I always enjoyed Eddie Izzard’s assertion that people writing software would deliberately leave a “back door” into their programs, just in case they needed to get back in later. Providing you could correctly guess the password – “Jeff” is favourite, as software engineers are usually called Jeff Jeffity Jeff (says Izzard) – then breaking into Pentagon computers was all too easy.
Of course, in his show “Glorious,” Eddie Izzard plays this to hilarious effect. But as funny as the sketch is (and maybe you have to be there), 2014 turned out to be no laughing matter as cyber security issues more or less dominated the headlines. Quoting Gerard Stegmaier, a privacy and data security partner at the law firm Goodwin Procter, Fortune magazine wrote “Cyber security has moved from the data center to the boardroom.”
I’d say it went further than that as the media had a feeding frenzy on the subject. “Whether it was insider threats, anonymous, or nation-state hackers, 2014 was a bad year for anyone whose job is to protect sensitive data from unsanctioned access,” said Kevin Jones, senior IT security architect for Thycotic, in a Cybersecurity report by Forbes.
The very public attack on Sony and the “pillaging of its data”, followed by the company’s climbdown over the release of The Interview, not only brought the relatively new idea of cyberespionage to very public awareness, but also heightened corporate fears that nation states could wage effective economic war from the comfort of their own living rooms. All that is needed is a decent broadband connection and you can stop business in its tracks.
Unsurprisingly, the subject of cyber security has been raising its head more and more often as we speak to companies about the automation of their data centers. In every sense, customers have quickly moved the conversation along from features and benefits to the rigor with which the DCIM applications are being compiled and tested.
This obviously has ramifications for the many companies which supply products and services in this growing sector, not the least of which is the significant expense attached to doing this job properly. In making their decision about which manufacturer to engage with, customers are looking for confidence that their supplier of choice has sufficient resource to ensure the ongoing security, maintenance and patching of the software – in addition to the first cost of procuring and installing the application.
At Schneider Electric, we know about this stuff. With the acquisition of Invensys one year ago, the company was propelled into the global top tier of software vendors – an interesting transformation for a business which has its roots in industrial manufacturing.
A few years ago, a data center colleague confided that rather than make dashboards network-available, he’d opted to display them on a screen and then relay the information via a CCTV feed, so that it could only be viewed passively with no interactivity. It was his way of not only preventing data feeds from leaving the corporate domain, but also of stopping any individuals from interfering with operations.
It should therefore be a great consolation to users and potential users of on-premise DCIM that the software server resides inside the firewall, so any potential breach of security should have already been dealt with. In fact, DCIM is no more or less secure than your network is already. And since there is no real need to connect it to the internet, in its current form on-premise DCIM does not introduce any new vulnerability to the network.
What that says to me is that companies that have well-defined processes and policies around security should have no real concerns about the introduction of DCIM to their data centers. Conversely, those that voice concerns about DCIM probably have bigger worries they’re not talking about.