Enterprise IT Watch Blog

November 30, 2010  9:59 AM

Google Cache is the new WikiLeaks

Michael Morisy

While WikiLeaks has been garnering headlines for leaking tens of thousands of pages of sensitive documents, there’s a quieter internal leaker that has so far gone unnoticed: Google Cache and lax security practices at the United States Marine Corps. Thanks to an anonymous tipster, we discovered dozens of internal documents (and possibly many, many more) available to anyone via the simple Google query: “site:cio.usmc.mil”.

What the results show are various documents, presentations and other files that are tucked securely away on the United States Marine Corps’s IT servers … unless you click for the Google Cached version which often shows you a complete copy of the spreadsheet, PowerPoint or Word document. Sometimes the Cached version calls on an image still on the military’s secure servers, but simply clicking “Cancel” when prompted for a username and password takes you to the un-redacted documents. It’s basic Google Hacking at its most elementary, and more advanced cyber sleuths might find more.

While we didn’t see any classified or highly sensitive documents in our own searches, we did find:

Continued »

November 22, 2010  1:00 PM

Data center in a box: Want fries with that?

Michael Morisy

It’s been a common sight at trade shows for a few years now: The data center in a box, letting the proud owner haul 2000 cores or petabytes of data around the country on a moment’s notice in a utilitarian, affordable package. Sun sells them, Microsoft’s got ’em and Intel’s been pushing a data center-in-a-box standard to chop prices and, presumably, stuff more of its chips in them.

Data centers-in-a-box are a nice, tidy package, as Jeremiah Owyang explained when the products first cropped up a few years back:

This first one is the new Sun Data Center in a box, called Project Blackbox seen on 237 in East Palo Alto. This data center is what marketers call a “Solution Sell” when you bundle up services, hardware, software and support and repackage and apply to a business pain. These data centers contain web services, routers, networking equipment, storage, and sometimes remote power. You just plug it in for remote locations, high growth areas, or even for disaster computing needs (if your primary data center goes down, drop one of these in asap).

The products are relatively inexpensive, dependable, predictable and come in the same packaging each time. In other words, a lot like fast food. And like fast food, Continued »

November 22, 2010  6:21 AM

Start from scratch: Data center security policy template

Kevin Beaver

Security policies are all too often made to be overly complex and difficult to manage. Done incorrectly, policies can hinder more than they help. If you’re looking to pull together some security policies for your data center or elsewhere inside your organization, here’s a template you can use to help clarify what’s expected of everyone involved:

Introduction: A brief overview of the topic.

Purpose: The high-level strategy and goals of the policy.

Scope: The departments, employees and systems that are covered by the policy.

Roles and responsibilities: Who is involved and what each person must do to support the policy.

Policy statement: The actual policy outlining what can or cannot be done.

Exceptions: The departments, employees and systems that are not covered by the policy.

Procedures: Specific steps on how the policy is being implemented and enforced. Key word here is “specific.”

Compliance: Metrics and other methods used for measuring adherence within the policy.

Sanctions: Consequences for policy violations.

Review and evaluation: Specifics on when the policy must be reviewed for accuracy, applicability and compliance purposes (e.g. HIPAA/HITECH Act, PCI DSS, state breach notification laws, etc.).

References: Regulatory code sections and information security standards that the policy quotes or references.

Related documents: Other policies, procedures and security standards that relate to the policy.

Revisions: Ongoing changes made to the policy document.

Notes: Anything else that can help with future policy administration.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.

November 19, 2010  6:23 AM

Data centers are fair game for policies, too

Kevin Beaver

When we think of security policies, visions of “acceptable use” and “passwords” often come to mind. But policies are much more than that – especially considering the complexities associated with data centers. Policies outline “this is how we do things around here” regardless of the specific topic. When it comes to information security and managing data center-related risks, there are numerous policies that could apply:

  • Access controls
  • Audit logging
  • Authentication
  • Key management (you know, those old-fashioned physical keys you use to lock and unlock stuff in your data center)
  • Media disposal
  • Mobile device encryption
  • Web security (for your CCTV management system, UPSs, KVMs, etc.)
  • Wireless networks

You don’t necessarily need to create dedicated policies on these topics just for the data center. Instead, simply include the data center and related systems within the scope of the appropriate policy. This will keep your number of policies to a minimum and simplify policy management. Given all the headaches, politics and technical complexities of managing a data center, the last thing you need to do is create more stuff to keep up with. In a follow-up post, I’ll outline a security policy template that can work well in this situation.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.

November 18, 2010  3:20 PM

As VMware moves into data centers, worlds collide

Michael Morisy

“I think data center manager is a mislabel,” the IT manager tells me. It’s a surprising statement, since he’s actually in charge of managing a data center. But he insists.

“It’s server management. The fact that they live in a data center … It’s just marketing stuff.” He won’t let me use his name, but this IT manager – we’ll call him Frank – has the credentials to talk. He works at a big organization that produces a lot of data.

“What two years ago was a one or two terabyte allocation request is now a 10 or 30 terabyte allocation,” he said. Storage may be cheap, but it’s not cheap in those quantities, and so he’s now forced to tell departments to re-run simulations and tests because it’s actually cheaper to spend the thousand dollars to re-run the tests than to store that 10 to 30 terabytes … forever.

