ISACA Journal
Volume 5, 2,017 


Information Security Matters: Information Security in the Multi-Modal Era 

Steven J. Ross, CISA, CISSP, MBCP 

Podcast  New!
ISACA Journal Volume 5 Podcast:  Information Security in the Multi-Modal Era

Data centers used to be so simple. Big room. Big boxes. People rushing around pushing buttons and hanging tapes. Men were men and dinosaurs roamed the earth. Now it is all gone, including the sexism. In this century, so far, data centers have been dark, forbidding, small rooms—large closets, really—with small machines that have big appetites for power and cooling. And no people at all, at least not where the computers are. And now, even that sort of data center is disappearing.

Where is it going?

The answer is, “Lots of places,” including third-party colocation (colo) centers, managed services in vendors’ data centers (or their colo sites), and the cloud, where- and whatever that is. At any given moment, organizations are finding that their applications and the data associated with them are running in many different venues, all at the same time. This is the dawn of the multi-modal era; data center staff must adjust or be left behind. And so must security professionals.

Access Control in Multi-modal Environments

There are many causes of the movement away from central, business-owned data centers—technological, economic, sociological and geographic causes. I would rather focus on the effects, specifically, those regarding information security, recoverability and control. As information resources, both data and software, move beyond the confines of the organizations that own them, there is necessarily more potential access to those resources by people other than those employed by the organizations.

Who are those guys?1

At the most basic level, they are somebody else’s employees. They are “touch labor.”2 They are technicians managing tasks such as backups, patching and general upkeep of customers’ IT infrastructure. They are the people who manage a public cloud, which, stripped to its essentials, is nothing but a series of linked data centers operated as a utility. They are security professionals managing firewalls, encryption keys, threat detection and incident response. Some of these categories of people require access to their customers’ data; others must never have that access. The task for an organization’s own information security professionals is to recognize the difference and take appropriate measures to control all these external and unknown persons. Quis custodiet ipsos custodes? (Who guards the guardians?) must be dealt with at increasing levels of abstraction. Who, indeed, guards the guardians guarding the guardians guarding the…?

Recent history has shown us that physical access to computing equipment can circumvent all logical access controls.3, 4 For decades, when we said “access control” we meant logical restrictions, with physical access to equipment limited to a relatively few mandarins. The barrier was a locked and monitored door to a data center. That may still be the case in a colo where, if an organization has a locked cage, there is some assurance that only visiting customer employees can get access.

If there are only a few racks in a shared row, the lock on the cabinet door is not as reassuring. And even with the locks, many customers engage colo employees to install new devices, withdraw tape backups and perform other activities that require physical presence.

The Outsourcing Challenge

At one level, the challenge of securing data and other electronic resources inside remote physical equipment is simply an extension of the problems of outsourcing, with which some organizations have dealt for years.5 What is strikingly different today is that organizations are outsourcing different platforms, infrastructures, applications and control functions to different providers all at the same time. At any point in time, an organization may simultaneously have some of its information resources in its own data center, in a colo, at services accessed over the Web and in multiple clouds. In most cases, this was not planned; it developed over the years. And as the upcoming year passes, the mix will change.

Whatever the distribution of systems, it is likely that there will be interactions among the systems. Thus, the challenge for security specialists and operations personnel generally is to develop the capability to see and oversee all of them at the same time. For example, if an organization is experiencing an attack on a system hosted at a colo, it would be important to know if the attack spreads to related systems being hosted in another data center or in a cloud.

A Cloud of Clouds

Note the use of “a cloud” and not “the cloud” in the previous sentence. Many of us have become so used to dealing with cloud-supported services as a concept that we have lost touch with the reality that an organization may use several of these services. Thus, organizations need a virtual console6 that can provide simultaneous visibility into all the enterprise’s environments. What users view is, for many organizations, not one cloud, but a cloud of clouds, once again raising the meta-level of control. Each cloud needs to be secured individually and as an ensemble.

One advantage of a multi-modal architecture is that, leaving aside the spread of a virus or worm, enterprisewide downtime is quite unlikely. A power outage, for instance, in one servicer’s data center is not going to affect the others, all in locations far from one another. On the other hand, many current IT disaster recovery plans anticipate an all-or-nothing outage in a single central data center. Disaster recovery planning is going to have to be rethought for multi-modal environments, an excellent topic for a future article.

Of course, organizations will always have internal data centers, at least as long as employees work on organizational premises. There needs to be one ring that rules them all, with a nod to J. R. R. Tolkein.7 That would be the data center that connects all the people inside the building with all the systems they use, wherever those systems may be. That data center may be no more than a closet with file servers and network connectivity, but it will be there and it, too, will need the same sort of security as bigger data centers have had in the past and still do today.

As I see it, the future will bring competition among multi-modal service providers (MMSPs). In fact, that is occurring today as some of the larger colo/hosting vendors branch out into cloud-based services. What remains to be seen is when, not if, they realize that security is a strategic differentiator among them.


1 A question made famous in the movie Butch Cassidy and the Sundance Kid, USA, 1969, asked by the heroes multiple times with increasing frustration at their inability to evade the long arm of the law
2 A rather inelegant phrase for people doing actual work on computers and storage, using their hands
3 Kushner, D.; “The Real Story of Stuxnet,” Spectrum, IEEE, 26 February 2013,
4 Perlroth, N.; “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back,” The New York Times, 23 October 2012, The same delivery method was used for the original Shamoon. It is not clear whether Shamoon 2 was delivered the same way.
5 Tiow, B. L.; “A Security Guide for Acquiring Outsourced Service,” SANS Institute, 19 August 2003, There is no shortage of literature on this subject and very little has changed over the years. See, for example, this article published in 2003.
6 I am not referring to Nintendo’s tool of that name.
7 J. R. R. Tolkien (1892-1973) was an English author, poet and university professor. He is best known as the author of The Hobbit, The Lord of the Rings and The Silmarillion, among other fantasy novels.

Steven J. Ross, CISA, CISSP, MBCP
Is executive principal of Risk Masters International LLC. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at


Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.