Enterprise IT Watch Blog


December 2, 2010  11:56 AM

Marines Respond: “Corps’ networks are secure”

Michael Morisy

Following up on our piece explaining how to access certain Marine Corps password-protected materials, we received another e-mailed response to a few of our questions, which shed a little light on the situation. In addition, in a surprisingly transparent move, password protection was completely removed from many of the documents. We should note, however, that while the e-mail below states no documents from after 2005 were available, we found one (unclassified) manual from October 2007.

The e-mail in full below.

Continued »

December 2, 2010  9:44 AM

The keys to stopping the next WikiLeak from sinking your company

Michael Morisy

WikiLeaks’ data dumps have been called “unprecedented” a number of times in the past few weeks and months, as hundreds of thousands of pages of once internal documents have found their way to the web. Unfortunately, data leakage is nothing new, and has cost millions if not billions over the years in stolen identities, lost revenue and fines. What is new is how the data leakage has been disseminated: Not over shadowy back channels or black markets, but out in the open in the public eye. WikiLeaks now seems poised to give the same treatment to a private company, but even if they weren’t, someone else will or already is using similar attack vectors at major companies around the world. The only difference is that in the WikiLeaks case, the public is made well aware of it after the fact.

Here are some tips to help minimize possible damage on your own network.

Continued »


December 1, 2010  9:12 AM

Data Center Round-Up

Melanie Yarbrough

Buy versus Build Dilemma

Users responded with a middle-ground instead: Buy existing unused space and build within. Technochic’s company removed the raised flooring and installed chimney racks. Now they’re able to install racks as they go, saving money on cooling costs and diminishing the initial investment for a new data center space. Labnuke99 had a similar experience finding that happy middle ground; now his company has a personally owned, designed and managed solution without the monthly cost of a data center lease.

Who knew that Goldilocks was about data centers…

Consider This

So many aspects of operation fall under the data center’s jurisdiction. How do you wrap your head around a task as daunting as designing and developing a data center? IT Knowledge Exchange members didn’t even flinch at this one, instead offering great insight and a spectrum of concerns necessary to creating an efficient data center checklist.

Green is the new black when it comes to data center operations, so be sure to consider how to improve your current cooling costs and methods. Every decision affects another decision: Your backup methods and policies affect the amount of power your servers need, which affects cooling costs. Then there are more fundamental checkpoints such as ensuring that the new data center is compatible with existing hardware and software.

Member BigKat got specific, listing the necessary nitty gritties: Regularly updated list of hardware and software, including model and version numbers and vendors’ contact and contract numbers; procedures for requesting and installing temporary keys to authorize new computers; and an up-to-date list of in-house IT contact information for support.

Rechil and StevenG7 emphasized the importance of KISS: Keep it simple, stupid. Steve lived it:

I was involved in the design of a large “simple” enterprise data center 12 years ago; in 12 years the total downtime (both scheduled & unscheduled) was about one hour. It was replaced by a new “tier 3”-class data center costing 20 times more and 20 times more complex; and it’s 20 times less reliable. (During a t-storm this summer, none of the 3 redundant generators could be started; it took 7 hours to restore power to the floor). It is so needlessly complex that none of the designers or vendors have been able to figure out why it is so unreliable.

Carlosdl was kind enough to compile some great resources from right around ITKnowledgeExchange:

IT Answers

Guides

Vent Session: Data Center Edition

From bosses to lack of foresight, it seems the main hindrance in the data center (and all of IT) is money. Whether you’re building a new data center or managing a well-seasoned one, looking ahead to problems that may snowball will be your best pathway to cost-efficiency.

Still Want More?

Check out these data center pros on Twitter for updates and resources:

@datacenter: Google anything on the data center these days, and chances are you’ll get a handful of links to Data Center Knowledge. Check out Rich Miller on Twitter for bite-sized updates on all things data center.

@DataCenterGuru: Gabe Cole on data center design, development, financing and operations. What more could you ask for in 140-character bits?

@datacenterpulse: For multimedia updates on what’s going on in the data center globally.

