I’m a CIO. Get my IT out of here…securely

Content Copyright © 2015 Bloor. All Rights Reserved.
Photo: Cory M. Grenier

In our first article about the key things you need to consider when contemplating a move away from owning and running your own data centres, we focused on the importance of location. That inevitably led to an appreciation of the importance and role of security in the decision.
Listening to companies contemplating the move of some or all of their systems away from their own data centres, be it to a co-location facility, a hoster or the public cloud, it is clear that the fundamental, nagging concern is…how safe will my data be? This isn’t just a question of whether it is safe from a cyber-attack of some form, physical theft or natural disaster, but also one of wider issues of information governance.

If physical security is your biggest concern, be aware that not all data centres are built equal. Take The Bunker in England, for example. Buried deep in two nuclear bunkers, surrounded by razor wire and patrolled by dogs, these are clearly very physically secure locations. There are others of a similar nature, like Bahnhof in Sweden or Mount10 in Switzerland.

Some providers, like FireHost, which has just been renamed Armor, market themselves very strongly on their security credentials, which go way beyond physical security. Frankly, even 5 years ago, there was a big gap between what hosters and co-location providers thought was their responsibility for data security and what end users expected. So, while robust firewalls and comprehensive defence against DDoS attacks are obvious must-haves, coherent policies around access to systems and the protection of virtual server instances are things that have been learned slowly and sometimes painfully. It is best to check that you, the hoster and, where appropriate, the underlying data centre operator are all in step, because data security is only as good as your weakest link.

Of greater import, but probably less appreciated, is the whole issue of information governance. Where is the data stored? Who has access? How is the data handled? You will have legal and best practice policies surrounding the handling of information, and increasingly there will be regulatory compliance and data sovereignty issues. Clearly you, as the data owner, need to assure yourself that your co-location, hosting or cloud provider is geared up to meet your needs, but there is probably more the data centre industry should be doing to help its customers overcome some deep-seated concerns.

Most data centres I have visited have had extensive, multi-layered physical security. Most have had significant virtual security functionality in place and would claim to be compliant with key information governance legislation. But anecdotal evidence suggests that looks can sometimes be deceptive. Most security relies on the implementation of sound policies by well-trained and motivated staff. It is in the ongoing implementation that problems often occur. Even if you don’t need an underground bunker or the tightest information governance and security arrangements, it is always advisable to eye-ball the operations of your potential provider to look for those tell-tale signs that staff aren’t always adhering to best practice.

We will use this end point to start our next piece looking at the issues of people risk in the data centre as we move through the areas you need to consider before you move your precious data and systems out from your own data centres.

This post first appeared on the old Cassini Reviews website.