
Implementing a data security policy beyond the corporate data center

BYOD and cloud applications are taking your data out of the data center. Time to treat the data center -- and affiliate services -- as IP guardians.

Just what is a data center for?

Is it there to house IT equipment in a manner befitting the hardware? I would say no. How about as an environment where the platform running the organization's applications can be implemented and managed? Again, I don't think this hits the mark.

How about a place that enables the organization to create and manage corporate intellectual property (IP) to the best financial benefit?

Yes, we're talking about a load of servers, storage and network equipment supported by uninterruptable power systems, environmental and cooling systems and auxiliary generators. But if we regard the data center in this light, we fail to support the business in the right way.

Today's data center ecosystem must be built and managed around the data and information hosted there. Forget about running a data center. It is far more likely that you'll manage a hybrid mix of the following:

  • The existing data center: A privately owned facility, with owned equipment managed by dedicated staff.
  • Colocation facility: A third-party owned and managed facility housing your organization's IT equipment, which your staff operates.
  • Hosted systems: A third party manages the dedicated hardware platforms; the various aspects of the software stack are managed by the service provider's staff or your staff.
  • Public commercial cloud: Paid-for platforms ranging across Infrastructure, Platform and Software as a Service (IaaS, PaaS and SaaS) with differing levels of control over the service's technical aspects.
  • Public free cloud: SaaS or what the article terms Function as a Service (FaaS): a single function, such as mapping from Google Maps or Bing Maps, consumed free of charge on a best-efforts basis with no contractual service level and no control over the service's technical aspects.

This mix of data centers means data and information will reside in various locations. No longer can an organization simply centralize all its data into a single storage area network. And this means a much broader data security policy than in earlier years.

The business cannot draw a line around a specific group of people and say, "This is our organization." Instead, an extended value chain of contractors, consultants, suppliers and their suppliers, logistics companies, customers and often your customers' customers require data and information flows that are often outside of the organization's direct control.

This is all made more complex by the bring your own device (BYOD) trend: a steady tide of end users buying their own devices, expecting them to work with the enterprise's systems, and installing consumer apps from app stores alongside them. BYOD puts copies of corporate data and information in places the IT department does not know about and cannot control, so the protection applied inside the data center no longer covers the data it was meant to protect.

Managing the new data security reality

IT teams must accept that the data center itself is just part of the equation, and start to move to a data security policy that pays far more attention to the data and information the organization relies on.

Don't start by working out how to deploy firewalls -- first decide where along the extended value chain a boundary should sit at all. And don't apply security only at the network, hardware or application perimeter: a perimeter-only control gives anyone who breaches it free run of everything held in that store, whatever its sensitivity.

Data and information now must be secured and managed at a far more granular level. Users should be identified at several levels -- as an individual, by their role within a team and by their level of corporate security clearance. Add contextual knowledge, such as where the person is accessing the data from and from what sort of device. Then classify the data against an agreed security taxonomy, which can be as simple as tagging each item public, commercial in confidence or for your eyes only. Data that carries no tag should be handled at the most restrictive level until it is classified; if unlabelled data defaults to public, the scheme protects nothing.

To implement more control, use virtual private networks and virtual desktops. These technologies give you a defined touch point through which corporate assets are accessed, and at that touch point the organization can apply the controls the classification demands: encryption of data at rest and in transit, data leak prevention, digital rights management (DRM), and access rules based on the person's rights and their context.

Mobile device management (MDM) can track which devices are connecting to the network and quarantine them from full access to systems until the device and its user are properly identified. For sensitive data that identification should go beyond the usual username and password to multifactor authentication, such as single-use access codes or biometrics.

With this data security strategy, information assets are only accessible to the right people, in the right place, on the right device. Even if someone else gets hold of the digital representation of the asset, it is encrypted, and where necessary its use is bound by a DRM licence that the holder cannot satisfy.
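The decision the preceding paragraphs describe -- combine who the user is (identity, role, clearance), the context of the request (device posture from MDM, network, second factor) and the classification tag on the data, then release the data only with the controls that classification demands -- is attribute-based access control. The following is an added example written for this page, not code from the article or from any product it mentions; the three-level taxonomy, the tag spellings, the context fields and the obligation names are assumptions for illustration.

```python
"""Attribute-based access decision over classified data (added illustration).

Assumptions: a three-level taxonomy (public < commercial in confidence <
for your eyes only), context supplied by an MDM/VPN touch point, and
obligation names that an enforcement point would map to real controls.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class Classification(IntEnum):
    """Ordered taxonomy; a higher value is more sensitive."""
    PUBLIC = 0
    COMMERCIAL_IN_CONFIDENCE = 1
    FOR_YOUR_EYES_ONLY = 2


# Tag strings as they might be stamped on documents (assumed spellings).
TAG_TO_CLASS = {
    "public": Classification.PUBLIC,
    "commercial in confidence": Classification.COMMERCIAL_IN_CONFIDENCE,
    "for your eyes only": Classification.FOR_YOUR_EYES_ONLY,
}


def classify(tags: List[str]) -> Classification:
    """Highest recognised tag wins. Unlabelled or unrecognised data fails
    closed to the most restrictive level instead of silently becoming public."""
    levels = [TAG_TO_CLASS[t.strip().lower()] for t in tags
              if t.strip().lower() in TAG_TO_CLASS]
    return max(levels) if levels else Classification.FOR_YOUR_EYES_ONLY


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    clearance: Classification


@dataclass(frozen=True)
class Context:
    device_managed: bool  # enrolled in MDM and reporting a compliant posture
    network: str          # "corporate", "vpn" or "internet"
    mfa: bool             # a second factor was presented this session


@dataclass(frozen=True)
class Asset:
    name: str
    classification: Classification
    need_to_know: FrozenSet[str]  # roles permitted; empty = any cleared role


def decide(subject: Subject, context: Context, asset: Asset) -> Tuple[bool, str, List[str]]:
    """Return (allowed, reason, obligations). Obligations are controls the
    enforcement point must apply before the data is released."""
    # 1. Clearance ceiling: the label must not exceed the user's clearance.
    if asset.classification > subject.clearance:
        return False, "classification exceeds clearance", []
    # 2. Need to know: clearance alone is not entitlement.
    if asset.need_to_know and not (subject.roles & asset.need_to_know):
        return False, "no role with need-to-know", []
    obligations: List[str] = []
    # 3. Context rules tighten as the classification rises.
    if asset.classification >= Classification.COMMERCIAL_IN_CONFIDENCE:
        if not context.mfa:
            return False, "MFA required above public", []
        if context.network == "internet":
            return False, "non-public data only over corporate network or VPN", []
        obligations.append("encrypt-in-transit")
    if asset.classification == Classification.FOR_YOUR_EYES_ONLY:
        if not context.device_managed:
            return False, "unmanaged device quarantined from restricted data", []
        obligations += ["encrypt-at-rest", "drm-no-export"]
    return True, "allowed", obligations


if __name__ == "__main__":
    # Constructed sample: one analyst, one restricted file, two devices.
    analyst = Subject("alice", frozenset({"finance"}), Classification.FOR_YOUR_EYES_ONLY)
    forecast = Asset("q3-forecast.xlsx", classify(["For Your Eyes Only"]), frozenset({"finance"}))
    byod_phone = Context(device_managed=False, network="vpn", mfa=True)
    managed_laptop = Context(device_managed=True, network="vpn", mfa=True)
    print(decide(analyst, byod_phone, forecast))      # denied: unmanaged device
    print(decide(analyst, managed_laptop, forecast))  # allowed with obligations
```

The same cleared user is refused the same file from an unenrolled phone and granted it from a managed laptop, which is the point of putting device context into the decision rather than into a network boundary. The fail-closed default in `classify` is deliberate: an unlabelled document is the most common way a scheme like this leaks.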

When you think of IP management, what must be in place is not a data center, but an architectural platform that transcends the single facility into a hybrid mix of needs met by a range of facilities and providers. New systems, new applications and information security agreements make it all work. Much of this can now be done outside of the corporately owned data center, with managed security providers that operate on a subscription basis, instead of making huge capital investments.

About the author:

Clive Longbottom is the co-founder and service director of IT research and analysis firm Quocirca, based in the U.K. Longbottom has more than 15 years of experience in the field. With a background in chemical engineering, he's worked on automation, control of hazardous substances, document management and knowledge management projects.
