge data centers and they do a lot of hardening of the facilities, but they don't put a lot of thought behind those processes that make those things function the way they should. In a previous interview, you mentioned that a lot of companies are trying to build their data centers into fortresses. Is that still the case?
Companies spend an awful lot of money hunkering down. My motto is, don't hunker down; spread out. And if you spread out, then you decrease your risk profile by making it much more difficult to do significant damage in a single event.

Often times, when people are designing security protocols, they fail to take into consideration the existence of the back up when their doing their risk assessment. If the mindset of the security guy is that this data center is the crown jewel, there are some things you have to worry about, but it's not nearly as important to the operation of the data center. Especially if you consider that there are other data centers out there than can pick up the slack.

My theory is that you don't hunker down, spread out, don't spend all that money hardening your target. Spend it on background checks for you employees if you have to. That's my soapbox.

Dig Deeper on Enterprise data storage strategies

All
News
Get Started
Evaluate
Manage
Problem Solve

Evaluate read-intensive and write-intensive SSD use cases

What Linux storage benchmarking tools are best?

Five debunked myths about SSD issues

Micro data centers garner macro hype and little latency

Micro data centers garner macro hype and little latency

Future data center systems await memory innovation

Hyper-converged systems will underpin hybrid cloud, says Dell EMC exec

Make the bed, enterprise OpenStack deployment is moving in

Test yourself on new data center storage architecture

Software-defined memory trends yield speed, high performance

Persistent memory trend preps for launch, but no takeoff yet

Before you deploy OpenStack, address cost, hybrid cloud issues

Evaluate read-intensive and write-intensive SSD use cases

What Linux storage benchmarking tools are best?

Software-defined memory spurs mix of IT challenges, opportunities

Building a disaster recovery architecture with cloud and colocation

Five debunked myths about SSD issues

Weigh vendors, tools in software-defined storage products

Software-defined memory spurs mix of IT challenges, opportunities

Four options to optimize SSD performance in the data center

Five debunked myths about SSD issues

The evolution of data center storage architecture

How should I go about shipping hard drives?

Data storage companies add intelligence to on-site arrays

Please create a username to comment.

July Patch Tuesday brings three public disclosures

Authenticating email in Exchange for brand protection

Taking stock of Windows Server management tools

VMworld 2018 conference coverage

Set up Hyper-V nested virtualization for production

Use an IT outage communication plan to recover from a host crash

Evaluate Google Cloud TPUs for machine learning apps

Overcome app deployment challenges in a multi-cloud strategy

Microsoft bills Azure network as the hub for remote offices

Related Resources

Dig Deeper on Enterprise data storage strategies

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.