Wanna Keep A Secret?
Security is mostly a state of mind, but creating that good feeling can be very expensive. Banks, for instance, are absurdly easy to rob. Yet every bank branch features foot-thick steel vault doors (usually left open during business hours), bulletproof glass (only at drive-up windows) and uniformed guards (most of whom couldnt chase down a three-legged turtle). All of this window dressing serves to convince people that a bank is a safer place than a mattress to store money, and that translates into big deposits for the banks.
The same principle holds true in the data-hosting business. If you want people to store their business-critical data on your servers instead of their own, you have to provide overwhelmingly obvious evidence that your place is more secure than theirs.
"In the past, operating systems and hardware [including servers] were the focus for a companys security concerns. [With outsourcers,] someone else is managing the data. The comfort issue of having in-house storage is still important," says Doug Chandler, an analyst for International Data Corp.
But today, he adds, security technology has reached the point where the focus should be not on the physical location of data, but more on the process and implementation of protection.
Two years ago, ServerVault founder and CEO Patrick Sweeney II set out to build an "ultrasecure" data-hosting facility. The customers he wants are the holdouts against outsourcing. Their potential business is much bigger than the small change of all dot-coms combined.
"We are attracting companies who already have set a precedent for high levels of security, and, because of that, they have never before considered outsourcing possible. These include banks, insurance companies, financial organizations, companies with medical-related databases, etc.," says Sweeney.
These customers share needs for 100 percent availability, the highest defenses against intrusion, and ultimate protection against physical disasters. Completed in January 2001, ServerVaults first data center offers a peaceful nights sleep to even the most paranoid of customers.
Securing the Perimeter The Dulles, Va., data center is surrounded by a wrought-iron fence designed to withstand a 25,000-pound impactsuch as from a fast-moving car. The fence is monitored constantly by a microwave-based system. Any contact with the fence triggers alarms and causes multiple video cameras to zero in on the point of disturbance.
The gatehouse entrance is staffed by armed guards recruited and trained by Navy SEAL Team-Four founder Pat Tray. These are not your typical semiretired rent-a-cops. Most are former elite-force military types who receive specific training to immunize them against the social-engineering techniques used by terrorists, spies and hackers.
Armor sheathing protects incoming data and utilities conduits. Three Internet service providersincluding a wireless connectionback up ServerVaults 100 percent uptime guarantee.
Once Inside, It Gets Even Tougher There are no ravenous Dobermans inside the fence, but security remains tight. More armed guards monitor doors to sensitive areas such as the server farm, network operations center and core router facility.
Biometric finger scanners at key access points positively identify authorized personnel. The scanners measure body heat and capillary activity, so an intruder would be foiled even if he cut the thumb off an employee and tried to pass a fake fingerprint.
Even authenticated customers arent allowed inside the server room. They have to be content with video views supplied by cameras mounted on the hats of ServerVault employees. Three-quarters of ServerVaults employees hold top-secret government clearances, and all are subjected to intensiveand expensivebackground checks before being hired.
Even the servers are searched before theyre placed in the data center, and they are monitored continually to prevent tampering.
Perpetual Power The vital switch room at ServerVaults data center is housed in a state-of-the-art concrete vault designed by German security specialist Lampertz and installed by Lee Technologies Group.
Lee Technologies has specialized in mechanical and power systems for high-availability IT facilities since 1984. A company spokesperson describes the ServerVault installation as "the pinnacle of our 15 years experience."
"We basically told Lee Technologies to build the facility theyve always wanted to build," says Phil Dolan, marketing chief for ServerVault.
The "Lampertz Room" is designed to resist fire, flood, electromagnetic interference and explosives. Auto-sealing doors and vents protect the equipment inside from smoke, humidity, fire-fighting chemicals and other hazards in the event of disaster in other parts of the data center.
Lee Technologies also included twin Caterpillar diesel electric generators and redundant German-made uninterruptible power supplies capable of powering the nearby city of Herndon, Va., for up to 12 days.
Routers for All Reasons ServerVault selected routing and switching equipment from several vendors based on highly specific application needs.
"We found that Cisco makes the best medium-end routers," says John Broome, ServerVaults chief network officer. "Juniper [Networks] routers provided the best flat-out performance at the edge of the network," particularly when loaded with ServerVaults customized packet filtering, auditing and other security overhead. "Alcatels switches provide Layer 2 isolation features that prevent one customers machine from accessing anothers," he adds.
Server-to-Server Security One of the hazards of co-location is that a hacker who gains access to one server may be able to trash other servers in the same farm. ServerVault covers that base with host-based intrusion-detection systems.
"Along every communications path, there are multiple intrusion-detection and -prevention modules," says Broome. While declining to specify all of the techniques used, he cites TripWire, a system monitor/alert suite that logs every change made to every servers configuration. It also broadcasts alerts to monitor screens located throughout ServerVaults facility, and it enables swift reversal of unauthorized or unintended changes.
Customers Feel Secure Acumen Solutions is one happy ServerVault customer. The IT services firm specializes in operation support solutions for global communications services providers. Its worldwide consultants deal with clients sensitive internal information, so the security of interoffice communications was of paramount importance.
"We outsourced [to ServerVault] storage, e-mail and our public Web site as a way of saving resources. We didnt want to incur the overhead," says David Joubran, president of Acumen.
As an added bonus, ServerVault helped Acumen evaluate and upgrade its internal security policies and procedures. ServerVaults staff "helped us establish a level of security," notes Joubran. ServerVault walked through the work process with Acumens staff to establish the specific levels and areas that needed more attention. "We created a system of checks and balances," he says.
ServerVault may have a niche handling security for other managed service providers. Document-management specialist Cardobe Technologies outsourced its document storage, Web-site management and the external network that its customers use to access their documents to ServerVault. Why build and manage an ultraexpensive, ultrasecure data center when you can rent one?