Let's consider each of the risk factors in turn, and then address mitigation.

Risk Factor 1: Information Risk

Data center consolidation represents an incredible concentration of information on an infrastructure that's highly accessible. Remember that not all data is created equal, with some being much more sensitive than others. However, because the economics of the new data center are so compelling, there is now a much broader variety of data within it.

Consider credit card information. In late 2004, Visa and MasterCard more closely aligned their respective approaches and created the Payment Card Industry (PCI) Data Security Standard. PCI information resides in the data center and must be protected. In addition, if an organization also provides health-related services or processing, it may include protected health information (PHI) as well.

Add to this email information, research, financial information, and intranet content, and you have terabytes of growing and disparate information all residing within the same data center. The capacity of the new data, along with the continued, rapid growth of information, challenges its ability to be effectively controlled.

Risk Factor 2: Asset Risk

Which assets contain the sensitive information? Great question, especially when we mix in server virtualization and storage area networks (SANs). The benefits of the afore-mentioned technologies are great, but it remains a challenge for most organizations to identify assets which contain some of the critical information we highlighted in Risk Factor 1. This is a major compliance challenge, as identification of critical assets is just as important as identifying the data which they contain.

Risk Factor 3: Access Risk

Once we have a base understanding of the critical information and assets within our new data center, how do we control access?

Organizations often have a vast array of not only authentication techniques, but also of authorization methods. Depending on their information, different assets might require different access methods, which may in turn be incongruous with other technologies in place.

To overcome access challenges, numerous technologies are thrown at the problem. These include but are not limited to router access controls, virtual LANs, firewalls, single sign on (SSO), intrusion detection, etc. Whether the information is distributed, concentrated, or virtualized, getting the policy in place for managing access remains a challenge.

Risk Factor 4: Audit Risk

Aggravating these challenges are the ever-increasing audit requirements. It doesn't matter whether you're a privately held entity not controlled by the Sarbanes-Oxley Act, or if you just have sensitive information, you're going to have to prove that you have the requisite controls in place and that they're working.

Even within a consolidated data center, collecting information is difficult, especially since audit information may have to be correlated with other information outside the data center. Activating specific auditing functionality within point products might not only result in large log files and trigger a number of events, but may in fact impact operational and transactional performance as well.

This, of course, runs counter to some of the justification for consolidating the data center in the first place.

These risk factors aren't going away; in fact, one may argue that they're only getting worse. Outsourcing is not a cure-all either, as service providers are also dealing with these challenges.

Moving forward, it's imperative for a broader array of stakeholders to be involved in the up-front efforts to tackle the risk factors. Though technology is evolving to address these issues, it does not preclude the need for cross-functional planning and a candid assessment of requirements.