Since the functions of the data center have evolved from storing and processing data to becoming a key component for data security and privacy, some smaller companies are forced to make tough decisions in order to survive. This is due to the barrage of privacy laws obligating organizations to protect personally identifiable information (PII) and personal health information (PHI), such as the U.K. Data Protection Act, Personal Information Protection and Electronic Documents Act, Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act (HIPAA).
These laws have led many companies to reassess the areas housing the systems with PII or PHI and implement more stringent physical, logical and process controls. The burden has fallen heavily on companies that provide outsourced processing services for larger international companies, such as benefits administration, marketing and recruiting services, just to name a few. In this tip, let's review two different options for securely processing and handling personally identifiable information (PII).
The costs of building a data center
To meet the additional privacy obligations as well as keep pace with the maturing technological environment, these companies storing PII often build their own data centers from unused office space. Many small- and medium-sized organizations understand that they cannot afford to build a purpose-built data center, and as a result, they may just leverage unused space. Converting space in an office to a data center, however, can be costly on several levels and the landlord may not allow it.
The infrastructure cost considerations include climate control, electricity demands, alternative power implementation, reinforcing interior office walls and fire detection and suppression. Maintenance has to be factored. How much down time can be tolerated? Depending on the answer, redundancy will need to be built into the equation.
The security costs can be overwhelming as well. Common data center security solutions include cameras, alarms, motion sensors and multifactor authentication. While organizations focus their resources on appropriate collection, processing and retention of data to meet regulatory obligations, less focus may be paid to physical aspects. As a result, the constructed data centers may not be designed to meet certain security standards, such as multifactor access and 24x7x365 monitoring and alerting of physical and environmental controls.
Compounding the problem for many companies are the U.S. regulatory bodies, such as the Financial Industry Regulatory Authority (FINRA), Federal Deposit Insurance Corporation (FDIC) and Federal Financial Institutions Examination Council (FFIEC). They have all published information on the oversight of third-party service providers in regards to the protection of data. Essentially, they say the primary organization has a responsibility to ensure their information is protected, even if it is sent to an outsourcer for processing.
The U.S. is not alone; the European Commission's Directive on Data Protection (Safe Harbor) is intended to ensure that personal data on European citizens is appropriately protected overseas. These restrictions can potentially expose inadequate data center controls the outsourcer has in place if it is a small operation with a limited budget for controls.
Even worse, many of the typical "mom-and-pop" operations who traditionally leveraged the closet or storage room as their data center may end up being classified as high-risk vendors to conduct business with. If a company does not have the proper controls implemented, it is no surprise if they lose data. Proof of this can be found in the 2009 Fourth Annual US Cost of a Data Breach Study, sponsored by PGP Corp. and the Ponemon Institute, where 88% of data breaches were caused by insider negligence. This can be financially devastating to a small company.
The hosted data center option
Considering the costs of building a data center, a good solution for a small organization may be to use a hosted facility for its data center needs. A hosted data center is a professionally run facility that rents out racks to smaller companies to store their equipment. That way, you can leverage the benefits of a professional, large scale data center without having to absorb the financial burden of building and maintaining their own. Power, security and environmental controls are handled by the data center company. There is a cost for renting the space, but compared to a company trying to implement a satisfactory solution on its own, the hosted option is cheaper and less of a hassle.
Many hosted data centers are designed with availability and security in mind, which includes dedicated security staff, professional management of the environmental systems, alternative power and fire suppression and detection, which blunts some of the biggest issues with data centers built within office space. In addition, most should be ISO 27001 compliant. This provides them with an internationally recognized certification of their controls.
Some hosted data centers offer other services as well, such as managed hosting of hardware, so smaller companies don't have to worry about the support and maintenance of the systems. The trend towards hosting continues to grow in popularity. SunGard Inc., one of the leading IT service companies with hosted data centers in several countries around the world, has reported compound growth exceeding 20% annually. Another data center management company, Digital Realty Inc., reported in their 2nd quarter earnings 22% year-over-year growth.
What all of this boils down to is utilizing a hosted data center can allow a small organization to implement large-scale security and availability controls over the data, which can potentially help them stay competitive and compliant. Regulatory authorities expect the same level of security anywhere the data resides.
About the author:
Joe Malec is a Security Analyst in the financial services industry where he focuses on third party service provider assessments in the US and abroad and has over 15 years of experience in information technology. Mr. Malec is a conference speaker and has appeared on TV and radio to discuss IT security issues. He has published multiple articles on topics including compliance, privacy and ethics in IT security. He is also the St. Louis chapter president of the Information Systems Security Association. He can be reached at email@example.com
Send comments on this technical tip to firstname.lastname@example.org.