Data Centre Titans: The Frontier of Data Protection with Richard Luna, CEO of Protected Harbor
Tue 22 Aug 2023
In the inaugural edition of Data Centre Titans, we spoke with Richard Luna about the evolution of software and corresponding hardware needs, as well as the importance of data protection legislation and accountability in the data centre industry. Richard draws on his experience working with healthcare clients and helping to design communications technology for the first digital signs used in New York City’s subway system.
Data Centre Titans is an interview series aimed at sharing the experiences, insights, and expertise of the leading minds in the data centre industry.
– – – – – –
As CEO of Protected Harbor, what experiences have you had in software development and data centre design?
I have over 30 years’ experience in the software development, DevOps, and data centre space. During this time, I have learned many programming languages and watched the rapid advancement of technology. I have seen and am proud to have been involved in the development of software programs and approaches that have solved complex problems. Software that I worked on has helped to create a foundation for further advancements.
What I have seen from a software viewpoint is the impact of hardware and infrastructure performance. In the past when we were communicating with a mainframe there was a very different type of connection. In those days, we had to go through ‘green screen’ using Unix.
Today, mobile apps require a lot of storage and developers talk about a collection of tools used to create applications, called a stack. The stacks, while much easier to work with, require a lot more resources.
Storage and bandwidth are critical for modern applications to run properly. When an application doesn’t have enough resources, end users complain about slowness and stability. While there have been many changes and the approaches are all different, the logic behind this has much in common. I have seen it all evolve over the years; therefore, I know how to interpret it.
You’ve served in leadership positions in multiple networking groups. How have these experiences influenced your approach to work?
Every CEO is a salesperson or should be one on some level because they are selling the brand, and often, they are the brand.
Networking groups are valuable because you have to stand in front of the members and say what you do. This type of communication is another muscle to build.
In networking groups, most members want to refer business, but they also need to clearly understand what you do and what you are selling. Networking should be looked upon as educating a sales team. After you educate them, ask them to explain back to you what your company does. If they need clarification, offer it.
Leaders need to be able to clearly tell people about the brand and their differentiators. Some are not comfortable speaking in public. These opportunities to talk about your company allow a person to become more comfortable in their skin. This takes practice and commitment, but it is well worth the effort.
The best part of networking is you get feedback. Every meeting, a leader gets to exercise their sales muscle and get more used to feeling comfortable in a sales environment. The second-best element of these activities is getting feedback from prospects or clients.
It is critical that leaders listen and ask questions. Feedback is important because it helps to correct misconceptions and provides an opportunity to share details.
It is important to take time for self-evaluation. Review and examine the feedback you are receiving. It is a tremendous gift, appreciate it when you receive it.
What is one major challenge you’ve faced in your career, and how did you overcome it?
Companies think moving to the ‘cloud’ solves all issues. The cloud is storage, it is not support, it is not protection. It is simply storage.
How have you approached the challenge of explaining the limits of cloud storage to companies?
I have approached the limitations of the cloud by asking who is accountable and how are they accountable. Will the large providers cover your losses or help restore lost data?
For me, the approach is simple, if the data is on my equipment, I am accountable, it is my responsibility.
What I have learned to do is not talk about the cloud. Instead, talk about data being in the cloud. The cloud is really only storage.
A company pays a cloud vendor to store data. This cloud is open and exposed to the world and is constantly being attacked.
Recently, for example, Microsoft admitted that China had broken into their cloud servers. I ask, how many companies have the same budget that Microsoft does for security? Even with this significant budget, they were still breached.
We have been critical of these databases in the cloud storage industry, but what are the benefits of it?
The benefit is that your data is always accessible wherever you are. However, I can make the same argument if you are on a private cloud. Except on a private cloud, where IP users connect from can be limited. Therefore, if a company has no secondary offices in Bangladesh or in Iran, for example, then why should an administrator allow an IP address from those countries to connect? If an executive or office employee is in Iran, they can put in a ticket and open the specific IP address. Other than this, access is kept tight and closed. If a business has no operations outside of the United States, only US-based IP addresses should be allowed to connect to it, period.
Given your background in software development and data centre design, how would you enhance data security?
I am still surprised at how lax data security can be. As someone with a programming background, I ask infrastructure clients ‘who has access to this data?’. Most of the time the answers are missing.
Data theft is real. FTP, open ports, and development stacks are all entry points to steal data. All business should harden even internal data transfers, enabling encryption internally when transferring data from one server to another.
But how can an organisation change? I suggest making a road map that includes security and durability in the plan, and have stakeholders from each technical discipline participate.
For example, use internally hardening data transfers to improve security. Enabling encryption from one server to another will generate a list of systems that need data access; because when clear text connections are disabled, clear text connections will be blocked. The process is to enable encrypted connections and clear text simultaneously and set up a review process for clear text connections.
