
Thread: On-site vs. Off-site Data Centers

  1. #1
    Administrator Samantha Morris's Avatar
    Join Date
    Nov 2010
    Location
    Toronto, ON
    Posts
    105

    Question On-site vs. Off-site Data Centers

    From a data security standpoint, how does one make a decision between On-site and Off-site data centers? What are some of the strategic considerations for a growing company with growing data?

  2. #2
    Founding Member gaulfinger's Avatar
    Join Date
    Jan 2011
    Location
    Memphis, Tennessee, USA
    Posts
    64
    Security matters regardless of on-site or off-site. The security model needs to conform to whatever industry regulations you're under. The controls, procedures, and monitoring of enforcement of those features are all critical no matter where the data is.

    Off-site may present a slightly more complex implementation of those features in some cases. If the company owns both sites and staffs both sites, maybe not. But if it's a hosted facility, then security measures have to hand off between company and supplier. Things like documentation of physical security measures and SAS70 reports may be needed from the hosting provider to demonstrate that the outsourced facility complies with the overall corporate goals.
    Gary Aulfinger • CTO/Chief Storage Architect • Electronic Vaulting Services • www.evscorporation.com

  3. #3
    Founding Member
    Join Date
    Jan 2011
    Posts
    6
    I think as long as the backup solution has a good level of encryption, both in flight and at rest, the off-site data centre is a no-brainer. All good data centres have a reasonable level of physical security; however, even if a whole vault is stolen, if it can't be unencrypted it is less of an issue.

    That said, there are many enterprises and government clients that would never consider an off-site (off-network) disk backup no matter what the encryption level. I would always suggest that off-site is best, but often security policies that don't account for the quality of some backup solutions will not allow this to happen.

  4. #4
    Founding Member continuitycentr's Avatar
    Join Date
    Jan 2011
    Location
    Long Island, New York
    Posts
    7

    Security - Not just about encryption

    I agree with Gary that physical security measures are a must, not just strong encryption. In addition to physical security, it's paramount that there are documented security processes in place, regardless of whether you outsource backup or Do-It-Yourself (DIY). Human beings are almost always the weak link in security. How many times have you seen someone write down their password in plain sight? How many times have you?

    Security is not just an encryption method, nor is it simply a locked cabinet or man-trap entrance to a data center. Security must be developed within the culture of a company, from the top down. I've seen plenty of "IT professionals" store unencrypted passwords on their mobile devices as well as send them in clear text via email, leaving their company or customer completely exposed to risk.

    Many companies and products, such as our SecureVault Powered by Asigra, employ security techniques such as only allowing connections from certain IP addresses, hash keys, etc. in addition to the FIPS-140 certified encryption. But chances are, if someone went through the effort of stealing a vault from a data center, they already had knowledge of the passwords required to unencrypt some, if not all of the data.

    Most SAS70 reports I've read only covered physical security of the data center. If you're only looking for a colocation provider, physical security may be enough, since you will not provide them with any passwords to your network. If you're looking for any type of managed service for your technology, make sure to read the SAS70 report and look for documentation of their security procedures in addition to the physical and logical aspects of security.

    Each component of security, from physical to logical to procedural, is just as important as the next. Should any become a weak link, you no longer have security.

    Security is an ongoing process of risk mitigation, not a final destination. Secure processes for each touch point with a Member's infrastructure are documented, monitored, reported and audited on a regular basis, always looking to eliminate any possible weak links.

    As a provider of managed backup and recovery, our SAS70 audit specifically reviews each step of our process, from onboarding of a new Member to our support ticketing system to their full disaster recovery testing. With the end of SAS70 nearing and SSAE16 on the horizon, you might be surprised at how many small and mid-sized companies experience difficulty in successfully completing this new audit. Follow this link to learn more about our SAS70 audit.

    For those who choose the DIY method, hiring a security consultant to create a security-minded culture for your business is a diligent step towards protecting your company, yourself and your reputation.

    Gregory R. Tellone
    Chief Operating Officer
    American Business Continuity Centers, LLC.
    www.ContinuityCenters.com

    Last edited by continuitycentr; 01-28-2011 at 06:26 AM.
