IT Asset Protection: How One Colocation Provider Does It


For colocation provider vXchnge, security isn't just a matter of strong defenses. It also involves planning for the worst.

Willie Sutton, an infamous bank robber from the 1920s through the 1950s, denied ever saying that he robbed banks "because that's where the money is." Nonetheless, this apocryphal declaration of the obvious could equally well apply to hackers and data centers.

After providing computing infrastructure and the power to run it, data centers have to prioritize security. Without security, a data center is a data breach, and that's not an enduring enterprise.

Information technology professionals know this well. Anyone who has visited a data center of any size can attest to the evident security measures. These are not places you can just walk into for a tour of the server racks.

But not all data centers handle their responsibilities to clients with equal diligence.

When MetricStream, a provider of Governance, Risk, and Compliance (GRC) services for enterprises, sought a colocation provider for its cloud-based applications, it chose vXchnge, which operates 15 colocation data centers across the US.

A colocation provider offers infrastructure, power, and security for the site, along with a local network, while its customers provide and manage their own hardware and networking.

In July, vXchnge earned ISO/IEC 27001 certification, which evaluates the company's Information Security Management System (ISMS), across all of its data centers.

Sameer Aghera, product manager at vXchnge, said in a phone interview that his company is the first edge colocation company to be ISO/IEC 27001 certified. The company's facilities also adhere to other standards, specifically SSAE 16 Type II, SOC 2 Type II, HIPAA/HITECH, and PCI DSS 3.1.

For MetricStream's customers in banking and healthcare, like Pfizer, Societe Generale, and UBS, all of that matters.

"MetricStream deals with compliance and regulatory issues on a daily basis," said Aghera. "They came to us originally to look for a colocation provider that put security at the forefront."

Aghera said that when most people consider data center security, they look at the physical security measures in place, like doors and access controls. At the company's newest facility in Philadelphia, he said, there are six levels of security that one must pass through to reach actual hardware.

Customers often ask about access control logs, he said, to understand the comings and goings of employees at vXchnge facilities. "Our internal customer platform allows customers to go in and see which employee entered the data center."

But there's more to it than that. "We use people and policies to manage our security program," said Aghera. "The most important thing for us is that we see security as a company-wide initiative that affects all levels of the business."

In practice, that means every new employee takes security awareness training and takes a refresher course annually, said Aghera. There's a dedicated ISMS team with stakeholders from across the company that meets regularly.

vXchnge differentiates itself through its people, processes, and policies, he said. "Policies are probably one of the more underrated parts of data center security."

The company's policies cover physical security, information security, network security, and HR security. This allows the company to take a proactive approach by having incident response plans, disaster recovery plans, and business continuity plans to deal with any issues that arise.

"Where a lot of our competitors maybe are not as robust as us is they don't have these plans in place if something happens," he said.

Another point of differentiation, Aghera claimed, is the company's use of real-time RFID-based asset tracking, which customers can use to understand the status of hardware in vXchnge facilities.

Vidyadhar Phalke, CTO of MetricStream, told InformationWeek in an interview that in the GRC market, while data may not be highly confidential ERP data, it's nonetheless sensitive information about internal controls, internal audits, and evidence of what failed.

"In a nutshell, it's sort of your dirty laundry."

What MetricStream looked for in a colocation provider, said Phalke, was a very clearly articulated segregation of duty. "Any IT organization needs to look at clearly defining where the boundaries for the IT organization stop and the data center kicks in."

Such clarity provides reassurance, an essential component in regulated industries, and also in cloud computing. "In the cloud world, it becomes cloudy, and that grayness makes things hard to decipher when something serious happens," said Phalke.

Phalke said vXchnge has a strong understanding of where boundaries start and stop, and also cited its flexibility in terms of being ready for client visits with only an hour's notice.

There's no easy way to test how vXchnge's practices compare to those of competitors, because many security incidents are never made public. But Aghera said vXchnge reports security incidents as part of its annual audits, and the company has not reported any such incident over the past year.
