cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
ZippFire
Newcomer II

Relocation of a datacenter, what Security principals

HI guys and girls,

 

Our service provider has indicated that they are moving their data center to another. We work with sensitive PI and we therefore want the move to be without any data loss and downtime.

Can you help me with the various security requirements that we can demand. What should we think about?

 

The physical security points have been thought of, but are there other security concepts that I have not thought of?

 

Your help is appreciated


Jeroen van de Weerd

Loose lips sink ships....
8 Replies
Shannon
Community Champion

@ZippFire, start by determining which elements of the CIA triad (Confidentiality, Integrity, Availability) would be applicable to the data in consideration here, and how they should be prioritized in this operation, after which you should be able to gauge the appropriate requirements and then communicate these to the provider to ensure compliance.

 

You could refer to guidelines and standards provided by NIST and SANS, among others, also making sure that you've considered regulations that are applicable to the type of data being held, as well as what's enforced where it's being held.

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
sdurbin
Newcomer III


The answer would depend upon the migration strategy.

 

I've mainly seen these types of relocations executed as a "lift and shift". In this scenario speed is the most focused upon metric and security can be an afterthought.

 

If I was performing this type of operation myself; I would focus upon a reliable communications link with secure authentication, and encryption in motion, between the old and new sites. Once this is in place you can migrate piece meal and put your efforts in to maintaining availability.

 

To do it well, including meeting availability constraints, would basically mean treating the "new" data center as an extension of the old environment in the short term. Over time gradually phasing out the old data center.

Flyslinger2
Community Champion

Also think about your current contract.  You may need to review it to see if this move is covered. You may need an addendum to the contract to cover the move-think SLA's.  If nothing exists to cover the move from an SLA perspective I would encourage your management to be proactive in getting that executed.

r3daction
Newcomer II

They are under contract with your organization. Whatever they are contracted to perform, protect or keep available to your org still holds true. My expectation is that they will go hot at the new location. Then, using a cluster, will replicate the current environment at the new then decommission the old. Removing any downtime and keeping with the SLA's that were mentioned earlier. That being said, verify that the new site falls under the purview/laws of your country.  Verify you possess any new ip's or destination addresses to eliminate and downtime if you need to send data to your new location.

 

The most important thing that stands out to me are:

 

1) Interruption of service

2) Continued protection of PI

 

Again, they are contracted already, you cannot dictate anything that isn't in the contract. You can hold them to it though. IMHO of course.

EIAKPKP452
Newcomer II

Don't forget the lower-layer topology changes that will need to be addressed in your firewall/IPS/SSL Decrypt/Applications Gateways, etc. I'm sure you've thought of that, but one problem I've seen with this type of change is the delayed removal of ACLs and configurations related to the old environment. Good Luck!

Adam
j_M007
Community Champion

I suggest you need to look at the continuity of operations issues. This is, in a sense, a disaster scenario (albeit in a thankfully controlled manner!)

 

For continuity, we have done our due diligence and gotten all of our necessary requirements down through risk analyses and business impact analyses; we understand our business and what it requires to keep pumping. This offers a perfect opportunity to plan a Reconstitution event -- when the Data Center has been blown away, how do we keep on keeping on?

 

Another aspect of this planning scenario (often an overlooked one) is what is called digital continuity. The UK National Archives have an excellent series on this very topic:

http://www.nationalarchives.gov.uk/information-management/manage-information/policy-process/digital-...

 

  1. So, think Confidentiality, Integrity and Availability: all cornerstones of our profession.
  2. Implement best practices from the Business Continuity field. In fact, if your organization doesn't have a mature business continuity presence, I suggest you hire some fine members from DRI International (drii.org), DRI Canada (https://www.dri.ca/index.php?DRIC_lang=english) or The Business Continuity Institute (thebci.org).
  3. This is NOT merely an IT issue. This affects the whole business. The CEO needs to be the champion of this because she or he has to make everybody play nice. The CEO will appreciate the CIO or the Chief Continuity Officer's guidance; but the buck has got to stop with the Chief Executive.

A few of my thoughts.

Steve-Wilme
Advocate II

Your first recourse should be to your contract.  Look at the section of changes and examine if the move requires your approval.  Then I'd look at the liability and indemnity clauses in the event of loss or damage.  You'd also want check that the service provider had backed off it's contract with appropriate insurance.

 

Then you'd want to examine the spec of the new facility.  Asking about Uptime Institute tier and ISO 27001 certification gives a reasonable indication of how robust the facility is before you dig down into the detail.  ISO certified and at least tier 3 should give you some comfort.  Then at a lower level you'd be looking at the comms and power resilience and fail over arrangements.

 

In terms of the move it rather depend on if physical infrastructure is being moved of just VMs, containers and data.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
adubey2321
Viewer II

nice