Controls that prevent physical access to servers must be a fundamental component of any information security programme.
Most discussions on data centre security tend to focus on the use of technology as the primary defence against cyber attacks. And, certainly, digital protections such as endpoint detection and response solutions do play a critical role. However, whether your data centre is maintained on your company’s premises or you have moved digital operations to the cloud, having controls in place that detect or keep bad actors from physically accessing servers must be a fundamental component of any information security programme.
Consider the following situation. An organisation noticed a spike in electricity consumption at its satellite located offshore. Among the initial concerns was the possibility that cryptomining malware had infected that site’s servers. They were right, but the culprit was not a digital bug, rather it was a result of physical security lapse. Their local IT person, who had purchased the servers citing a legitimate business reason, had installed row upon row of cryptomining rigs instead of hard drives. Through further investigations, it was uncovered that he was able to mine several bitcoins with an estimated value of more than US$500,000.
This fraud underscores why physical security continues to be highly relevant — indeed, absolutely essential — to modern data centre security. With emerging trends like big data and the advent of the internet and cloud-based computing, businesses are enticed to place more of their operations outside of traditional IT infrastructure and into the data centre, where there is a real drive toward greater demands on its physical security.
Look at business resilience and data security in tandem
When making the move to a third-party data centre, companies typically look at a provider’s ability to deliver on two key elements: business resilience (data availability) and data security. However, companies too often consider each factor independently of the other and do not fully understand the vital synergies between the two.
From a business risk point of view, we will advise clients to investigate how resilience and security work together in a provider’s service offering. For example, companies should identify from the start who, in reality, is providing the service and how the data centre is structured.
A security threat assessment is essential when designing, building and maintaining a data centre or when engaging with a third-party data centre provider. The centre must be able to withstand everything from corporate espionage and low-level thieves to terrorists to natural disasters. By identifying areas of potential threat, a business can enable decision-makers to specify a range of cost-effective and practical countermeasures.
Navigating competing security criteria and real-world deliverables
Currently, there are various industry bodies that publish data centre standards using different criteria in their assessments. Many data centre providers are “aligned to” rather than “certified according to” these standards. Very often, these bodies use a simple tiered rating, which is enhanced with additional terms that are designed to improve the marketing potential of a data centre.
However, understanding the real benefits and risks associated with these terms can be difficult. Unfortunately, there is currently no comprehensive industry standard for security, so it is not unusual to see very inconsistent levels of security performance between different providers.
Data centre security is about minimising risk and maximising operational uptime. In the digital world today, information is the new currency. Any data loss or system downtime can potentially have very high associated costs. One thing we can be sure of is that criminals are always looking out for opportunities to steal data or create havoc by disrupting critical infrastructure. If operators are to deliver on evolving customer expectations and needs, physical security must be a primary facet of information security programmes.
How a physical security expert can help
Specialists in data centre physical security such as Kroll can help clients assess how well a data centre can meet their needs from both a performance and risk perspective. In cases where we have highlighted the need for improvements, we have worked with data centre providers and clients around the world to improve their overall information security and resilience.
Kroll is the leading global provider of risk solutions with more than 45 years of experience in helping clients make confident risk management decisions about people, assets, operations and security. For more information, visit www.kroll.com.