@DCThinkTank: Hang out and chat about what’s going on in data center news all over the world and the Internet.

@ecoINSITE: Green data centers are all the rage. Get the latest info and, well, insight.

Or check out some of the lists from @DataCenter for specific groups of data center-related information:

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.


November 30, 2010  9:59 AM

Google Cache is the new WikiLeaks

Michael Morisy

While WikiLeaks has been garnering headlines for leaking tens of thousands of pages of sensitive documents, there’s a quieter internal leaker that has so far gone unnoticed: Google Cache and lax security practices at the United States Marine Corps. Thanks to an anonymous tipster, we discovered dozens of internal documents (and possibly many, many more) available to anyone via the simple Google Query: “site:cio.usmc.mil”.

What the results show are various documents, presentations and other files that are tucked securely away on the United States Marine Corps’s IT servers … unless you click for the Google Cached version which often shows you a complete copy of the spreadsheet, PowerPoint or Word document. Sometimes the Cached version calls on an image still on the military’s secure servers, but simply clicking “Cancel” when prompted for a username and password takes you to the un-redacted documents. It’s basic Google Hacking at its most elementary, and more advanced cyber sleuths might find more.

While we didn’t see any classified or highly sensitive documents in our own searches, we did find:

Continued »


November 22, 2010  1:00 PM

Data center in a box: Want fries with that?

Michael Morisy

It’s been a common sight at trade shows for a few years now: The data center in a box, letting the proud owner haul 2000 cores or petabytes of data around the country on a moment’s notice in a utilitarian, affordable package. Sun sells them, Microsoft’s got ‘em and Intel’s been pushing a data center-in-a-box standard to chop prices and, presumably, stuff more of its chips in them.

Data centers-in-a-box are a nice, tidy package, as Jeremiah Owyang explained when the products first cropped up a few years back:

This first one is the new Sun Data Center in a box, called Project Blackbox seen on 237 in East Palo Alto. This data center is what marketers call a “Solution Sell” when you bundle up services, hardware, software and support and repackage and apply to a business pain. These data centers contain web services, routers, networking equipment, storage, and sometimes remote power. You just plug it in for remote locations, high growth areas, or even for disaster computing needs (if your primary data center goes down, drop one of these in asap).

The products are relatively inexpensive, dependable, predictable and come in the same packaging each time. In other words, a lot like fast food. And like fast food, Continued »


November 22, 2010  6:21 AM

Start from scratch: Data center security policy template

Kevin Beaver

Security policies are all too often made to be overly complex and difficult to manage. Done incorrectly, policies can hinder more than they help. If you’re looking to pull together some security policies for your data center or elsewhere inside your organization, here’s a template you can use to help clarify what’s expected of everyone involved:

Introduction: A brief overview of the topic.

Purpose: The high-level strategy and goals of the policy.

Scope: The departments, employees and systems that are covered by the policy.

Roles and responsibilities: Who is involved and what each person must do to support the policy.

Policy statement: The actual policy outlining what can or cannot be done.

Exceptions: The departments, employees and systems that are not covered by the policy.

Procedures: Specific steps on how the policy is being implemented and enforced. Key word here is “specific.”

Compliance: Metrics and other methods used for measuring adherence within the policy.

Sanctions: Consequences for policy violations.

Review and evaluation: Specifics on when the policy must be reviewed for accuracy, applicability and compliance purposes (e.g., HIPAA/HITECH Act, PCI DSS, state breach notification laws).

References: Regulatory code sections and information security standards that the policy quotes or references.

Related documents: Other policies, procedures and security standards that relate to the policy.

Revisions: Ongoing changes made to the policy document.

Notes: Anything else that can help with future policy administration.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.


