As Mel Mason sat down to give a press interview in the conference room of his company's high-security, bomb-proofed, state of the art data centre, he admitted to some misgivings.
Mason is the director of technology services for Experian, the information services giant that manages sensitive personal information about tens of millions of individuals. Although he wants his 40,000 commercial customers – and the public – to know just how well protected and reliable its information and services are, he also knows that any organisation that boasts about its security is inviting attack – especially if it has systems that are accessed by partners via the Internet.
In the information business, security and business continuity have become the single biggest concerns, and the ability to deal with almost any kind of threat is a near obsession. Experian, best known for its credit checking services, generated more than £1.3 billion in revenue in 2004 by providing access to its 100 online terabytes of data; if the integrity or availability of its 543 million records were ever in question, then the financial consequences could be huge.
That concern is not just academic: in recent months, other companies holding similar levels of detailed customer data, among them ChoicePoint, Bank of America, Citigroup and UBS, have all suffered expensive, brand-damaging information breaches. For Experian, which has so far avoided such problems, resilience is increasingly part of the brand.
Experian probably comes as near to the impossible goal of total security as any organisation in the world. As a visitor approaches the new purpose-built £31 million European data centre outside Nottingham, they will probably not realise that the reeds surrounding the building mask a treacherous swamp, that the fences are motion-sensitive, that footpaths are pressure sensitive, and that the barriers to the car park are built to withstand attack from a 65 ton lorry.
Inside, the reception area is bomb-proofed, doorways have pressure sensors, and access throughout the building is monitored by CCTV and motion detection systems. Access to the computer rooms themselves is strictly limited – with management tasks performed from screens in separate, secure areas. To ensure visitors can't do any deliberate or accidental damage that might hinder business continuity, tours through the building are virtual. And, unusually, even this article has been vetted to ensure that not too much is revealed to those with malicious intentions.
One of the men responsible for all this is John Walker, head of operational security. He carries not only the now obligatory tool of security managers – a BlackBerry – to receive up-to-the-minute security alerts, but also a keyfob that can detect forbidden wireless networks. Anyone needing remote access to the systems carries around an RSA authentication device, so that their access passwords are dynamically changed.
The software security architecture mirrors the physical. Experian uses two anti-virus services, two separate firewalls and a specialist product to distribute patches.
Experian's approach when dealing with third parties is to "extend the perimeter", says Walker, even offshore if necessary, insisting that partners follow the same stringent practices that it does. How do they find this experience? "We are their worst nightmare," he says.
Security was one of the key reasons for Experian's new data centre. Its existing data centres were not fully equipped with the power supply, bandwidth or space to ensure "safe, secure and resilient" computing, says Mason.
When it moved into its new centre, it installed five new IBM mainframes, three of which it now runs alongside some 600 'distributed' (Unix or Windows) servers. All of these are backed up at another data centre some 11 miles away, linked by Experian's own 640 gigabits-per-second optical fibre link. The new site now has three high-wattage power feeds, three generators, three uninterruptible power supplies and enough fuel for five days. In addition to its 100 terabytes online, Experian now stores some 2,000 terabytes (2 petabytes) on tape.
Managing all of this has, over the years, fundamentally changed the nature of what Experian does – with 75% of Experian's staff now working in an IT-related function. "We're much more than a credit rating agency. Our real product is putting value around data assets via a product offering," says Mason. This long list of services includes providing risk data for insurers, managing electoral rolls and analysing demographic behaviour – as well as tracking credit risks.
These challenges mean Experian now invests heavily in all aspects of IT. Mason describes his three main tasks as providing a reliable service, enabling the business to launch new products, and being responsive to change. With the first part largely achieved – although always under threat – the company is now reviewing its software architecture, aiming to recast all its products and legacy applications as services. It believes this will give it greater agility and a further edge in a market that is intensely competitive.