For each clear text connection, determine why the data is needed. If approved, work with the connection source and enable an encrypted connection. Repeat on all the connections until they are all encrypted. Now that data is safe from in-transit theft.
While this process is focused on data security, it also helps by identifying who is accessing the data and why. This is not just an exercise in improving security, but an exercise in understanding data usage and access.
You also had experience designing the communications technology for the first digital signs used in New York City’s subway system. How did this play into your understanding of data protection and security?
In that analog environment, a signal connection could be made, but may not be strong enough to sustain a high data transmission rate. That is why we had to have a sliding scale of what was acceptable to complete the task.
I learned from this that it was critical to know that data was not only being sent, but also that it needs to arrive at a specific location uncompromised.
The same is true today, although now we have digital communications which are more stable and we also have encryption.
Encryption is more complex but it offers greater security. Systems now allow us to know where data is, when it was sent, how it is transported, when it was received, and when its opened. With more information and a way to track the process, we have greater data integrity. However, we also know that data is valuable, and there are those who are constantly trying to siphon it away or steal it.
Watching how data is shared over my career has taught me to be vigilant and use protocols that will provide the highest level of data protection possible for clients.
What legislation in the data centre industry should be put in place to cover data protection?
First, create a ‘do not connect list’, similar to the Transportation Security Administration’s ‘No Fly’ list. If your IP address is in this list, then you cannot connect to any server anywhere in the country – you are blocked the second you appear on that list.
Lists of IP addresses do exist, but they do not have the resiliency of a certified address.
Second, get credentials via clients regarding anybody coming into the country who has access to public VPN servers. If you obtain a US-based IP address, you have to be registered. This way, we know exactly who you are.
This is similar to what is being done in Europe regarding burner phones. When you buy a mobile phone in Europe, you have to register it. This way, the MAC address they give you on the SIM card is tied to you. They know if you are in Europe and are making phone calls. This allows them to know specifically who owns the phone.
Do you believe there should be standard, industry-wide measures put in place to ensure all parties in the data centre industry take responsibility for data breaches?
There must be serious and significant accountability and financial consequences for data loss. If a company loses data of a customer, there should be a heavy financial consequence. Legislation is the easiest way to enforce this.
The cost will be significant for large cloud providers and they will fight it.
Business owners must be willing to invest enough to truly make sure client information is secure. Today, there are no penalties. Cyber insurance, as well as data protection insurance, are not adequate for businesses and their customers who are vulnerable to criminals and bad actors.
My proposal is that if you have 1,000 customers, you are fined $10,000 per customer in the event of a data breach or compromise that causes harm. This is a harsh penalty and could put a company that has a data compromise out of business. However, 60% of businesses already close down within six months of falling victim to a data breach or cyber attack.
What is one thing that has greatly influenced your professional life?
When I first started in the IT business, we had a large local Pediatrics office as a client. The practice was owned by doctors. The senior physician loved tech and had built the servers running his practice.
Although he was brilliant as a physician, the network equipment was poorly configured and had become unstable. Too many applications had been installed, some of which conflicted with each other, grinding the server to a halt. The reason was to dedicate a server(s) per function, not to try to jamb all functions on all servers.
This reinforced my mission to help businesses design systems, networks and storage to allow them to be on a stable platform, operate efficiently and now operate safely.
How should businesses make decisions about their systems, networks, and storage needs?
Determine who you are holding accountable. Only hire firms that will accept that level of responsibility.
I am not asking a pediatric practice or any business to learn or understand computer networks or servers. What I am asking and suggesting for any business is to interview IT support companies.
During the interview process I suggest asking ‘I am going to give you medical (or other private) records, and if these records get lost or if the system is hacked or breached, whose fault is it?’. The answer should be that the IT vendor take responsibility.
I would recommend dedicated servers and a clarification of the types of data stored. There must be policies in place about data access and the medical practice staff must be educated about the importance of data security.
Obviously, these professionals are not technologists, which means they need to be trained and informed. They should stick to their silos and work collaboratively with their tech people to create systems that will provide them with the information that they need. Internal tech staff then needs to work with IT vendors, managed IT service providers, and MSPs to develop the system and how information will be requested and then delivered.
I would then make sure that all supporting systems in that pediatric practice understood the importance of communication. For example, when they hire, fire, or if an employee leaves the practice, the individual should be immediately locked out of all systems. This is a must and there should be staff assigned to keep track of who is allowed access to data and systems. Regular assessment and reviews of this is critical.
Given your experience working with healthcare clients, what are some best practices to maintain compliance with the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA rules focus on protecting patient health data. Like all data, patient health information is valuable to the individual and it is important the data is kept secure for personal privacy.
