Data centres are at the heart of technology operations and hold the keys to some of the most confidential information on earth. Nick Smith, Business Development Manager at Genetec, offers some of his best practice advice for addressing the cyber and physical security of data centre facilities today, to ensure data centre leaders remain vigilant.
The need to comply with a range of legal requirements, meet relevant standards and fulfil multiple security and resilience SLAs for customers can be a complex task for data centre operators, especially if operations extend across multiple sites. Then we have to add in obligations such as data subject access, a provision under GDPR that can be complex to fulfil in practice. Finally, there is the evolving threat of cyberattacks.
Data centres are well equipped to provide high levels of security far beyond what customers could ever hope to maintain in-house. They are rightly seen as part of the solution for security-conscious companies and individuals. That’s why a cyberattack on a data centre can be catastrophic.
So, how can operators centralise security, be compliant in operations to protect data, and satisfy regulatory requirements while also functioning effectively across multiple sites? This article outlines the guidance for addressing the cyber and physical security of data centre facilities in a single plan.
Centralise compliance, security and operations
The ability to easily keep track of who had access to what and when, who granted it and why, has benefits far beyond the security function. It sits at the core of satisfying regulatory requirements and ensuring the smooth flow of people throughout the facility.
Commonly, there are a significant number of people and steps involved in granting access to a room or rack and, if authorisation relies upon manual intervention in the access control system, there is a lot of room for mistakes. Social engineering is therefore often used by criminals as a means of getting inside a data centre facility.
Making use of a physical identity and access management solution that bridges physical and IT security to automate the workflow removes the potential for human error while also delivering associated cost efficiencies.
That is why operators should invest in and rely upon a scalable and unified security platform that takes into account the requirements of users within and outside of the physical security function. There are many other ways in which centralisation can enhance security and streamline compliance operations: for example, by making it easier to set expiry times for contractor passes, or by automating the generation and sharing of audit reports so that any irregular activity is quickly brought to light. Automation is key, as these activities are easy to specify but difficult to carry out consistently if manual intervention is required.
Pooling resources and expertise from across the business allows for the specification and deployment of a common platform with greater capabilities than any one function could hope to develop in isolation. It simplifies day-to-day operations and prevents future headaches surrounding overlapping systems that create operational blind spots through a failure to integrate.
Take a layered approach
It is easy to think in terms of a facility having a single perimeter that needs to be secured. However, it is important to recognise that facilities comprise multiple overlapping perimeters, each with its own rights of access, risk profile and operational requirements.
For data centres, the situation is particularly nuanced. There are all the usual considerations over public and private areas and where people may pass between them. Equally, there are specific partitions that must be maintained concerning individual customers’ hardware or data. It’s not a case of simply controlling access to the facility, but of dynamically controlling access to specific data halls, rooms and even the individual cabinets that they hold.
Don’t put too much reliance on any one sensor or analytic to detect intrusion. Instead, build out a layered approach to perimeter security that ensures all is not lost should one method fail. Video surveillance, number plate recognition, biometrics, LiDAR and fencing are just some of the technologies that can be combined as part of a comprehensive plan to discourage unwanted incursions.
Ensure physical security systems aren’t themselves a cybersecurity risk
A key reason to address cyber and physical security in a single plan is the possibility that attackers could use the physical security systems themselves as potential entry points to the network. Over 90% of all IoT attacks go through routers and connected cameras.
Security cameras, access control readers and alarm panels are all IoT devices that run software and may contain cybersecurity vulnerabilities that can be exploited by attackers. To counter the threat, physical security teams must partner with their counterparts in information security to better understand the true limits of the security perimeter and work to develop strong governance and processes to avoid or mitigate cyberattacks.
The majority of risks could easily be eliminated simply by taking basic steps such as ensuring devices are not using default passwords and are running on the latest available version of the firmware. Yet according to Genetec’s own data, 68% of cameras trying to connect to its systems are typically running out-of-date firmware. Of these, more than half involve known vulnerabilities for which a security update is available.
It’s a situation that needs to change fast and that can only be resolved through increased collaboration, by removing the burden from employees and by leveraging automation to manage the firmware and passwords. Only then can organisations hope to build a resilient cyber-physical security framework from which to operate.
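One way to automate the basic checks described above, as an added example that is not Genetec's or the article's own code: it audits a device inventory for default passwords and out-of-date firmware, and separates devices that are merely behind from those missing a published security fix. The inventory records, model names, version numbers and field names are all constructed for illustration, and firmware versions are assumed to be dotted numbers.

```python
# Constructed sample data: every model, version and field name is hypothetical.
LATEST_FIRMWARE = {"cam-a": "2.4.1", "cam-b": "10.2.0", "reader-x": "1.9.3"}
# First version of each model that contains a security fix (assumed known
# from vendor advisories); anything older is missing that fix.
SECURITY_FIX_FLOOR = {"cam-a": "2.3.0", "cam-b": "10.0.5"}

INVENTORY = [
    {"id": "lobby-cam-01", "model": "cam-a", "firmware": "2.4.1", "default_password": False},
    {"id": "hall2-cam-07", "model": "cam-a", "firmware": "2.2.9", "default_password": True},
    {"id": "dock-cam-03", "model": "cam-b", "firmware": "10.1.0", "default_password": False},
    {"id": "rack-reader-12", "model": "reader-x", "firmware": "1.9.3", "default_password": True},
    {"id": "gate-cam-02", "model": "cam-z", "firmware": "1.0", "default_password": False},
]

def parse_version(text):
    """Turn '10.2.0' into (10, 2, 0); plain string comparison would rank it below '9.0'."""
    return tuple(int(part) for part in text.split("."))

def audit_device(dev):
    """Return the list of findings for one inventory record."""
    findings = []
    if dev["default_password"]:
        findings.append("default-password")
    latest = LATEST_FIRMWARE.get(dev["model"])
    if latest is None:
        # No baseline for this model: flag it rather than let it pass silently.
        findings.append("unknown-model")
        return findings
    current = parse_version(dev["firmware"])
    if current < parse_version(latest):
        findings.append("outdated-firmware")
        floor = SECURITY_FIX_FLOOR.get(dev["model"])
        if floor and current < parse_version(floor):
            findings.append("security-fix-available")
    return findings

def audit(inventory):
    """Map device id -> findings, keeping only devices that need action."""
    report = {dev["id"]: audit_device(dev) for dev in inventory}
    return {dev_id: found for dev_id, found in report.items() if found}

if __name__ == "__main__":
    for dev_id, found in audit(INVENTORY).items():
        print(f"{dev_id}: {', '.join(found)}")
```

Run on a schedule against the real inventory export, a report like this gives the physical and information security teams a shared list to work from.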
Where cyber meets physical
The data centre industry remains at the forefront of technical innovation and strong global demand for data storage and processing guarantees the market will continue to expand year on year. Against this backdrop, it’s important to plan for future growth, to address physical and cybersecurity within a single plan and to invest in a security system now that can scale, adapt and evolve in line with immediate and future requirements.