June 2007 | Volume 2, Issue 4
Under Lock and Key: Data Center Security
Modern information security is much more than passwords and data encryption. Effectively protecting the confidentiality, integrity, and availability of information in the current environment requires constant vigilance and multiple levels of security. Because state systems contain confidential data, including citizen social security numbers, agencies invest significant resources to carefully guard it. Since data center services (DCS) responsibility transitioned to IBM’s Team for Texas (TFT), the need for comprehensive data security remains high. To meet the stringent requirements, a combination of controls will be used to protect state data assets.
Security Documentation
Security designs and administrative controls (written policies, procedures, standards, and guidelines) are important features of any security program. Security designs describe the overall approach to security and form the foundation for all security activity. Administrative controls describe the conduct of day-to-day operations and expectations of employees, vendors, and contractors. Three TFT deliverables jointly address these functions for Texas data center services.
- The Security Design Document (SDD) outlines the overall DCS security program at a high level. It includes the security architecture of the consolidated data centers, the plan to implement the architecture, and the principles and requirements necessary to support the architecture. The SDD is scheduled for completion on June 30, 2007.
- The DCS Policies and Procedures Manual (PPM), Section 4.11, Physical Access and Security, and Section 4.12, Logical Access and Security, describe the policies and procedures directing day-to-day security operations. Section 4.11 contains information on physical security, such as how access to the data center building will be controlled. Section 4.12 describes how logical security, such as the administration of IDs and network security, will be managed. IBM and DIR are developing processes for administering and managing privileged ID functions. Privileged IDs are user IDs that allow access to modify system components. This information will be included in Section 4.12 when finalized and approved by DIR. The Policies and Procedures Manual, delivery two, contains the currently published security procedures. This information can be referenced by DCS agencies and TFT on the Domino Document Manager or through QuickPlace. Agency staff who do not have access to these document libraries should contact their customer representative.
- The Information Security Controls (ISeC) Document explains technical specifications and standards. The ISeC document is the most in-depth of the security control documents, and includes such details as password protocols, the timeframe for passwords to expire, and the specifications to be used in server build-outs within the consolidated data centers. It also describes patch management, operating system security controls, vulnerability scanning and assessments, access control, compliance, and security incident management. The final ISeC will also include agencies’ current technical standards and responsibilities, planned future standards and responsibilities, and the gaps in between. The ISeC is scheduled for completion later this summer.
Future Security Standards
One goal of data center consolidation is to create a secure infrastructure that can be managed at the enterprise level. The TFT Security Team will assess the current state of security in the agencies, establish a common security standard for the enterprise, and determine what gaps exist between the current and future states. During data collection and due diligence for the DCS procurement, agencies gathered significant information about current approaches to security management. The TFT Security Team is reviewing this information and will contact agency customer representatives over the summer to collect additional data necessary for their assessment process. The new protocols will be included in the ISeC document and implemented in the consolidated data centers, placing all agencies on an equal security standard.
For More Information
DIR holds monthly briefings on DCS security. These briefings provide an overview of security activity, discussion of security roles, and a forum for answering security-related questions. All agency staff involved with data center services are welcome to attend.
Briefings are held on the third Friday of each month from 1:30 to 3:30 p.m. in Room 103 of the William P. Clements Building (300 West 15th Street in Austin). For data center services security questions or to RSVP for the briefing, please send an e-mail to datacenteragency@dir.state.tx.us.
“What Did You Say?” Acronyms Explained
While acronyms serve a useful purpose—to simplify and shorten references to complex terms—they can also confuse when all team members do not share the same vocabulary. Here are a few new or common data center services acronyms and their definitions.
SDM – Service Delivery Manager. This TFT employee is the single point of contact for services at an agency. The SDM operates as a project manager for the agency’s data center services, handling, tracking, and escalating issues, problems, changes, and procurement requests. Many SDMs support only one agency, allowing them to focus on understanding the agency, its customers, and its technical operations. TFT recently increased the number of these positions in their organizational structure to better coordinate operations and communication among the different teams serving each agency.
CSA – Client Services Advocate. This TFT employee helps agencies with strategic planning for data center services. CSAs support several agencies and help agencies identify cross-agency similarities as well as opportunities to effectively share resources.
DND, DAD, and RTA – Deliverable Notification Document, Deliverable Acceptance Document, and Recommendation to Approve. These documents track the acceptance status of IBM deliverables. The DND and DAD verify DIR’s official acknowledgement (DND) or approval (DAD) of a Team for Texas deliverable. A signed RTA documents an agency’s recommendation that DIR approve a deliverable. Based on criticality, deliverables are designated with either a DND or DAD. RTAs are assigned to key deliverables like agency Transition Plans and Transformation Plans.
TFT – Team for Texas. This term includes IBM and its main subcontractors: Unisys, Xerox, and Pitney Bowes. Various abbreviations of Team for Texas have surfaced, but the only official acronym is TFT.
DCS – Data Center Services. This includes all in-scope services for the IBM contract. “DCS” can also be used to describe people, tools, or activities related to the contract (e.g., the DCS team, the DCS portal).
SRM – Service Responsibility Matrix. This set of spreadsheets outlines specific work tasks and designates which party (agencies or TFT) has responsibility for them. SRMs are distributed to agency customer representatives as they are completed and will become part of the Policies and Procedures Manual, Section 8.
ADC – Austin Data Center. This facility, in conjunction with the San Angelo Data Center, will house consolidated agency operations. For more information on the ADC, see “Opening Soon” on page 4.
DDM – Domino Document Manager. This is the main document library for data center services. It holds the Policies and Procedures Manual and contains very powerful search tools to find specific information. The DDM is being rolled out to agencies and the Team for Texas. Agency staff should contact their customer representatives to gain access to the DDM; Team for Texas staff should contact their supervisors.
Opening Soon: The Austin Data Center
IT directors and agency staff have been touring the new Austin Data Center (ADC) in anticipation of its August opening. The ADC, in conjunction with the San Angelo Data Center, will host the consolidated operations of the 27 DCS agencies, including server, mainframe, print/mail, and support center functions. Agency operations will be consolidated over 24 to 36 months starting in August 2007. Until fully migrated to the consolidated facilities, an agency’s operations will remain in the agency’s data center.
The ADC is a “built for purpose” facility designed with the latest technology in mind. Construction started in late December 2006, with Phase I completed in early April and Phase II completed in mid-May. The third phase is scheduled for completion in mid-July. Everything in the building, from the floor to the ceiling, was designed and built to meet State of Texas DCS requirements. The facility includes computer room raised floor, office (cubicle) environments, and loading docks for deliveries. The design incorporates state-of-the-art physical and logical security features including tightly controlled data access, security monitoring, segregated and secured virtual LANs (VLANs), network redundancy, and host and network intrusion detection. Two power grids from Austin Energy and three UPS (uninterruptible power supply) units service the building. Additionally, there are dual power paths to every network, server, mainframe, and tape storage unit so critical services can be maintained in the event of an equipment failure.
The ADC also includes the latest energy and lighting efficiency features. The facility has a 93 percent energy efficiency rating, near the highest grade currently available and substantially surpassing the 85 percent efficiency levels found in typical facilities across the industry. Additionally, Team for Texas manages the ADC as a “lights dim” facility, with the lights in the computer operations areas off most of the time. This allows the building to operate at 23 percent below the state energy allowance for its size.
With over 70,000 square feet, the ADC has space for the current 27 DCS customer agencies and room to grow. The facility will support approximately 200 on-site Team for Texas employees. For security, employees will be required to pass background checks (depending on security clearance) and will have ID badges to access the building and personal identification numbers (PINs) for restricted areas.