IT Asset Protection: How One Colocation Provider Does It - InformationWeek

8/18/2016
09:06 AM

IT Asset Protection: How One Colocation Provider Does It

For colocation provider vXchnge, security isn't just a matter of strong defenses. It also involves planning for the worst.

Willie Sutton, an infamous bank robber from the 1920s through the 1950s, denied ever saying that he robbed banks "because that's where the money is." Nonetheless, this apocryphal declaration of the obvious could equally well apply to hackers and data centers.

After providing computing infrastructure and the power to run it, data centers have to prioritize security. Without security, a data center is a data breach, and that's not an enduring enterprise.

Information technology professionals know this well. Anyone who has visited a data center of any size can attest to the evident security measures. These are not places you can just walk into for a tour of the server racks.

But not all data centers handle their responsibilities to clients with equal diligence.

When MetricStream, a provider of Governance, Risk, and Compliance (GRC) services for enterprises, sought a colocation provider for its cloud-based applications, it chose vXchnge, which operates 15 colocation data centers across the US.

A colocation provider offers infrastructure, power, and security for the site, along with a local network, while its customers provide and manage their own hardware and networking.

In July, vXchnge earned the ISO/IEC 27001 certification, which evaluates the company's Information Security Management System (ISMS), across all of its data centers.

Sameer Aghera, product manager at vXchnge, said in a phone interview that his company is the first edge colocation company to be ISO/IEC 27001 certified. The company's facilities also adhere to other standards, specifically SSAE 16 Type II, SOC 2 Type II, HIPAA/HITECH, and PCI DSS 3.1.

For MetricStream's customers in banking and healthcare, like Pfizer, Societe Generale, and UBS, all of that matters.

(Image: vXchnge)


"MetricStream deals with compliance and regulatory issues on a daily basis," said Aghera. "They came to us originally to look for a colocation provider that put security at the forefront."

Aghera said that when most people consider data center security, they look at the physical security measures in place, like doors and access controls. At the company's newest facility in Philadelphia, he said, there are six levels of security that one must pass through to reach actual hardware.

Customers often ask about access control logs, he said, to understand the comings and goings of employees at vXchnge facilities. "Our internal customer platform allows customers to go in and see which employee entered the data center."

But there's more to it than that. "We use people and policies to manage our security program," said Aghera. "The most important thing for us is that we see security as a company-wide initiative that affects all levels of the business."

In practice, that means every new employee takes security awareness training and takes a refresher course annually, said Aghera. There's a dedicated ISMS team with stakeholders from across the company that meets regularly.

vXchnge differentiates itself through its people, processes, and policies, he said. "Policies are probably one of the more underrated parts of data center security."

The company's policies cover physical security, information security, network security, and HR security. This allows the company to take a proactive approach by having incident response plans, disaster recovery plans, and business continuity plans to deal with any issues that arise.

"Where a lot of our competitors maybe are not as robust as us is they don't have these plans in place if something happens," he said.

Another point of differentiation, Aghera claimed, is the company's use of real-time RFID-based asset tracking, which customers can use to understand the status of hardware in vXchnge facilities.

Vidyadhar Phalke, CTO of MetricStream, told InformationWeek in an interview that in the GRC market, while data may not be highly confidential ERP data, it's nonetheless sensitive information about internal controls, internal audits, and evidence of what failed.

"In a nutshell, it's sort of your dirty laundry."

What MetricStream looked for in a colocation provider, said Phalke, was a very clearly articulated segregation of duty. "Any IT organization needs to look at clearly defining where the boundaries for the IT organization stop and the data center kicks in."

Such clarity provides reassurance, an essential component in regulated industries, and also in cloud computing. "In the cloud world, it becomes cloudy, and that grayness makes things hard to decipher when something serious happens," said Phalke.

Phalke said vXchnge has a strong understanding of where boundaries start and stop, and also cited its flexibility in terms of being ready for client visits with only an hour's notice.

There's no easy way to test how vXchnge's practices compare to those of competitors, because many security incidents are never made public. But Aghera said vXchnge reports security incidents as part of its annual audits, and the company has not reported any such incident over the past year.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...
