For colocation provider vXchnge, security isn't just a matter of strong defenses. It also involves planning for the worst.
Willie Sutton, an infamous bank robber from the 1920s through the 1950s, denied ever saying that he robbed banks "because that's where the money is." Nonetheless, this apocryphal declaration of the obvious could equally well apply to hackers and data centers.
After providing computing infrastructure and the power to run it, data centers have to prioritize security. Without security, a data center is a data breach, and that's not an enduring enterprise.
Information technology professionals know this well. Anyone who has visited data center of any size can attest to the evident security measures. These are not places you can just walk into for a tour of the server racks.
But not all data centers handle their responsibilities to clients with equal diligence.
When MetricStream, a provider of Governance, Risk, and Compliance (GRC) services for enterprises, sought a colocation provider for its cloud-based applications, it chose vXchnge, which operates 15 colocation data centers across the US.
A colocation provider offers infrastructure, power, and security for the site, along with a local network, while its customers provide and manage their own hardware and networking.
vXchnge, in July, earned the ISO/IEC 27001 certification, which evaluates the company's Information Security Management System (ISMS), across all of its data centers.
Sameer Aghera, product manager at vXchnge, said in a phone interview that his company is the first edge colocation company to be ISO/IEC 27001 certified. The company's facilities also adhere to other standards, specifically SSAE 16 Type II, SOC 2 Type II, HIPAA/HITECH, and PCI DSS 3.1.
For MetricStream's customers in banking and healthcare, like Pfizer, Societe Generale, and UBS, all of that matters.
"MetricStream deals with compliance and regulatory issues on a daily basis," said Aghera. "They came to us originally to look for a colocation provider that put security at the forefront."
Aghera said that when most people consider data center security, they look at the physical security measures in place, like doors and access controls. At the company's newest facility in Philadelphia, he said, there are six levels of security that one must pass through to reach actual hardware.
Customers often ask about access control logs, he said, to understand the comings and goings of employees at vXchnge facilities. "Our internal customer platform allows customers to go in and see which employee entered the data center."
But there's more to it than that. "We use people and policies to manage our security program," said Aghera. "The most important thing for us is that we see security as a company-wide initiative that affects all levels of the business."
In practice, that means every new employee takes security awareness training and takes a refresher course annually, said Aghera. There's a dedicated ISMS team with stakeholders from across the company that meets regularly.
vXchnge differentiates itself through its people, processes, and policies, he said. "Policies are probably one of the more underrated parts of data center security."
The company's policies cover physical security, information security, network security, and HR security. This allows the company to take a proactive approach by having incident response plans, disaster recovery plans, and business continuity plans to deal with any issues that arise.
"Where a lot of our competitors maybe are not as robust as us is they don't have these plans in place if something happens," he said.
[Can automation improve your business? Read 10 Ways Bots Can Improve Your Business Processes.]
Another point of differentiation, Aghera claimed, is the company's use of real-time RFID-based asset tracking, which customers can use to understand the status of hardware in vXchnge facilities.
Vidyadhar Phalke, CTO of MetricStream, told InformationWeek in an interview that in the GRC market, while data may not be highly confidential ERP data, it's nonetheless sensitive information about internal controls, internal audits, and evidence of what failed.
"In a nutshell, it's sort of your dirty laundry."
What MetricStream looked for in a colocation provider, said Phalke, was a very clearly articulated segregation of duty. "Any IT organization needs to look at clearly defining where the boundaries for the IT organization stop and the data center kicks in."
Such clarity provides reassurance, an essential component in regulated industries, and also in cloud computing. "In the cloud world, it becomes cloudy, and that grayness makes things hard to decipher when something serious happens," said Phalke.
Phalke said vXchnge has a strong understanding of where boundaries start and stop, and also cited its flexibility in terms of being ready for client visits with only an hour's notice.
There's no easy way to test how vXchnge's practices compare to those of competitors, because many security incidents are never made public. But Aghera said vXchnge reports security incidents as part of its annual audits, and the company has not reported any such incident over the past year.