Managing risk in the data centre space is crucial for protecting operations and keeping data safe. Steve Hone, CEO, The DCA, discusses data centre security from both a physical and cyber perspective and offers some best practice advice for covering all bases when it comes to security.
I’d initially like to address the issue of cybersecurity. I spotted a billboard on the tube (if you can remember when we used to frequent them) that claimed you were 40% more likely to be a victim of cybercrime than to have your house robbed. This claim was backed up by the Office for National Statistics which has seen a steady rise in reported cybercrime year on year; with more than 6 million cybercrime incidents being reported each year, far more than previously predicted and enough to nearly double the headline crime rate, that equates to more than 40% of all crimes committed in England and Wales.
Data centres represent a very attractive target for criminals. If someone manages to breach these defences, the data halls should be protected by a host of biometric security systems, man-traps and other security protocols, meaning physical access to the servers is in no way guaranteed. However, this assumes that the criminal has a crowbar, swag bag and wearing a balaclava. What happens if the attacker is not planning on abseiling across the rooftops and dropping in through the air duct; what if he can break into your facility and steal your data or plant a virus/DDoS all from the comfort of his/her armchair without you even knowing.
According to a cyberthreat report, business-focused cyberattacks – including ones specifically targeting data centres – has increased by 144% in the past four years and data centres have become the number one target of cybercriminals, hacktivists and state-sponsored attackers. Although physical security should remain a top priority for data centre operators, equal consideration needs to be given to the increasing threat posed by cyberattacks with the same level of due care and attention.
Although I personally do not confess to be an expert when it comes to cybersecurity, the good news is, I know someone who is. The DCA has access to lots of members who could help so if you would like to speak to a specialist, the Trade Association can facilitate this.
Physical security
The aim of physical data centre security is to keep out the people you don’t want in your building or accessing your data. Simply put, if you aren’t on the list you can’t come in. Assuming their name is on the list once inside, it is imperative to continue to keep an eye on them. If you discover that someone, be it a customer, contractor or even staff member is guilty or suspected of committing a security breach, identify them as soon as possible and containing the situation is paramount.
Through the Data Centre Trade Association, you have access to a wealth of specialists and experts. Datum, South Co, Chatsworth and EMKA, can all help with security.
When looking at physical security for a new or existing data centre, its sensible to take a few steps back and perform a risk assessment of the actual data and equipment that the facility will hold. Fully understanding the risks and potential breaches that could occur is essential, as is establishing the likelihood of such a breach taking place and the impact it could have on your business (be that reputational or financial). This type of ‘drains up’ assessment should be your first port of call when defining your physical security requirements and determining how far you need to go.
I have often heard it said that ‘security of any facility needs to be like and an onion’ – made up of multiple layers of security which encapsulate what it is you are trying to protect.
So, when we are talking in terms of a physical data centre, what typically makes up the layers of a data centre onion?
Keep a low profile – Especially in a populated area, you don’t want to be advertising to everyone that you are running a data centre.
Avoid windows – There should be no windows directly onto the data floor.
Fencing – Granted, not always possible if located in a city location, which is where the avoid windows advice kicks in above; however, if you are going to have fencing, make sure it not just a token gesture. There are plenty of guidelines when it comes to security fencing and the Trade Association can point you towards fellow members who can offer some guidance.
Limit entry points: Access to the building needs to be controlled. Think not just about main entrance, fire exits and loading bays, but also roof access points too.
Fire exits – When it comes to those fire exits, make sure they are exactly that – ‘exit only’ (and install alarms and monitoring on them as they are often frequented by smokers who then politely hold the door open for a stranger to wander in).
Hinges on the outside – These can make it far too easy for someone to pop the pins out to gain access. It might sound basic but this is a common mistake I often see with repurposed buildings.
Tailgating – Following someone through a door before it closes is known as tailgating and is one of the main ways that an unauthorised visitor will gain access to your facility. By implementing man-traps that only allow one person through at a time, you force visitors to be identified before allowing access.
Smile, you’re on camera – You can never have enough cameras: CCTV cameras are a very effective deterrent for an opportunist, as is proximity flood lighting. All footage should be stored digitally and archived off site.
Access control – You need granular control over which visitors can access certain parts of your facility. The easiest way to do this is through proximity access card readers, biometrics and retinal scans on the doors.
Pre-approval and personal identification – Many data centres operate on a pre-approval system whereby you warn the data centre in advance that someone will be attending site and usually, this person will need to show some form of photo ID. Cast iron rule: ‘no ID = no entry’, irrespective of how much they protest.
Compound entry control – Access to the facility compound, be that pedestrian or vehicle via a parking lot, needs to be strictly controlled either with gated or turn-style entry that can be opened remotely by the reception/security once the person/driver has been identified.
Ram Raiders – Don’t just target retail stores, metal bollards or large boulders can just as effectively act as a protective exterior layer to prevent a vehicle itself being used as a fifteenth century battering ram.
Processes and training – This might sound out of place in this list of essentials; but having all the security layers in the world will be worthless unless you have the processes and procedures documented along with having your staff vetted and trained to prevent security breaches from happening – this needs to include any third-party contract staff you employ.
You can never test enough – It’s only by regular testing and auditing of your security systems that any gaps will be identified before someone else can exploit them.
Both cyber and physical security considerations come down to managing risk, so make sure you carry out a regular risk assessment, try to think of data centre security being like an onion and remember not all burglars wear balaclavas.