Mina Žele, Ph. D. Security Specialist, Astec: Risk assessment defines datacenter security requirements
March 2011 by Mina Žele, Ph. D. Security Specialist, Astec
With the growing amount of stored information and the increasing complexity of data centres, the data centre manager's job of providing appropriate security measures is becoming demanding. A data centre outage due to environmental or technical causes can have a devastating effect on the business, not to mention the sensitivity and value of the stored data, which is attractive to external attackers and malicious insiders alike.
A data centre manager often faces uncertainty about whether the data centre receives protection in line with business needs and contractual and regulatory obligations. Risk management of data centres is becoming particularly important with the emergence of cloud computing: a customer organization requires its cloud provider to proactively mitigate risks that could compromise its data. A systematic analysis and evaluation of vulnerabilities, threats and risks is strongly recommended in such a case, because it reveals the most critical weaknesses in the organizational procedures and technical mechanisms that protect the data centre. The benefit of risk assessment is that its results can be used to justify the cost and prioritization of investments that raise the level of information security and compliance with legislation.
Organizations often store data with highly diverse security requirements for availability, integrity and confidentiality, set by business needs, contractual obligations or legislation. Risk assessment used to be a task for IT personnel, who lacked an understanding of the relative value of the data and consequently misjudged the consequences of its loss, unavailability or disclosure. Accurate risk estimation is a joint effort of business managers, IT personnel and information asset owners, and is achieved only through close cooperation of all of them. Since risk assessment can be a complex process that handles a large amount of data and produces complex results, it can easily become unmanageable. A dedicated risk assessment tool is therefore usually welcomed by business and data centre managers.
Risk assessment tools are a developing field in information security and are generally quite expensive, especially because they are usually just one component of an information security management suite. It is therefore important to choose a tool that is genuinely beneficial to your organization. CISOs and security consultants strongly support the idea that a risk assessment tool is "a must"; however, a tool only becomes an advantage when it is adapted to the organization's risk assessment methodology. This includes configuring access rights according to each employee's role in the risk assessment process; customizing the matrix used to calculate risk levels; and choosing the relevant threats and vulnerabilities from the tool's catalogues. The value of such tools is that analysis and interpretation of results are presented separately for technical staff and business management. The data centre manager receives reports with meaningful information on risk levels and proposed actions to mitigate the risks, and these reports can be presented to the senior management responsible for approving the information security strategy.
What makes a risk assessment tool really useful? First, the tool should enable intuitive and fast risk assessment that does not require long training; this also implies that the annual risk update will be simple. Experience shows that the ranking of input data (threat likelihood and level of impact) should match human perception and must not be too granular: qualitative ranking turns out to be more useful and describes the actual situation better. The tool should support a methodology in line with the guidelines of ISO/IEC 27005:2008. Finally, the results must be transparent and informative to both business and technical staff, and exportable to other formats.
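As an added example of the matrix customization and qualitative ranking described above (this is illustration code written for this page, not code from Astec's tool or from the article), the following Python script implements a three-level likelihood/impact matrix in the style of the ISO/IEC 27005 Annex E examples, validates a customized matrix before use, rates a few constructed data-centre scenarios against a risk appetite, and exports the resulting register as CSV for a management report. The scales, the matrix, the appetite and the scenarios are all assumptions made for the example.

```python
"""Qualitative likelihood x impact risk matrix, in the style of the
ISO/IEC 27005 Annex E examples.

Added illustration only: the scales, matrix, risk appetite and scenarios
are constructed and are not Astec's product, data or methodology."""
import csv
import io
from dataclasses import dataclass

# Three-level qualitative scales: coarse on purpose, so assessors can
# place a scenario without false precision.
LEVELS = ("low", "medium", "high")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Matrix indexed as MATRIX[likelihood][impact] -> risk level. An
# organisation customises this table; validate_matrix() checks the result.
DEFAULT_MATRIX = (
    ("low",    "low",    "medium"),   # likelihood low
    ("low",    "medium", "high"),     # likelihood medium
    ("medium", "high",   "high"),     # likelihood high
)


def validate_matrix(matrix):
    """Reject a customised matrix that has the wrong shape, uses unknown
    levels, or is not monotone (raising likelihood or impact must never
    lower the risk). Returns True, or raises ValueError."""
    n = len(LEVELS)
    if len(matrix) != n or any(len(row) != n for row in matrix):
        raise ValueError("matrix must be %dx%d" % (n, n))
    for row in matrix:
        for cell in row:
            if cell not in RANK:
                raise ValueError("unknown risk level %r" % (cell,))
    for li in range(n):
        for ii in range(n):
            cur = RANK[matrix[li][ii]]
            if li + 1 < n and RANK[matrix[li + 1][ii]] < cur:
                raise ValueError("risk drops as likelihood rises at (%d,%d)" % (li, ii))
            if ii + 1 < n and RANK[matrix[li][ii + 1]] < cur:
                raise ValueError("risk drops as impact rises at (%d,%d)" % (li, ii))
    return True


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str   # one of LEVELS, judged by IT / the asset owner
    impact: str       # one of LEVELS, judged by business management


def rate(scenario, matrix=DEFAULT_MATRIX):
    """Look up the qualitative risk level of one scenario."""
    for level in (scenario.likelihood, scenario.impact):
        if level not in RANK:
            raise ValueError("unknown level %r, expected one of %s" % (level, LEVELS))
    return matrix[RANK[scenario.likelihood]][RANK[scenario.impact]]


def assess(scenarios, matrix=DEFAULT_MATRIX, appetite="medium"):
    """Rate every scenario, decide treat-or-accept against the risk
    appetite, and return register rows ordered highest risk first."""
    validate_matrix(matrix)
    if appetite not in RANK:
        raise ValueError("unknown appetite %r" % (appetite,))
    rows = []
    for s in scenarios:
        level = rate(s, matrix)
        rows.append({
            "asset": s.asset, "threat": s.threat, "vulnerability": s.vulnerability,
            "likelihood": s.likelihood, "impact": s.impact, "risk": level,
            "action": "treat" if RANK[level] > RANK[appetite] else "accept",
        })
    # Highest risk first; within a level, the larger impact first.
    rows.sort(key=lambda r: (-RANK[r["risk"]], -RANK[r["impact"]], r["asset"]))
    return rows


def to_csv(rows):
    """Export the register for a management report or a spreadsheet."""
    fields = ["asset", "threat", "vulnerability", "likelihood", "impact", "risk", "action"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed data-centre scenarios (hypothetical, for illustration only).
SCENARIOS = [
    Scenario("UPS and power feed", "mains power failure",
             "no generator, single UPS string", "medium", "high"),
    Scenario("Server room", "unauthorised physical entry",
             "shared badge, access log never reviewed", "medium", "medium"),
    Scenario("Customer database", "data disclosure by insider",
             "DBAs hold standing production access", "low", "high"),
    Scenario("Cooling", "HVAC failure",
             "N+1 cooling units, monitored", "low", "low"),
]

if __name__ == "__main__":
    print(to_csv(assess(SCENARIOS)))
```

Lowering the appetite to "low" moves the two medium-risk scenarios into the treatment list without changing anyone's likelihood or impact judgement, which is how the same register serves both the technical view (the ratings) and the management view (what gets funded).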
Risk assessment is therefore a key process in monitoring and improving the security of data centres, with the goal of prioritizing investments in technical and organizational security improvements.
Astec d.o.o. is exhibiting at Infosecurity Europe 2011, the No. 1 industry event in Europe held on 19th – 21st April at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk