Iron Mountain’s Gatekeeper

CISO Mark Olson of Iron Mountain outlines the keys to keeping information accessible in an increasingly security-conscious world

In today’s technology-driven landscape, information security isn’t just about preventing hackers from breaking into a company’s systems and stealing information. The heart of information security is in promising information availability and integrity to clients. “Our job is making sure the data our customers rely on is going to be there every day, the way it was yesterday,” Iron Mountain’s vice president and chief information security officer Mark Olson says. “It will be secure and not altered, and they can depend on that fact.”

Olson is in charge of ensuring applications are written securely for the information-management services company, handling Internet responses, managing global directors, and high-level security responsibilities. In order to juggle it all, he’s created elaborate and detailed systems to establish security for both Iron Mountain and its array of global clients.

156K: organizations being serviced
36: countries where information is stored, protected, and managed
94%: of Fortune 1000 companies are assisted by Iron Mountain

Iron Mountain sets up systems of automated controls that allow data to flow where it should and stop when needed. It also has an extensive information assurance program—a set of standardized policies and procedures that ensure that data is protected across all areas of the business. Within this structure, commercial products are employed for encrypting correspondences and a detailed checks-and-balances scheme is in place to ensure only the appropriate people have access to certain levels of information.

“In the security space you need a separation of duty,” Olson says. “That separation happens in a number of areas, particularly the security controls and devices.” For example, log entries are generated when people operate devices and run applications. Administrators do not have access to the log repositories, which preserves the integrity of the records. Only read-only access is available to the host, so administrators and security personnel can monitor activity to seek out abnormalities and make sure everything remains functional. “Audit log integrity is ensured in that way,” Olson explains. “It’s something some customers directly ask for, and it’s also a method of showing customers and reassuring them that we are protecting their data in the best way possible.” These measures are part of the security practices that are repeatedly tested and audited by customers and government regulators. Physical security controls are also regularly assessed to ensure proper care before and after delivery.
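The separation-of-duty model described above, sketched as an added example that is not Iron Mountain's code: devices and applications can only append to the log repository, administrators and security staff get a read-only snapshot, and a hash chain over the stored entries lets a reviewer detect any alteration. The role names, the constructed firewall events, and the hash-chain layout are assumptions for the illustration.

```python
import hashlib
import json

# Added example of role-separated, tamper-evident audit logging; not Iron Mountain's implementation.
GENESIS = "0" * 64  # stands in for the hash of the non-existent first predecessor

class LogAccessError(PermissionError):
    """Operation not permitted for the caller's role."""

class AuditLogRepository:
    def __init__(self):
        self._entries = []
    def append(self, role, event):
        """Only the device/application role may write, and only by appending."""
        if role != "device":
            raise LogAccessError(f"role {role!r} may not write to the log")
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self._entries.append({"prev": prev, "body": body, "hash": digest})
        return digest

    def read(self, role):
        """Administrators and security staff get a read-only snapshot (copies)."""
        if role not in ("administrator", "security"):
            raise LogAccessError(f"role {role!r} may not read the log")
        return [dict(e) for e in self._entries]

def verify_chain(entries):
    """Index of the first entry whose chain link breaks, or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        expected = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
        if e["prev"] != prev or e["hash"] != expected:
            return i
        prev = e["hash"]
    return -1

def demo():
    """Constructed scenario: a blocked administrator write, then a detected edit."""
    repo = AuditLogRepository()
    repo.append("device", {"host": "fw-01", "action": "rule change", "user": "jdoe"})
    repo.append("device", {"host": "fw-01", "action": "logout", "user": "jdoe"})
    snapshot = repo.read("security")
    try:
        repo.append("administrator", {"host": "fw-01", "action": "erase"})
        blocked = False
    except LogAccessError:
        blocked = True
    snapshot[1]["body"] = snapshot[1]["body"].replace("logout", "login")  # out-of-band edit
    return blocked, verify_chain(snapshot)
```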

After putting internal structural practices into place, Iron Mountain also hires outside companies to validate each security system via manual penetration tests. “We essentially hire somebody to attack and compromise our websites and applications,” Olson says. That third party then reports back on whether it was able to penetrate Iron Mountain’s systems, how it was able to, and how it would fix the vulnerabilities. Every application is tested before being made available for customer use.

Olson believes that the most successful approach to cybersecurity is a blend of both proactive initiatives and reactive solutions, with a renewed focus on detection. Right now, he hasn’t found any one product on the market that adequately detects breaches, so one of his current initiatives is to look at everything they have in-house and determine whether or not they can build a unique detection capability that will be best suited for Iron Mountain.

Case Study: Global Internet Perimeter

The Problem

Different vendors handled security controls for each global client, so the risk of each region had to be assessed separately, requiring a lot of time and labor.

The Solution

A single global Internet perimeter for international clients, with a standard set of controls delivered by one vendor that spans the globe with the same consistent connectivity.

The Results

Now Iron Mountain doesn’t need to keep multiple versions of compliance reports from various regions, saving time on its end and also delivering a more consistent, streamlined system that requires less interpretation for clients. Olson and his teams can now accurately measure risk and understand their positions around the world in the most efficient way possible.

Other plans for the future include pushing appropriate security controls, analysis, and responsibility toward those who are closest to the controls and have the most intimate knowledge of operations. “There’s a principle in software engineering that says the sooner you fix a bug, the cheaper it is,” Olson says. “So fix it during the development process when you first write it, where you start testing before it goes to production.” The later in the development cycle a fix is made, the more expensive it is. If those responsibilities shift from an analyst to the staff closest to the operations, the security team is free to look at the most complex matters, and the operations staff can identify issues much sooner in the process.

“It’s the same principle,” Olson says. “Detect the security variation and correct it closest to where the problem occurred.” By tackling problems at their source, Olson and his team add another crucial component to Iron Mountain’s defenses.