A multi-tiered approach
Take a multi-tiered approach to data centre security, not just in the technology deployed, but the processes used as well, says MPA New Zealand's Tony S Krzyzewski.
In a world where the techniques required to protect systems have gone beyond the simple deployment of an antivirus application, a multi-tiered approach to information security within the data centre becomes an essential requirement if information is to be protected from loss, leakage or unauthorised manipulation.
All too frequently we see organisations adding information security controls as an afterthought, rather than considering information security as an essential core piece of their data centre architecture.
Consider the controls to protect the confidentiality, integrity and availability of information, not only at the technical level, but also at the all-too-often overlooked policy, procedure and process level when implementing data centre systems. This will not only enhance the level of protection offered to your information but will also reduce the personnel overhead required long term to efficiently manage your systems.
Having well-defined, easily understood and readily available high-level policies as the foundation gives you a clear understanding of what you are trying to protect, establishes the baseline for any protection mechanisms and allows you to define the controls required to ensure that these information security protection mechanisms are functioning as expected.
Once policy has been defined it is possible to identify the technology that will allow it to be complied with. This technology will vary depending on specific information protection requirements within your organisation, and may include malicious code protection, both at the host and perimeter level, application and database change control and monitoring, user access control and monitoring, application whitelisting, encryption systems and information leakage control systems.
With protection technology identified, the establishment of clearly defined procedures and system-specific processes goes a long way towards ensuring all of the people involved in the protection of your vital information resources are working in a coordinated manner.
These procedures and processes need to be fully documented and available to all staff involved in the management of your systems. Information systems personnel are renowned for their unwillingness to document systems once implemented, but this step cannot be overlooked if you are to have effective management of systems in place.
There are two levels of control in ensuring you know everything is operating correctly.
The first, an absolutely essential part of your operational management system, is the requirement to continuously monitor, log and report on events that are occurring in relation to your information and how it is being accessed.
These reports should be a combination of automated system reports and random spot checks on how effectively the system controls are operating. It is far better to detect process, system and technical issues before they become a major security event, and anything you learn from the regular reports can be fed straight back into the processes to further enhance security.
The second control you need to consider is an independent technical security audit of the technology and associated processes you have in place. This audit, preferably performed annually, provides a new set of eyes to look at how your protection mechanisms are actually functioning, whether they meet best practice guidelines, whether any unidentified vulnerabilities exist, and where further improvements can be made.
Tony S Krzyzewski is director and chief technical officer for MPA New Zealand and Kaon Security, leaders in security technology and professional services.