• United States

A night to remember: Engineering lessons from the Titanic

Oct 12, 20164 mins
Data CenterNetwork SecuritySDN

Heeding the lessons of the Titanic can help modern data center engineers avoid and mitigate fateful encounters with unforeseen menaces

Some 31 years ago, the RMS Titanic was discovered resting on the ocean floor. The legend of its sinking has been retold many times in books and movies. One compelling aspect of the story is the safety claims made by its creators. Even as reports of the disaster began to filter into New York, the vice president of the White Star Line stated, without qualification, “We place absolute confidence in the Titanic. We believe that the boat is unsinkable.” Obviously reality betrayed those maritime engineers’ confidence.

What lessons might this famous disaster teach engineers in modern data centers? In particular, how do we prevent hostile attacks—the “icebergs” that lurk on the seas we sail—from causing catastrophic breaches?

+ Also on Network World: How network segmentation provides a path to IoT security +

The confidence of the designers was not completely unfounded. The ship was divided into 16 compartments, each of which could be isolated by watertight doors. Up to four could have flooded without sinking the ship.

Data center networks follow a similar principal, called segmentation, with logical divisions designed to protect servers from attack.

Unfortunately, the Titanic bulkheads did not run high enough, so water began to spill from one to the next. The threat came first from outside the hull, but then increasingly from adjacent compartments.

Likewise, data center engineers increasingly recognize that threats don’t just come from outside, so called “north-south” traffic from external access to enterprise web servers. They can also come from inside, hostile “east-west” traffic from compromised servers probing for further vulnerabilities.

Normal “east-west” traffic includes, for instance, a customer-facing application querying an internal database to retrieve account information. But allowing such queries to flow without restriction would be as dangerous as a ship without any bulkheads. Instead, data centers are increasingly divided into smaller sealed compartments, an approach called microsegmentation.

Automation essential

In 1911, Shipbuilder magazine reported: “The Captain may, by simply moving an electric switch, instantly close the doors throughout and make the vessel practically unsinkable.” While some automatic controls were also available, such reliance on human intervention can become a weakness during the chaos surrounding actual emergencies.

In data centers, such a manual approach corresponds to opening tickets to prompt human operators to open or close firewall settings. That’s not much better than the telegraph from the bridge to the engine room, signaling “Full astern!” as disaster looms ahead.

A more modern approach is to assign each server to an appropriate security group automatically at the moment it’s created, with predetermined settings limiting connectivity only to what is absolutely required. Such an automated approach becomes increasingly necessary to secure thousands of applications, especially as they’re further divided into component microservices.

Of course, the human element remains important, even if people are no longer involved with every transaction. One recommendation from the British report on the Titanic disaster stated: “That the men who are to man the boats should have more frequent drills than hitherto. … Such drills to be recorded in the official log.”

Such directives sound familiar to anyone involved with ongoing security certifications of a modern data center, though admiralty rules has been replaced by Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS).

The senior wireless operator aboard, Jack Phillips, stayed at his post until the end, seeking help from other ships in the area. Afterwards a colleague wrote about his late colleague, “I suddenly felt a great reverence to see him standing there sticking to his work while everybody else was raging about.”

Anyone who’s experienced a data center breach can easily imagine the raging and also understand the need for sticking to the work.

Learning from history and taking steps in advance can help avoid cybersecurity disasters before they happen. Increasingly network security will rely on microsegmentation and automated security groups, along with ongoing training and vigilance.

Heeding the lessons of the Titanic can help modern data center engineers avoid and mitigate fateful encounters with unforeseen menaces, and ensure the only ice they encounter is clinking gently in a glass of their favorite beverage.


Larry Lang is a technology business leader with experience in managing, raising capital, and developing products at startups and larger companies. Larry most recently served as CEO of PLUMgrid, a virtual networking company acquired by VMware. Other prior startups include Quorum, which provides cloud-based disaster recovery, and Ipsilon, which pioneered IP switching and was acquired by Nokia.

Larry worked for many years at Cisco, ultimately as general manager of the mobile service provider business unit, which created the data infrastructure for the original iPhone launch. Larry currently serves on the board of Violin Memory, and has held board positions at Infineta and BelAir, which was acquired by Ericsson. He started his career at Bellcore.

Larry holds a bachelor of science degree in electrical engineering from Duke University and a master of science degree in operations research from Stanford University.

The opinions expressed in this blog are those of Larry Lang and do not necessarily represent those of IDG Communications Inc., or its parent, subsidiary or affiliated companies.