Tuesday, February 24, 2015

Data Centre Security

Data Centre Security – Part 1

When I worked on a data center security program for a major vendor, two questions came into perspective. One was how much security is not too much, and the other was whether we could continue making changes without affecting sales.
This program was the result of the Australian government's regulatory requirements and had a strict deadline to meet; unmet requirements carried penalties. With enormous pressure coming from the CxOs, who had an immense interest in the outcome, we, a team of six from security and governance/compliance, jumped into a review program with an open mind.
In the first few weeks, an interesting fact came to light: there was no high-level, data-center-specific security policy in the enterprise policy set. To make things worse, there were 10+ contractors working on an ad hoc basis who dealt with hardware, delivery, installation, cabling, racks, power, heating and cooling, while facilities management was outsourced to an interstate company.
One might expect this in the early 90s at some small or medium business, but this was as real as it got in 2011 for a major software vendor. The previous audits had never raised any issues, since no incidents had been identified and BAU and projects were running on schedule.
My first reaction was to ask how we would propose changes without affecting the natural workflow that had brought income for years. Seeing the current risk as an opportunity to improve the security posture, as well as a means to improve sales by setting standards, I took this as a challenge. From my experience implementing TOGAF, the key is to involve every important superuser, employee and contractor so that they see what you see and feel. This might sound very dramatic, but it does help bring all the stakeholders and contractors onto the same page as yours.
Strongly believing that policies must be set first, my first report as a consulting architect recommended a workshop involving stakeholders and contractors. I briefed both parties individually and set the expectations straight: no one is at fault, but as a team this regulatory requirement can be met. This is very important because everyone is responsible, individually as well as a group, for making it right.
I proposed the following changes:
  • Corporate security policy to include the data centre
  • Asset classification, control and management as part of the 2nd level policy
  • Extending organizational security to include data centre policies
  • Disaster recovery, with emphasis on business continuity, as part of the data centre policies
  • GRC policies to align with government requirements, which should include data centres
  • Operational security to include apps and data based in the data centre
  • Data centre physical and environmental security policy
With this done, we simultaneously convinced the CSO of the benefits and secured funding for our program. With great difficulty the project succeeded, and by 2013 the primary data centre was fully compliant and was considered one of the well-managed programs of the enterprise.

Data Centre Security – Part 2

How was it done?
The first step after approval of our findings was to work with the PMO to slow down the current projects affected by the requirements, and to have enterprise architecture kick-start the ADM process to include the data center policies and procedures at a high level. With this done, our team started setting up workshops with facilities management and data center contractors to update their policies and workflows to reflect the new policies the company had put in place.
One of the major stakeholders was the enterprise security team, which had very loose ends in the data center program. It had never been an issue because the outsourcing model never held the third party responsible for non-compliance, as every state had its own way of interpreting state rules and laws.
Since this vendor had a base in four different states, it was difficult to maintain policies under a single GRC policy, and each state reported compliance in its own terms. Setting all this aside, this security program consolidated data and physical security at the headquarters and stipulated that policy be held at the head office.
What is important at this stage is to understand that when setting a policy at the enterprise level, no matter what lower-level policies exist, it is important to apply the set-theory concept, which benefits all the stakeholders and at the same time complies with the law.
Points to take away:
  • Enterprise architecture needs to be updated
  • National/Federal law supersedes state laws and requirements
  • All stakeholders at the enterprise level are important, whether they fund the program or not
  • The PMO office is as important as the program itself
  • Security is a key component of the whole enterprise
  • Stakeholder commitment is needed at all stages
  • Security publications within the company need to be kept up to date, and apply to employees and contractors
