Welcome to our 11th Data Center Executive Roundtable, a quarterly feature showcasing the insights of thought leaders on the state of the data center industry, and where it is headed. In our First Quarter 2018 roundtable, we examine four topics: The security of cloud platforms and service provider facilities versus on-premises data centers, the pace of innovation in data center delivery and supply chain management, the impact of the GDPR and data center privacy regulation, and how the rise of the Internet of Things and edge computing will impact data center infrastructure.
Here’s a look at our distinguished panel:
- Randy Rowland, President of Data Center Services at Cyxtera.
- Dana Adams, Vice President and GM of Data Centers at Iron Mountain.
- Joel Stone, Senior Vice President and Chief Operating Officer at RagingWire Data Centers.
- Eric Ballard, Vice President, Network & Cloud at Stream Data Centers.
- Samir Shah, Chief of Staff at BASELAYER.
The conversation is moderated by Rich Miller, the founder and editor of Data Center Frontier. Each day this week we will present a Q&A with these executives on one of our key topics. We begin with a discussion about the security of cloud platforms and service provider facilities versus on-premises data centers.
Data Center Frontier: The long-predicted migration of enterprise IT workloads into third-party data centers appears to be gaining momentum. A key argument for keeping data and applications on-premises has been security. With the ongoing series of corporate data compromises, can service provider facilities – whether cloud or colocation – now make the case that they are more secure than the on-premises data center?
Dana Adams, Iron Mountain: We definitely see the migration of the corporate enterprise data center taking place with less and less resistance from internal stakeholders. This is partly driven by virtualization and the push to public and private cloud environments for increased cost efficiency, and partly driven by higher standards for security and compliance that are difficult to achieve in a sub-scale, on-premise legacy data center.
Just like data center operations, data center security and compliance are not typically the core competencies of the end user, whereas they are for a provider like Iron Mountain. A good data center services provider will ensure that physical security and compliance are woven into the design, construction and operations program for their data centers, and conduct regular monitoring through a combination of internal and external audits. Documentation and controls mapping should be standardized, which helps customer audits run smoothly. Our customers are often pleasantly surprised with how easy we have made their compliance certifications for them.
Samir Shah, BASELAYER: Service providers can offer a value proposition focused on security by addressing several key areas in their deployment models.
The first area to highlight is physical security. We’ve seen success working with service providers who deploy modular data centers to provide physical separation between customers. A layered approach allows for access based on individual needs. Note that the Department of Defense (DoD) has weighed in on physical security by creating a standard (ICD 705 Version 4.1) to help ensure robust infrastructure.
The second security focus area for a service provider is to leverage their diverse customer base to stay current on various security standards. As a result, best practices employed by large enterprises trickle down to mid/small customers who otherwise would not have access to these capabilities based on their lack of scale. Lastly, service providers should use analytics to capture anomalies which take place in their data center environments. As an example, we’ve seen service providers track changes in firmware code size to detect attacks on critical systems (generators, chillers, switchgear, etc.).
The clear trend for the industry is increased trust in moving highly sensitive workloads to shared environments. A great example of this took place earlier this year when the DoD moved classified data to Amazon’s cloud to centralize department data and systems. We believe this to be the first of many similar announcements from security-focused end users.
Randy Rowland, Cyxtera: Data center security is of utmost importance. Colocation providers can absolutely make the case for enhanced security over on-premises data centers. But when it comes to security, picking the right colocation provider is about more than physical security certifications and compliance audits. There’s a much greater risk that bad actors will compromise your colocation facilities via its network.
To effectively defend against both physical and virtual threats, a holistic approach to IT infrastructure security is needed – one that is defined around users, their roles in the organization, and the resources they need to access to perform their job. By looking at your data center security holistically, ensuring your operations and cyber security team are working as one, you’ll be better placed to secure data against threats.
Eric Ballard, Stream Data Centers: Over the past couple of years, we no longer hear businesses suggesting that the decision for data center space is between building their own vs. colocation. The decisions now are all around colocation and cloud and what the future enterprise strategy looks like. We have seen companies move from a CapEx-heavy model to an OpEx model. With this move, service providers have to prove that they are more secure and will provide the level of services that are required by the enterprise.
As a premier colocation provider, security is one of our core competencies and we are believers that companies should focus on their core competencies. We craft our internal policies and procedures and then validate them using multiple third-party auditors to achieve a multitude of certifications such as SOC2-Type2, PCI-DSS, HIPAA, ISO 27001, etc.
With a focus on physical security and a rigid enforcement and testing of security policy and procedure we can absolutely make the case that we are more secure.
Joel Stone, RagingWire: There are two kinds of data center security – cybersecurity, which protects the computer systems, applications, and data; and physical security, which prevents unauthorized access to or malicious actions in the data center facility. From a cyber perspective, the enterprises can implement the same cyber procedures and technologies in a colo facility that they can in an on-premises data center. So that’s a benefit. The physical security is typically a big improvement for an enterprise when they move to colo, as the colo facility will be able to leverage its scale and expertise to implement multi-layered, advanced security systems and officers as well as robust operational security processes.
At RagingWire, we typically have more points of security between the parking lot and server floor than what is required to access a TOP SECRET Sensitive Compartmented Information Facility (SCIF) in most U.S. government buildings. By hiring in-house, full-time, well-trained security guards who often have backgrounds in the military or law enforcement and outfitting them with sophisticated monitoring systems, every point in our facilities is watched diligently and attentively 24/7/365.
Our high-tech security barriers are in place at the perimeter of the site, with anti-ram barrier arms (that can stop a 15,000-pound truck traveling at 30 mph), anti-climb fences, badge access doors with code requirements, biometric readers, anti-tailgate access control turnstiles, high-def cameras that analyze suspicious behavior, and other devices we are constantly evaluating for their effectiveness in keeping our customers, employees, and equipment safe from harm.
NEXT UP: The pace of innovation in data center delivery and supply chain management.