Given our discussion of data centers this month, I reflected back on the data center environments I’ve seen over the past few years and have drawn some interesting conclusions regarding security in/around the data center:
1. Sometimes the physical security team owns the responsibility of securing the data center, but often a physical security manager or team doesn’t exist.
2. When IT is put in charge of data center security, it’s quite commonplace that very little physical security is present (it gets in the way).
4. When physical security does exist, the data center is typically fully locked down, with relatively stringent policies and processes governing who comes and goes, how they do so, and why.
4. When no one takes responsibility for locking down the data center, it’s often the compliance manager or internal auditor who ends up mandating that things be secured.
There’s often no clear responsibility and little accountability for data center security. But when you think about it, that’s not really any different from vulnerability patching, the software development lifecycle, periodic and ongoing information security testing, proactive system monitoring and so on, right? Thus the cycle of business risks and job security continues. The key? Awareness, communication and striving for control over data center security.
Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.