Verizon security chief says protect your data first

ATLANTA -- JP Callahan, a former counter-intelligence agent with the U.S. Department of Defense, runs data center security for Verizon Business, the company's data center hosting arm. While Callahan has the demeanor of a standup comedian rather than a CIA spook, his full-time focus is data center security. caught up with Callahan at Afcom's Data Center World conference last week.

JP Callahan, data center security, Verizon

What's your biggest concern in data center security?
Physical security in the data center is about who touched what when. I'm not worrying about someone stealing a server for its monetary value. I'm concerned about someone stealing the data without me knowing.

We do audit trails, employee vetting.

What's the biggest threat in the data center? Internal users?
Exactly. Instead of spending money on bollards [posts preventing vehicles from entering an area], run internal checks. Which guy in your company just went into bankruptcy? How many background checks could that money buy?

What misconceptions have you seen in data center security?
I come across data centers with pop-up bollards. How many times in the last 35 years has a truck bomb been used in the U.S.? The University of Wisconsin ROTC bombing [1970]; the Oklahoma City bombing [1995]; and then the New York Trade Center [1993]. Three times. But we're spending hundreds of millions of dollars hardening our data centers against truck bombs.

Where's your anti-aircraft weapons? You could have taken the price you were pumping into hardening your facility and built a secondary site.

So hardening the data center doesn't matter?
I'm not saying throw out your data center security. You have to increase the complexity of the attacker's planning process. But if you're building those bunkers, you're building one of them.

Spending the money on a third redundant site will get you more ROI [return on investment]. Most people have a primary and redundant site. Why not have a primary and two redundant sites? That way, if somebody blows up your place with a truck bomb -- you now have another redundant site somewhere. You've hunkered down, but why not spread it out?

There are some sectors where your IT infrastructure is potentially a target, and you'd better hunker down and hide. The Pentagon and Wall Street are targets, but not the data centers. Your data center doesn't need to be there. I've got fiber in front of my house! Why do you need the data center there? The paradigm is that it's mine and I want to be able to touch it. People will harden a facility because it's what they do.

What do you think of biometrics?
Our managed data centers all have HandKey II hand geometry readers. The biggest push back I get on them is that people think they aren't sanitary. But then they'll go touch the door knob.

We have three-factor automation to get into our facilities. Badge, biometrics and all doors are PIN activated. I need that audit trail. In the collocation environment we offer an optional biometric.

Why hand geometry readers?
If I have to push a population through a door, transaction time is absolutely critical -- I don't want to hear "step back, step forward" [in relation to Panasonic iris readers]. That's why I use HandKey. It's dependable. It's fast.

Fingerprint readers are interesting and cheap. But last research I did on this said 4% of the U.S. population can't use fingerprint technology because their skin is too dry. Retina scan is incredibly detailed, the problem again is transaction time. Plus, three-four years ago there were societal impacts. 'What are you doing with this? I'm putting my eyeball up to this thing?'

If you want to speed up biometric processing, you need to distinguish between identification and authentication. Identification is 'Who are you?' Authentication is 'Are you who you claim to be?' Putting the ID badge down first in a combined system speeds up the transaction time.

This interview originally appeared on
