Hi guys and girls,
Our service provider has indicated that they are moving their data center to another. We work with sensitive PI and we therefore want the move to be without any data loss and downtime.
Can you help me with the various security requirements that we can demand? What should we think about?
The physical security points have been thought of, but are there other security concepts that I have not thought of?
Your help is appreciated.
@ZippFire, start by determining which elements of the CIA triad (Confidentiality, Integrity, Availability) would be applicable to the data in consideration here, and how they should be prioritized in this operation, after which you should be able to gauge the appropriate requirements and then communicate these to the provider to ensure compliance.
You could refer to guidelines and standards provided by NIST and SANS, among others, also making sure that you've considered regulations that are applicable to the type of data being held, as well as what's enforced where it's being held.
The answer would depend upon the migration strategy.
I've mainly seen these types of relocations executed as a "lift and shift". In this scenario speed is the most focused upon metric and security can be an afterthought.
If I was performing this type of operation myself, I would focus upon a reliable communications link with secure authentication, and encryption in motion, between the old and new sites. Once this is in place you can migrate piecemeal and put your efforts into maintaining availability.
To do it well, including meeting availability constraints, would basically mean treating the "new" data center as an extension of the old environment in the short term. Over time gradually phasing out the old data center.
Also think about your current contract. You may need to review it to see if this move is covered. You may need an addendum to the contract to cover the move (think SLAs). If nothing exists to cover the move from an SLA perspective I would encourage your management to be proactive in getting that executed.
They are under contract with your organization. Whatever they are contracted to perform, protect or keep available to your org still holds true. My expectation is that they will go hot at the new location. Then, using a cluster, will replicate the current environment at the new, then decommission the old. Removing any downtime and keeping with the SLAs that were mentioned earlier. That being said, verify that the new site falls under the purview/laws of your country. Verify you possess any new IPs or destination addresses to eliminate any downtime if you need to send data to your new location.
The most important things that stand out to me are:
1) Interruption of service
2) Continued protection of PI
Again, they are contracted already, you cannot dictate anything that isn't in the contract. You can hold them to it though. IMHO of course.
I suggest you need to look at the continuity of operations issues. This is, in a sense, a disaster scenario (albeit in a thankfully controlled manner!)
For continuity, we have done our due diligence and gotten all of our necessary requirements down through risk analyses and business impact analyses; we understand our business and what it requires to keep pumping. This offers a perfect opportunity to plan a Reconstitution event -- when the Data Center has been blown away, how do we keep on keeping on?
Another aspect of this planning scenario (often an overlooked one) is what is called digital continuity. The UK National Archives have an excellent series on this very topic:
A few of my thoughts.
Your first recourse should be to your contract. Look at the section of changes and examine if the move requires your approval. Then I'd look at the liability and indemnity clauses in the event of loss or damage. You'd also want to check that the service provider had backed off its contract with appropriate insurance.
Then you'd want to examine the spec of the new facility. Asking about Uptime Institute tier and ISO 27001 certification gives a reasonable indication of how robust the facility is before you dig down into the detail. ISO certified and at least tier 3 should give you some comfort. Then at a lower level you'd be looking at the comms and power resilience and failover arrangements.
In terms of the move it rather depends on if physical infrastructure is being moved or just VMs, containers and data.