Should physical security and virtual data center security be considered together or apart?
The processes that are behind the devices. People will install the patches, they will install the card readers, they will install the biometrics, they will install a lot of things, but they never document how to implement these things to meet their compliance requirements. If you have a card reader or you have biometrics, but if anyone and their brother can call up the guard and the guard adds them to the list, that's not really a control mechanism.
If the air-conditioning repair guy shows up and says I need to get in there, and the guard adds him to the list, then the air-conditioning guy is on the list. Who really authorized that? There needs to be a process that is attributable towards checks and balances that ensure that the people who have access to the data center are supposed to have access. People build these huge data centers and they do a lot of hardening of the facilities, but they don't put a lot of thought behind those processes that make those things function the way they should.
In a previous interview, you mentioned that a lot of companies are trying to build their data centers into fortresses. Is that still the case?
Companies spend an awful lot of money hunkering down. My motto is, don't hunker down; spread out. And if you spread out, then you decrease your risk profile by making it much more difficult to do significant damage in a single event.
Oftentimes, when people are designing security protocols, they fail to take into consideration the existence of the backup when they're doing their risk assessment. If the mindset of the security guy is that this data center is the crown jewel, there are some things you have to worry about, but it's not nearly as important to the operation of the data center. Especially if you consider that there are other data centers out there that can pick up the slack.
My theory is that you don't hunker down, you spread out; don't spend all that money hardening your target. Spend it on background checks for your employees if you have to. That's my soapbox.