TotaLand News

What is the security of your data worth?

A wise man once said that we shouldn’t look for bargains when it comes to brain surgery or parachutes.  While the security of your data may not be a literal life-or-death issue, it may very well be a factor when it comes to the life (or death) of your company.  The land industry is (appropriately) famous for its insistence on discretion.  I learned that while on the field side myself, and the lessons learned back then have become a cornerstone of TotaLand today.  Speaking of lessons learned, the following is based on my experience and knowledge gained in going through the steps and processes required for our SSAE 16 compliance audits.
 
First of all, let’s clarify what we mean by security.  There are actually three broad areas under that umbrella: access control, data protection (from loss) and access availability.  As the term implies, access control is simply the ability to control who has what type of access to your data.  You may want one individual to be able to view and create data but not delete it, while another should have no access at all, with many variations in between.  The rule that makes this workable is deny by default: a user gets only the access that has been explicitly granted, and anything that is not listed is refused.  You get the idea.
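As an added illustration of the access-control model the paragraph describes (example code written for this page, not TotaLand’s own code), the following Python module grants each role an explicit set of actions and denies everything else, including unknown roles and unknown actions.  It goes a step beyond the text by also requiring ownership of a record for edits and deletes (administrators excepted) and by recording every decision in an audit list, since a denial nobody can see is hard to investigate.  The role names, the ownership rule, and the sample users and record are assumptions made for the example.

```python
"""Deny-by-default access control matrix.

Added example for this article, not TotaLand code.  The roles, the
ownership rule and the sample users/records are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    VIEW = "view"
    CREATE = "create"
    EDIT = "edit"
    DELETE = "delete"


# Role -> actions that role is explicitly granted.  Anything absent is denied.
ROLE_PERMISSIONS: dict[str, frozenset[Action]] = {
    "viewer": frozenset({Action.VIEW}),
    "contributor": frozenset({Action.VIEW, Action.CREATE}),  # may add, may not delete
    "editor": frozenset({Action.VIEW, Action.CREATE, Action.EDIT}),
    "admin": frozenset(Action),  # every member of the Action enum
}

# Actions that additionally require the caller to own the record (admins exempt).
OWNER_ONLY = frozenset({Action.EDIT, Action.DELETE})


@dataclass
class User:
    name: str
    role: str


@dataclass
class Record:
    record_id: str
    owner: str


# Every decision, allowed or denied, lands here so it can be reviewed later.
AUDIT_LOG: list[dict] = []


def authorize(user: User, action: Action, record: Record | None = None) -> bool:
    """Return True only when the role explicitly grants the action.

    Unknown roles, values that are not an Action, and missing records all
    fall through to False: a lookup failure must never become a grant.
    """
    granted = ROLE_PERMISSIONS.get(user.role, frozenset())
    allowed = isinstance(action, Action) and action in granted
    if allowed and action in OWNER_ONLY and user.role != "admin":
        allowed = record is not None and record.owner == user.name
    AUDIT_LOG.append({
        "user": user.name,
        "role": user.role,
        "action": action.value if isinstance(action, Action) else repr(action),
        "record": record.record_id if record else None,
        "allowed": allowed,
    })
    return allowed


def permission_matrix() -> dict[str, dict[str, bool]]:
    """Role-by-action table, handy for a periodic access review."""
    return {role: {a.value: a in perms for a in Action}
            for role, perms in ROLE_PERMISSIONS.items()}


if __name__ == "__main__":
    lease = Record("lease-1042", owner="alice")  # constructed sample record
    checks = [
        (User("alice", "contributor"), Action.CREATE),
        (User("alice", "contributor"), Action.DELETE),
        (User("bob", "editor"), Action.EDIT),        # not the owner -> denied
        (User("carol", "admin"), Action.DELETE),
        (User("dan", "no-such-role"), Action.VIEW),   # unknown role -> denied
    ]
    for user, action in checks:
        verdict = "allow" if authorize(user, action, lease) else "deny"
        print(f"{user.name:6} {user.role:13} {action.value:7} -> {verdict}")
```

The point to notice is the shape of `authorize`: every branch that cannot positively prove a grant returns False, and the audit entry is written regardless of the outcome.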
 
Again, as the term implies, data protection refers to the risk that your data could be lost (or corrupted) in a single event.  That event could be malicious or simply the result of hardware failure or carelessness.  Data protection is addressed with redundancy, which can be local, remote, or both.  Local backups (i.e. within the same rack, datacenter or server room) are fast, for backups and particularly for restores, but they are exposed to the same single disastrous event as the primary data.  Remote backups (i.e. at a different physical location, ideally at least 40 miles away) add cost and take longer, particularly when it comes to a restore, but they are an absolutely critical component of data security.  Two caveats apply to either kind: a copy that is writable with the same credentials as the primary system can be wiped or encrypted by the same malicious event, and a copy whose integrity is never checked may turn out to be unusable on the day it is needed.  Obviously, a combination of local and remote backups provides the most complete and efficient protection against data loss.
 
Access availability (sounds redundant, doesn’t it?) refers to the idea that, although your data may be safely backed up somewhere, it is worthless if it cannot be restored and used in the same fashion as before the loss of the primary data.  For a commercial application such as TotaLand, backing up all of your data may not be sufficient when it comes time to recover from a disaster.  If you have to start with new hardware, think of the time it could take to configure every server all over again.  One of the many benefits of virtualization is that the servers’ configuration is stored along with your data.  TotaLand uses about a dozen or so virtual servers, so having the ability to ‘spin up’ those servers in the case of a bare-metal restore is an incredible time saver while providing some serious peace of mind.  The only way to know that a restore will work is to rehearse it: restore a backup onto scratch hardware (or a scratch virtual machine) and confirm that the result matches the original.
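The two preceding paragraphs (data protection and access availability) can be tied together in a short rehearsal: back up a directory with a manifest of per-file SHA-256 digests, copy the archive to a ‘local’ and a ‘remote’ location, then prove each copy is usable by restoring it into a scratch directory and comparing every restored file against the manifest.  The Python below is an added example written for this page, not TotaLand’s backup tooling; the directory names, the sample files and the deliberately damaged remote copy are all constructed inside a temporary directory so it runs offline.

```python
"""Backup with an integrity manifest, replication, and restore verification.

Added example for this article, not TotaLand tooling.  All paths and
sample data are constructed under a temporary directory.
"""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
import zipfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(archive: Path) -> Path:
    """nightly.zip -> nightly.manifest.json (kept beside the archive)."""
    return archive.with_suffix(".manifest.json")


def make_backup(source: Path, dest: Path, name: str) -> Path:
    """Archive `source` into dest/<name>.zip and record each file's digest."""
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"{name}.zip"
    files = sorted(p for p in source.rglob("*") if p.is_file())
    manifest = {p.relative_to(source).as_posix(): sha256_file(p) for p in files}
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in files:
            zf.write(p, p.relative_to(source).as_posix())
    manifest_for(archive).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return archive


def replicate(archive: Path, targets: list[Path]) -> list[Path]:
    """Copy archive and manifest to each target (e.g. one local, one remote)."""
    copies = []
    for t in targets:
        t.mkdir(parents=True, exist_ok=True)
        copies.append(Path(shutil.copy2(archive, t)))
        shutil.copy2(manifest_for(archive), t)
    return copies


def verify_restore(archive: Path) -> tuple[bool, list[str]]:
    """Restore into a scratch directory and check every file against the manifest.

    Returns (ok, problems).  Any failure to extract counts as a failed backup:
    a copy that cannot be restored is no backup at all.
    """
    expected = json.loads(manifest_for(archive).read_text())
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with zipfile.ZipFile(archive) as zf:
                zf.extractall(scratch)
        except Exception as exc:  # BadZipFile, zlib.error, OSError, ...
            return False, [f"restore failed: {exc}"]
        for rel, digest in expected.items():
            f = Path(scratch, rel)
            if not f.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(f) != digest:
                problems.append(f"digest mismatch after restore: {rel}")
    return not problems, problems


def run_demo() -> dict[str, tuple[bool, list[str]]]:
    """Build sample data, back it up, replicate, damage the remote copy, verify all."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        data = root / "data"  # constructed sample dataset
        (data / "leases").mkdir(parents=True)
        (data / "leases" / "tract-17.txt").write_text("constructed sample lease\n")
        (data / "title-runsheet.bin").write_bytes(os.urandom(128 * 1024))

        archive = make_backup(data, root / "staging", "nightly")
        local, remote = replicate(archive, [root / "local-rack", root / "offsite"])

        # Simulate media damage on the remote copy: flip one byte in the data.
        raw = bytearray(remote.read_bytes())
        raw[len(raw) // 4] ^= 0xFF
        remote.write_bytes(raw)

        return {"staging": verify_restore(archive),
                "local": verify_restore(local),
                "remote": verify_restore(remote)}


if __name__ == "__main__":
    for copy, (ok, problems) in run_demo().items():
        print(f"{copy:8} {'OK' if ok else 'FAILED'} {problems}")
```

Run it and the staging and local copies verify while the damaged remote copy is reported as failed.  The manifest is what makes the check meaningful: without a digest recorded at backup time, a restore can only prove that something came back, not that it is the same data.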
 
Now that we have loosely defined what security means, let’s consider the three broad categories of controls used to achieve it: physical, network and personnel.  Physical security refers to the obvious: physical access to servers, storage devices and other hardware on the network.  The most secure datacenters incorporate biometric identification, armed guards, locked racks, controlled admittance, etc.  While it may seem to have more to do with reliability than security, the complete physical security package also includes redundant power sources (multiple grids for datacenters, backup generators, A and B outlets within each rack, multiple power supplies on servers and appliances) as well as multiple communication providers.  Finally, physical security also includes the degree to which you limit or control access to client computers within your office.
 
In general, network security refers to firewall and password settings, and even policies such as scripted, forced screen locks for both client computers and smart phones.  Network security could be (and often is) the subject of lengthy white papers in itself, and that level of detail is beyond the scope of this article.
 
Finally, and usually the most overlooked, is personnel security.  There is simply no way around having to trust your personnel, at least to some extent.  As such, it should be standard practice to require anyone who will have access to or control of your data to undergo background checks and drug screening.  You should have written policies addressing both onboarding and separation of personnel, and more importantly, these policies need to be enforced: accounts, keys and badges that outlive an employee’s departure are a standing risk, so separation means revoking access the same day, not just collecting the laptop.
 
As noted above, TotaLand is SSAE 16 Type II compliant, which is no easy task.  SSAE 16 is the attestation standard that replaced SAS 70 in 2011; search for either on the web to get more details, but I can tell you that the process is very rigorous and ongoing—and we are proud to be able to offer this level of professionalism and commitment to security to our clients.
 
So how does that relate to the “brain surgery and parachutes” quip at the beginning of the article?  One might be tempted to think that, since TotaLand is such a secure and reliable package, that we might not be ‘bargain’ priced.  Actually, the opposite is true—we are very reasonably priced and never charge per user nor limit the number of users you can have.
 
Best wishes and regards in your daily pursuit of landman excellence!