There's no such thing as total security

“The only truly ‘secure’ computer is one that’s been dropped into the middle of the Pacific Ocean”

Written by Phil Alsop, Editor, DCS Europe. Published Wednesday, 23 May 2018 08:09.

A few years ago, I attended a roundtable event at which the topic for discussion was the Cloud.

Naturally, Cloud security was part of the debate – with end users apparently reluctant to trust their data to a third party. I still remember one of the participants, a senior security expert at one of the world’s largest IT vendors, explaining, “The only truly ‘secure’ computer is one that’s been dropped into the middle of the Pacific Ocean”.

In other words, there’s no such thing as total security.

It took a long time for the IT industry to admit this guilty secret, preferring to pretend that businesses that spent sufficient amounts of money on a whole variety of security software packages would be safe from the worst excesses of the malicious forces hell-bent on bringing the corporate world to its knees.

Happily, this increasingly hard-to-maintain stance has now been replaced by the much more realistic admission that, yes, your organisation is certain to be targeted and, at some stage, breached but, with the right combination of data protection software (both preventing many attacks and ensuring disaster recovery/business continuity after a successful attack), the harmful impact can be minimised.

Before we take a brief look at the external security attacks which might target the data centre, it’s worth remembering that the human factor remains the single most controllable aspect of IT and data centre security.

Firstly, and most importantly, your employees must be educated about, and constantly reminded of, the various security hazards they will encounter while working with a computer – most importantly in terms of emails.

Individuals needing the ‘loan’ of your bank account, banks requiring you to confirm all of your security details, candid pictures of film stars… the message should be quite clear: anything that looks too good to be true always is, whether it’s in the email itself or a ‘tempting’ attachment, so don’t open or respond to these phishing-style attacks.

While it might seem harsh to penalise an employee who does ignore the rules, it might be worth rewarding all those who do manage to avoid any email-related security issues.

Staying with the human theme – I think it’s still true to say that the majority of data breaches that do occur come from within an organisation, rather than externally. This means that data access policies need to be well thought-out, constantly reviewed and updated and, however uncaring it might sound, the minute you know that an employee has decided to leave, it might well be worth looking at their recent IT activities and certainly monitoring their activities up until their departure date. Some might call it snooping, but it’s really only common sense.

When it comes to the security threats from outside the data centre/overall business, the simple fact is that the hackers will always be one step ahead – after all, it’s very difficult to defend against an attack until you know its nature. Once this truth is accepted, there’s still every chance to thwart all but the most intricate or newest security hack by deploying a comprehensive combination of the various security software offerings that exist.

Thanks to the Cloud, you now have the option to deploy much of this armoury in the form of security-as-a-service. One potential advantage with this approach is that the products being used to defend your business will be updated more frequently than any on-premises software you might deploy. Certain security breaches succeed precisely because software – security or otherwise – hasn’t been updated regularly.

No matter how comprehensive the security perimeter guarding your data centre and IT infrastructure, you will suffer a security breach sooner or later. And here you have the chance to minimise the impact – whatever the attack – by implementing a robust disaster recovery/business continuity plan. A ransomware attack freezes access to databases that are the lifeblood of your business. If they are properly mirrored or backed up, what’s the worry? You can simply fail over to one of these ‘alternative’ databases, which has been updated in as near real-time as is possible and/or affordable.

The same thought process needs to govern the increasingly attractive options of putting your IT infrastructure in colocation facilities and many of your applications in the Cloud and accessing external, managed services. In all cases, make sure that the provider of the facility, Cloud or managed service has a sufficiently resilient infrastructure in place to minimise the impact of any data breach. And, where possible, use at least two suppliers so that you have a failover option. In other words, your primary data centre infrastructure might be with Data Center Provider A at site A, but make sure that your back-up infrastructure is located either at Provider A’s site B, or with another colocation provider.

‘Multi-Cloud’ and ‘hybrid’ are becoming the IT buzzwords right now. And one interpretation of these approaches can be simplified to the old adage: ‘Don’t put all your eggs in one basket’. This applies to potential security risks as much as to cost, infrastructure and application optimisation purposes.

In the real world, money is always the limiting factor when it comes to data centre and IT infrastructure, along with the available expertise. Risk assessments, combined with the affordable budget, and the skills resource, dictate what can or cannot be implemented. Huge corporations can afford the very best in terms of both infrastructure and expertise; but most organisations have to make some kind of a compromise.

The good news is that companies who make the running of data centres and IT services their everyday business – colocation providers – can offer you a level of security and business continuity services that would be simply unaffordable if you had to do it yourself.

So, whether it’s your website being paralysed, your data being stolen, or just a ‘common or garden’ virus, there’s every chance that you’ll be better off handing over to the experts, rather than going it alone. More and more end users are beginning to realise that, rather than worry about handing over the security of their infrastructure and data to a third party, they should be actively embracing the peace of mind, and improved security, it can bring.