November 19, 2010  6:23 AM

Data centers are fair game for policies, too

Kevin Beaver

When we think of security policies, visions of “acceptable use” and “passwords” often come to mind. But policies are much more than that – especially considering the complexities associated with data centers. Policies outline “this is how we do things around here,” regardless of the specific topic. When it comes to information security and managing data center-related risks, there are numerous policies that could apply:

  • Access controls
  • Audit logging
  • Authentication
  • Key management (you know, those old-fashioned physical keys you use to lock and unlock stuff in your data center)
  • Media disposal
  • Mobile device encryption
  • Web security (for your CCTV management system, UPSs, KVMs, etc.)
  • Wireless networks

You don’t necessarily need to create dedicated policies on these topics just for the data center. Instead, simply include the data center and related systems within the scope of the appropriate policy. This will keep your number of policies to a minimum and simplify policy management. Given all the headaches, politics and technical complexities of managing a data center, the last thing you need to do is create more stuff to keep up with. In a follow-up post, I’ll outline a security policy template that can work well in this situation.



November 18, 2010  3:20 PM

As VMware moves into data centers, worlds collide

Michael Morisy

“I think data center manager is a mislabel,” the IT manager tells me. It’s a surprising statement, since he’s actually in charge of managing a data center. But he insists.

“It’s server management. The fact that they live in a data center … It’s just marketing stuff.” He won’t let me use his name, but this IT manager – we’ll call him Frank – has the credentials to talk. He works at a big organization that produces a lot of data.

“What two years ago was a one or two terabyte allocation request is now a 10 or 30 terabyte allocation,” he said. Storage may be cheap, but it’s not cheap in those quantities, and so he’s now forced to tell departments to re-run simulations and tests because it’s actually cheaper to spend the thousand dollars to re-run the tests than to store that 10 to 30 terabytes … forever.

Continued »


November 17, 2010  1:28 PM

Data Center Infrastructure: The more you buy, the more you save

Melanie Yarbrough

A recent report from IDC predicts that data center power and cooling costs will level off by 2014. For once, rather than blaming the economy, data center admins can thank the recession for the predicted cost plateau. As David Reinsel, group VP of Storage Systems at IDC puts it:

The interest and adoption in storage efficiency technologies continue to increase as IT managers are forced to store more data on fixed or declining budgets.

Due to mandatory budget squeezes during the downturn, the enterprise – and, thus, vendors – took a vested interest in ways to better utilize existing storage capacity. Don’t put those feet up just yet: Reinsel goes on to say that the plateau, while tangible, is also temporary. With data growth affecting everyone from Facebook to Apple to Wipro, capacity requirements will cause energy costs to rise once again. Thus, the enterprise will have to take advantage of technologies such as data deduplication, compression and thin provisioning. Further proof that companies are taking increased efficiency seriously? External storage shipments increased 38% and hard drive disk shipments increased 10% from 2008 to 2009.

The big guys are going to come out the big savers from this momentary lapse in cost increase or, as my dad likes to say, “Save more money the more you spend.” According to Reinsel, “Definitely the larger the data center, the more it has to gain from efficiency strategies. Cloud data centers also benefit directly from having the most efficient running data centers.” When budgets are tight, however, any amount of savings – whether it be in the form of budget dollars or server capacity – is significant.



November 17, 2010  8:36 AM

Who exactly is responsible for data center security?

Kevin Beaver

Given our discussion of data centers this month, I reflected back on the data center environments I’ve seen over the past few years and have drawn some interesting conclusions regarding security in/around the data center:

1. Sometimes the physical security team owns the responsibility of securing the data center, but often a physical security manager or team doesn’t exist.

2. When IT is put in charge of data center security, it’s quite commonplace that very little physical security is present (it gets in the way).

3. When physical security does exist, the data center is typically fully locked down with relatively stringent policies and processes regarding the who, how, and why related to people coming and going to/from the premises.

4. When no one takes responsibility for locking down the data center, it’s often the compliance manager or internal auditor who ends up mandating that things be secured.

There’s often no clear responsibility and little accountability related to data center security. But when you think about it, that’s not really any different than vulnerability patching, the software development lifecycle, periodic and ongoing information security testing, proactive system monitoring and so on, right? Thus the cycle of business risks and job security continues. The key? Awareness, communication and striving for control over data center security.