Bad actors seek to gain access to this information or hold it for ransom. To protect this information, there are several best practices that organisations and their IT providers should follow.
It goes without saying that all staff and vendors who come in contact with this information must be aware of the responsibility they have to protect this data and that there are penalties for not following guidelines. Access to this data must be limited to the patient and those who need it.
A best practice that makes it challenging for those who seek to read, steal, copy, or hold data for ransom, is to limit who is permitted access to the database. Credentials should only be given to those who need to use the specific patient information and globally there must be strict boundaries relating to administrative access to databases.
For the data itself, splitting it up and placing parts of records on different servers adds a layer of protection. For the user who needs access, software and formulas are designed to pull the data from the different servers and present it to the user. This can only happen when the right passwords are utilised.
The process of combing the data is easy to do with the right formula. It is more difficult, but not impossible, for those who seek to breach this data. However, separating the data, using strong passwords, encryption and staff awareness go a long way to enhancing protection.
How have you seen the landscape of data protection and HIPAA compliance evolve over the years?
HIPAA requires that the data is always encrypted in transit or in storage (at rest). I believe it is easy to go a step further by breaking up the HIPAA data across multiple database servers. Therefore, if a database server or one channel is compromised, the whole record is not fully exposed. The perpetrator does not even have enough of a record to make an identifier; all they would have is a piece.
I built a HIPAA system for a client that is very secure. One of the objectives was to improve security and break the data up. Take a social security number as an example. Parts of this number should be stored on different servers and in three different encrypted databases. We delivered three isolated data servers, storing the first three numbers in one data base on one server, the next two numbers in one server, and the last numbers on another database on another server.
Each time the client wanted to reconstruct the number; a user would have to do three queries. As long as the user understood what was going on, it was relatively easy to do. It is a beautiful setup since it was simple and required very little programming code.
While there is a slight operational slowdown in data retrieval and storage, the benefit is huge because the data is much more secure.
It is important to note that at a certain point, it is mathematically possible to crack almost any encryption with CPUs due to increased processing power. However, it gets near to the realm of the impossible with security approaches like I described. This is because it will take a very long time to crack the encryption, making it more likely that those seeking to crack the encryption will give up and move on.
I believe the goal is not to make the data impenetrable, but to make it so hard to get that anybody who is attacking gives up and moves on to another system that is easier to gain access to.
What advice would you give to someone starting in the data centre industry?
Learn to delegate and communicate. Most technicians are not good communicators and that hinders working collaboratively. Larger problems can only be solved collaboratively.
Also, get your sleep now. Once you are in the industry, years will go by and you won’t realise it.
How can someone develop their skills in delegating and communicating?
I lead by coaching. I have done every job in the company, so my advantage is that I know what needs to be done and I am able to explain what the person who holds the position should be thinking and/or doing.
I coach people in their position to help them be successful. I will ask, ‘what do you think about this?’. I then listen to their answer and see if they mention the same items that I would be thinking of in that situation. If not, then I know that I need to do a better job explaining my view.
There are also opportunities where I may need to learn something new. To be a good coach, you have to evolve and learn as well. I encourage employees to ask me questions or ask other staff for their input. This is a common practice between me and my CTO. I ask, ‘what do you think of this situation?’ or ‘what do you think we should do?’. This gives me important feedback and moves the process forward.
We were recently discussing a new client being onboarded and he said, ‘just rip the plaster off’. This happened when we were having a hard time getting basic information from a clients’ old IT support company. I agreed and we went directly to the client to try to resolve the roadblock.
The client opted not to disrupt the process as we had hoped. They did not want to change their approach or alter preexisting external communications.
I was fine with their decision. We approached the client because we were at a roadblock and wanted to move faster. I wanted the client to hear our concerns and to advise us. It is my goal to be a partner with all clients. As a leader, I took my CTO’s advice, I listened, I agreed, and we took action.
As a leader, communication is critical. I believe that a leader must always be communicating their intentions and expressing their thoughts with their team. My job is to have an entire company of people who think like me. This means that they understand every decision is important or tangible for the company.
I am also open to discussing challenges and problems. I then say, ‘here is how I see it; how do you see it?’. They respond and I know that they understand the direction and actions that will take place. This is a wonderful way to develop an educational process. This enhances trust and collaboration.
Could you share a quote that inspires you as a leader or empowers you in your work?
Two quotes by Thomas Edison: “Genius is 1% inspiration, 99% perspiration.” and “The three great essentials to achieve anything worthwhile are, first, hard work; second, stick-to-itiveness; third, common sense.”
Hungry for more tech news?
Sign up for your weekly tech briefings!