JP Callahan, a former counter-intelligence agent with the U.S. Department of Defense, runs data center security for Verizon Business, the company's data center hosting arm. SearchDataCenter.com caught up with Callahan at Data Center Decisions 2006.
Should physical security and virtual data center security be considered together or apart?
Callahan: They need to be considered as mutually supporting programs. Physical security and network access have the same problems as the logic applied. Oftentimes, the logical proof and the physical proof have such different lexicons and such a different vocabulary that they never really get together. And you wind up having to bridge all the gaps during audits. In this age of compliance and assurance, whether it's HIPAA or Sarbanes-Oxley (SOX) or National Institute of Standards and Technology (NIST), every audit of the IT system has some physical security component, so it's absolutely vital that the physical security program be crafted around the logical security controls.
Are there any new technologies that have changed or will change the way you look at data center security? Like virtualization, for example?
Callahan: Virtualization is primarily geared towards the logical side. It does have security implications. You could be running a Mac machine with a Mac OS underneath, and on top of it overlaying Windows or Linux. Or you could have Linux and run Solaris. And basically what you're doing is building what they refer to as a "sandbox" where you're "playing in the sandbox." If you want to test something that involves configuring a system, you don't have to completely crash the box and bring it back up. From a security perspective, if someone were to get into that virtual sandbox, it's a real easy fix to go back to your baseline, because changes that a bad guy would make in that environment don't necessarily make it through the next reboot.
When designing a new data center or re-designing an existing one, what is the most important security measure that people overlook?
Callahan: The processes that are behind the devices. People will install the patches, they will install the card readers, they will install the biometrics, they will install a lot of things, but they never document how to implement these things to meet their compliance requirements. If you have a card reader or you have biometrics, but anyone and their brother can call up the guard and the guard adds them to the list, that's not really a control mechanism.
If the air-conditioning repair guy shows up and says, "I need to get in there," and the guard adds him to the list, then the air-conditioning guy is on the list. Who really authorized that? There needs to be a process that is attributable, with checks and balances that ensure that the people who have access to the data center are supposed to have access. People build these huge data centers and they do a lot of hardening of the facilities, but they don't put a lot of thought behind those processes that make those things function the way they should.
In a previous interview, you mentioned that a lot of companies are trying to build their data centers into fortresses. Is that still the case?
Callahan: Companies spend an awful lot of money hunkering down. My motto is, don't hunker down; spread out. And if you spread out, then you decrease your risk profile by making it much more difficult to do significant damage in a single event.
Oftentimes, when people are designing security protocols, they fail to take into consideration the existence of the backup when they're doing their risk assessment. If the mindset of the security guy is that this data center is the crown jewel, there are some things you have to worry about, but it's not nearly as important to the operation of the data center. Especially if you consider that there are other data centers out there that can pick up the slack.
My theory is that you don't hunker down, you spread out; don't spend all that money hardening your target. Spend it on background checks for your employees if you have to. That's my soapbox.
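The "who really authorized that?" problem Callahan raises about the guard adding the air-conditioning repairman to the list can be made concrete in code. The following is an added example, not Verizon Business's system or anything from the interview: a small access roster where every addition must be approved by an identity from a separate approver list, the requester and the subject can never approve their own change, the grant expires, and every attempt, granted or denied, goes into an audit log that names the requester and approver. The names (guard_on_duty, facilities_manager, hvac_tech, work order WO-1234) and the scenario are constructed for the demo.

```python
# Added example: an access roster whose changes require an authorized,
# independent approver and are written to an append-only audit trail.
# Names (guards, approvers, ticket numbers) are constructed for the demo.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


class AccessChangeError(Exception):
    """Raised when a roster change fails the authorization checks."""


@dataclass
class AuditEntry:
    at: datetime
    action: str          # "granted" or "denied"
    subject: str         # who gets (or is refused) access
    requested_by: str    # who asked for the change, e.g. the guard on duty
    approved_by: str     # who authorized it (or who tried to)
    reason: str          # ticket number, work order, or the denial reason
    expires: Optional[datetime] = None


@dataclass
class Grant:
    approved_by: str
    expires: datetime


@dataclass
class AccessRoster:
    approvers: Set[str]                                   # identities allowed to authorize access
    members: Dict[str, Grant] = field(default_factory=dict)
    audit_log: List[AuditEntry] = field(default_factory=list)

    def request_add(self, subject, requested_by, approved_by, reason, valid_hours=8, now=None):
        """Add `subject` to the roster if an independent, listed approver signs off.

        Every outcome is logged so the question "who authorized that?" has an answer.
        """
        now = now or datetime.now(timezone.utc)
        denial = None
        if approved_by not in self.approvers:
            denial = f"{approved_by} is not an authorized approver"
        elif approved_by == requested_by:
            denial = "requester may not approve their own request"
        elif approved_by == subject:
            denial = "subject may not approve their own access"
        elif not reason.strip():
            denial = "an approval reason (ticket or work order) is required"
        if denial:
            self.audit_log.append(AuditEntry(now, "denied", subject, requested_by, approved_by, denial))
            raise AccessChangeError(denial)
        expires = now + timedelta(hours=valid_hours)   # access is time-boxed, not permanent
        self.members[subject] = Grant(approved_by, expires)
        self.audit_log.append(AuditEntry(now, "granted", subject, requested_by, approved_by, reason, expires))
        return expires

    def is_authorized(self, subject, now=None) -> bool:
        """True only while an unexpired grant exists for `subject`."""
        now = now or datetime.now(timezone.utc)
        grant = self.members.get(subject)
        return grant is not None and now < grant.expires

    def who_authorized(self, subject) -> Optional[str]:
        grant = self.members.get(subject)
        return grant.approved_by if grant else None

    def denied_attempts(self) -> List[AuditEntry]:
        return [e for e in self.audit_log if e.action == "denied"]


def demo():
    """Constructed scenario: the guard adds the HVAC tech on his own say-so, then with real approval."""
    t0 = datetime(2006, 6, 1, 9, 0, tzinfo=timezone.utc)
    roster = AccessRoster(approvers={"facilities_manager", "dc_security_lead"})
    try:
        # The guard "adds him to the list" with no one else involved: rejected and logged.
        roster.request_add("hvac_tech", requested_by="guard_on_duty", approved_by="guard_on_duty",
                           reason="said he needed to get in", now=t0)
    except AccessChangeError:
        pass
    ok_before = roster.is_authorized("hvac_tech", now=t0)
    # The same request routed to a listed approver with a work order: granted for four hours.
    expires = roster.request_add("hvac_tech", requested_by="guard_on_duty", approved_by="facilities_manager",
                                 reason="work order WO-1234", valid_hours=4, now=t0)
    return {
        "authorized_after_self_approval": ok_before,
        "authorized_after_approval": roster.is_authorized("hvac_tech", now=t0 + timedelta(hours=1)),
        "authorized_after_expiry": roster.is_authorized("hvac_tech", now=expires),
        "approved_by": roster.who_authorized("hvac_tech"),
        "denied_attempts": len(roster.denied_attempts()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the guard remains the requester but can never be the approver, and the audit entry records both roles, so an auditor can attribute every name on the list to a specific authorization rather than to whoever happened to be at the desk.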