Continued »

November 17, 2010  1:28 PM

Data Center Infrastructure: The more you buy, the more you save

Melanie Yarbrough

A recent report from IDC predicts that data center power and cooling costs will level off by 2014. For once, rather than blaming the economy, data center admins can thank the recession for the predicted cost plateau. As David Reinsel, group VP of Storage Systems at IDC puts it:

The interest and adoption in storage efficiency technologies continue to increase as IT managers are forced to store more data on fixed or declining budgets.

Due to mandatory budget squeezes during the downturn, the enterprise – and, thus, vendors – took a vested interest in ways to better utilize existing storage capacity. Don’t put those feet up just yet: Reinsel goes on to say that the plateau, while tangible, is also temporary. With data growth affecting everyone from Facebook to Apple to Wipro, capacity requirements will cause energy costs to rise once again. Thus, the enterprise will have to take advantage of technologies such as data deduplication, compression and thin provisioning. Further proof that companies are taking increased efficiency seriously? External storage shipments increased 38% and hard drive disk shipments increased 10% from 2008 to 2009.

The big guys are going to come out the big savers from this momentary lapse in cost increase or, as my dad likes to say, “Save more money the more you spend.” According to Reinsel, “Definitely the larger the data center, the more it has to gain from efficiency strategies. Cloud data centers also benefit directly from having the most efficient running data centers.” When budgets are tight, however, any amount of savings – whether it be in the form of budget dollars or server capacity – is significant.

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.

November 17, 2010  8:36 AM

Who exactly is responsible for data center security?

Kevin Beaver

Given our discussion of data centers this month, I reflected back on the data center environments I’ve seen over the past few years and have drawn some interesting conclusions regarding security in/around the data center:

1. Sometimes the physical security team owns the responsibility of securing the data center, but often a physical security manager or team doesn’t exist.

2. When IT is put in charge of data center security, it’s quite commonplace that very little physical security is present (it gets in the way).

3. When physical security does exist, the data center is typically fully locked down with relatively stringent policies and processes regarding the who, how, and why related to people coming and going to/from the premises.

4. When no one takes responsibility for locking down the data center, it’s often the compliance manager or internal auditor who ends up mandating that things be secured.

There’s often no clear responsibility and little accountability related to data center security. But when you think about it, that’s not really any different than vulnerability patching, the software development lifecycle, periodic and ongoing information security testing, proactive system monitoring and so on, right? Thus the cycle of business risks and job security continues. The key? Awareness, communication and striving for control over data center security.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.

November 15, 2010  4:56 PM

Is getting work done killing data center careers?

Michael Morisy

I re-watched the Jack Lemmon classic The Apartment, and data center professionals trying to get a leg up in their own careers could learn a lot from the schmoozy, clumsy corporate-climbing C. C. Baxter.

One would think it’s a great time to be a data center guru: Facebook just invested half a billion in their new data center upgrades and Apple spent a billion on its own new one. And it’s not just the mega-companies that are investing: The industry is exploding, so that analysts worry about a data center spending crisis down the road. While that might be bad for companies, it should be great for the professionals powering those behemoths. Right?

Unfortunately, it looks like some data center pros are just too busy to look after their own careers, according to recent analysis by Lauren Horowitz and SearchDataCenter. Even as salaries have been increasing (slowly), data center careers are stalling.

Doing more with less, that tired mantra of the recession:

“I’m torn between my operational role and becoming more strategic,” said David Fouts, a data center systems administrator at Capital Region Medical Center in Jefferson City, Mo. “Just finding time for larger projects and staying on top of them” is a challenge, he said.

For many data center professionals, the task of keeping the trains running can easily subsume more strategic projects.

So where do we go from here? Well, as the fumbling Baxter learned, hard work will only take you so far. An insurance middle manager, he could prime performance and cut costs, but what ultimately helped his career was renting out his apartment to executives looking for a discreet midweek getaway. While I won’t suggest turning your bachelor pad into a house of ill repute, creating your own getaways is not just a way to retain your sanity, it’s a way to keep your career on track.

As Lauren’s article notes, infrastructure expertise is important, but it’s also an increasingly low-level, outsourced skill. What is sticking around, analysts predict, are hybrid jobs that can not only manage the day-to-day but also plot strategic roles for their department.

Have any getaway tips you’ve found help clear your head from the day-to-day to see the big picture? Leave them in the comments or shoot me an e-mail.

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

November 15, 2010  4:32 PM

Don’t write off the data center just yet

Kevin Beaver

Contrary to the marketing hoopla we’re being force fed, once all the “cloud” hype settles down the data center as we know it is still going to be around. So, there’s no better time than now to get your physical security and IT ducks in a row to ensure everything in and around the data center stays in check.

Here are several pieces I’ve written on data center management that can help you get rolling:

Several of these pieces are from another trade rag I write for called Security Technology Executive, a great resource for all things data center related.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.

November 15, 2010  10:25 AM

A Data Center to Call Your Own: Building on a budget

Melanie Yarbrough

If you thought your data center was overrun with data, imagine holding all of the information of over 500 million people, from the things they like to who they’re having a complicated relationship with this week. That’s right, the monster that is Facebook is running out of servers. Their solution? Continued »
