Data Center Journal

Volume 30 | February 2014

Issue link: http://cp.revolio.com/i/257227

Page 14 of 32

time, the U.K. government was committed to getting private-sector companies to take on some of their data management. That was a culture shock: the companies didn't seem ready for the sort of attention that government security would pay to their detailed processes, and they placed too much emphasis on physical security. For their part, government security officers were unused to passing on risks to commercial companies, in spite of carefully worded contracts. The result—in at least one case—was a company having to review its data separation arrangements before the transfer of data could go ahead.

This was the backdrop to a new requirement in U.K. government security professionalism: the effective assessment of third-party and contractor security. New required skills included legal and regulatory awareness, data auditing, and, not least, risk management and risk assessment. It took some time to move entirely from Hamilton's model of castle-like data centers to the new reality of contracted services, and to the recognition of the fluidity of data, which nearly everyone had assumed was secure just because government owned it.

A few years on, a new pressure to save government spending emerged: offshoring—that is, the contracting of certain government services to countries with cheaper wage bills but also with different laws. There were few concerns about routine processes being sent abroad, but those anxious to ensure the best value could easily overlook new security issues surrounding the passing of data to people who were not subject to home laws and regulations. Whenever the accountants became impatient (because they felt that the data being passed abroad was not sensitive), they could not deny that there was a new tangle of disparate and even conflicting data law to be considered before effective offshoring could go ahead.
Even so, the pressures to offshore were great, and I would sometimes need to make it very clear that public and legal expectations of how data was to be managed could be undermined by too hasty a cost-saving measure. Some data-management organizations in foreign countries eventually woke up to the security and legal inhibitors of taking on their cheaper services. I remember some colleagues enjoying trips to data centers in India, where companies were keen to address those concerns and ensure that risks were managed in ways acceptable to government customers.

Ideally, it would be unnecessary to visit a contractor's data center at all, since in theory, all risks would be passed over to them under the terms of a well-worded contract and memorandum of understanding. But customers of traditional front-end services (such as governments) have some right to expect that their data won't be handled in ways that are less safe or less accountable than their subjects have been accustomed to. So some rights of inspection and audit ought to be written into any contract. The sheer volumes of data that will be passed to the contractor will of course make it difficult and impractical to oversee every element, so sampling is a necessity. If you are in a situation where you need to check the realities behind a third-party data center, here are some things to look out for.

Control systems—This includes both physical and logical controls. Do they do what they claim? It should be possible to get a data controller to completely run through a process to demonstrate that the data is being managed in accordance with your contract. If it isn't, then perhaps more work is needed.

Reporting systems—Do these meet your needs and expectations? It will be useful to get a data controller to run through the process of reporting, say, a breach of security to see how it fits your needs.

Staffing arrangements—It is impossible to maintain absolute control over the behavior of contractor staff any more than your own staff. But what systems does the contracting company have in place for the recruitment (and dismissal) of staff at its data center? Do they meet your own standards?

Access control—How does the company maintain controls on physical and logical access, and what happens if anything goes wrong? A company may be keen to show you its monitoring arrangements, but remember that this isn't the whole story. Even with great technology, trusted staff share passwords to save time, or they share access passes to areas in order to bypass an access-control process.

How might these controls be pulled together in ways that can be effectively audited and certified? It may be difficult to require your providers to comply with a particular standard, but I believe that compliance with ISO 27001 (information security management) and/or ISO 22301 (business continuity) provides significant benefits. Though not yet well known in the U.S., these standards are increasingly sought out and accepted worldwide as a new paradigm for information security. What makes them special is their requirement for transparent documentation of a wide range of security controls, along with regular audit and assessment. These standards also ensure a proper assignment of responsibilities and recognize risk-managed approaches, both of which are increasingly important in the management of multi-layered security environments like data centers.

About the author: John G. Laskey is a security researcher for the InfoSec Institute and a U.S.-based security consultant.
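One way to turn the access-control and sampling points above into a check an auditor can repeat, as an added example that is not from the article or its author: a short Python script over a constructed badge log (the four-column layout, the badge ids and the zone names are all assumed) that flags an access pass re-entering a zone it never left or appearing in a second zone while still inside the first, both signs that a pass is being shared, and picks a reproducible sample of badges for spot-checking.

```python
"""Spot-check a data-center badge log for signs of shared access passes."""
import random
from datetime import datetime

# Constructed sample records (not real data): timestamp, badge id, zone, event.
SAMPLE_LOG = """\
2014-02-03T08:00:05 B1021 hall-a entry
2014-02-03T08:01:10 B1021 hall-a entry
2014-02-03T08:30:00 B1021 hall-a exit
2014-02-03T09:00:00 B2044 hall-a entry
2014-02-03T09:02:00 B2044 hall-b entry
2014-02-03T09:45:00 B2044 hall-a exit
"""


def parse_log(text):
    """Parse one record per line and return them in time order."""
    records = []
    for line in text.splitlines():
        ts, badge, zone, event = line.split()
        records.append((datetime.fromisoformat(ts), badge, zone, event))
    return sorted(records)


def find_pass_sharing(records):
    """Zones are assumed mutually exclusive (separate halls), so a badge can
    only be in one at a time. Each sequence violation becomes a finding."""
    location = {}  # badge -> zone it is currently inside
    findings = []
    for ts, badge, zone, event in records:
        here = location.get(badge)
        if event == "entry":
            if here == zone:
                findings.append((badge, ts, f"re-entered {zone} without exiting"))
            elif here is not None:
                findings.append((badge, ts, f"entered {zone} while inside {here}"))
            location[badge] = zone
        else:  # exit
            if here != zone:
                findings.append((badge, ts, f"exited {zone} without matching entry"))
            location.pop(badge, None)
    return findings


def sample_badges(records, fraction, seed=0):
    """Choose a fixed-seed subset of badges so a spot check can be reproduced."""
    badges = sorted({r[1] for r in records})
    size = max(1, round(len(badges) * fraction))
    return set(random.Random(seed).sample(badges, size))


if __name__ == "__main__":
    for finding in find_pass_sharing(parse_log(SAMPLE_LOG)):
        print(finding)
```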
