Story image

A multi-tiered approach

12 Aug 14

Take a multi-tiered approach to data centre security, not just in the technology deployed, but the processes used as well, says MPA New Zealand's Tony S Krzyzewski.

In a world where the techniques required to protect systems have gone beyond the simple deployment of an antivirus application, a multi-tiered approach to information security within the data centre becomes an essential requirement if information is to be protected from loss, leakage or unauthorised manipulation.

All too frequently we see organisations adding information security controls as an afterthought, rather than considering information security as an essential core piece of their data centre architecture.

Consider the controls to protect the confidentiality, integrity and availability of information, not only at the technical level, but also at the all-to-often overlooked policy, procedure and process level
when implementing data centre systems. This will not only enhance the level of protection offered to your information but will also reduce the personnel overhead required long term to efficiently manage your systems.

Having well defined, easily understood, and readily available high level policies as the foundation gives you a clear understanding of what you are trying to protect, establishes the baseline for any protection mechanisms and allows you to define the controls required in order to ensure that these information security protection mechanisms are functioning as expected.

Once policy has been defined it is possible to identify the technology that will allow it to be complied with. This technology will vary depending on specific information protection requirements within your organisation, and may include malicious code protection, both at the host and perimeter level, application and database change control and monitoring, user access control and monitoring, application whitelisting, encryption systems and information leakage control systems.

Control it

With protection technology identified, the establishment of clearly defined procedures and system-specific processes go a long way towards ensuring all of the people involved in the protection of your vital information resources are working in a coordinated manner.

These procedures and processes need to be fully documented and available to all staff involved in the management of your systems. Information systems personnel are renowned for their unwillingness to document systems once implemented but this step cannot be overlooked if you are to have effective management of systems in place.

There are two levels of control in ensuring you know everything is operating correctly.

The first, an absolutely essential part of your operational management system, is the requirement to continuously monitor, log and report on events that are occurring with relation to your information and how it is being accessed.

These reports should be a combination of automated system reports and random spot checks on how effectively the system controls are operating. It is far better to detect process, system and technical issues before they become a major security event and anything you learn from the regular reports can be fed straight back into the processes to further enhance security.

The second control you need to consider is an independent technical security audit of the technology and associated processes you have in place. This audit, preferably performed annually, provides a new set of eyes to look at how your protection mechanisms are actually functioning, whether they meet best practice guidelines, whether any unidentified vulnerabilities exist, and where further improvements can be made.

Tony S Krzyzewski is director and chief technical officer for MPA New Zealand and Kaon Security, leaders in security technology and professional serivces.

Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
The disaster recovery-as-a-service market is on the rise
As time progresses and advanced technologies are implemented, the demand for disaster recovery-as-a-service is also expected to increase.
Apax Partners wins bidding war for Trade Me buyout
“We’re confident Trade Me would have a successful standalone future," says Trade Me chairman David Kirk
The key to financial institutions’ path to digital dominance
By 2020, about 1.7 megabytes a second of new information will be created for every human being on the planet.
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
What disaster recovery will look like in 2019
“With nearly half of all businesses experiencing an unrecoverable data event in the last three years, current backup solutions are no longer fit for purpose."
NVIDIA sets records with their enterprise AI
The new MLPerf benchmark suite measures a wide range of deep learning workloads, aiming to serve as the industry’s first objective AI benchmark suite.
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.