Asia (Other)

Screen Shot 2019-03-12 at 6.11.44 PMControls that prevent physical access to servers must be a fundamental component of any information security programme.




Most discussions on data centre security tend to focus on the use of technology as the primary defence against cyber attacks. And, certainly, digital protections such as endpoint detection and response solutions do play a critical role. However, whether your data centre is maintained on your company’s premises or you have moved digital operations to the cloud, having controls in place that detect or keep bad actors from physically accessing servers must be a fundamental component of any information security programme.

Consider the following situation. An organisation noticed a spike in electricity consumption at its satellite located offshore. Among the initial concerns was the possibility that cryptomining malware had infected that site’s servers. They were right, but the culprit was not a digital bug, rather it was a result of physical security lapse. Their local IT person, who had purchased the servers citing a legitimate business reason, had installed row upon row of cryptomining rigs instead of hard drives. Through further investigations, it was uncovered that he was able to mine several bitcoins with an estimated value of more than US$500,000.

This fraud underscores why physical security continues to be highly relevant — indeed, absolutely essential — to modern data centre security. With emerging trends like big data and the advent of the internet and cloud-based computing, businesses are enticed to place more of their operations outside of traditional IT infrastructure and into the data centre, where there is a real drive toward greater demands on its physical security.

Look at business resilience and data security in tandem
When making the move to a third-party data centre, companies typically look at a provider’s ability to deliver on two key elements: business resilience (data availability) and data security. However, companies too often consider each factor independently of the other and do not fully understand the vital synergies between the two.

From a business risk point of view, we will advise clients to investigate how resilience and security work together in a provider’s service offering. For example, companies should identify from the start who, in reality, is providing the service and how the data centre is structured.

A security threat assessment is essential when designing, building and maintaining a data centre or when engaging with a third-party data centre provider. The centre must be able to withstand everything from corporate espionage and low-level thieves to terrorists to natural disasters. By identifying areas of potential threat, a business can enable decision-makers to specify a range of cost-effective and practical countermeasures.

Navigating competing security criteria and real-world deliverables
Currently, there are various industry bodies that publish data centre standards using different criteria in their assessments. Many data centre providers are “aligned to” rather than “certified according to” these standards. Very often, these bodies use a simple tiered rating, which is enhanced with additional terms that are designed to improve the marketing potential of a data centre.

However, understanding the real benefits and risks associated with these terms can be difficult. Unfortunately, there is currently no comprehensive industry standard for security, so it is not unusual to see very inconsistent levels of security performance between different providers.

Data centre security is about minimising risk and maximising operational uptime. In the digital world today, information is the new currency. Any data loss or system downtime can potentially have very high associated costs. One thing we can be sure of is that criminals are always looking out for opportunities to steal data or create havoc by disrupting critical infrastructure. If operators are to deliver on evolving customer expectations and needs, physical security must be a primary facet of information security programmes.

How a physical security expert can help
Specialists in data centre physical security such as Kroll can help clients assess how well a data centre can meet their needs from both a performance and risk perspective. In cases where we have highlighted the need for improvements, we have worked with data centre providers and clients around the world to improve their overall information security and resilience.


By Simon Ashenden, Associate Managing Director, Security Risk Management, Kroll


Screen Shot 2019-02-01 at 11.05.31 PMKroll is the leading global provider of risk solutions with more than 45 years of experience in helping clients make confident risk management decisions about people, assets, operations and security. For more information, visit

Related Articles by Firm
Combating private sector corruption in Indonesia: A challenge to address in 2019
With elections just around the corner, corruption involving government and public service agencies will likely be a top issue ...
Infrastructure investment in emerging markets — mitigating the risks
Infrastructure projects in emerging markets attract investors on the back of potential returns that can outstrip yields in mature markets ...
Defeatist data security cultures no more
Organisations need to recognise that information security is a question of risk and step up defences now ..
Innovating internal investigations in today’s hyperconnected world
Data visualisation tools have emerged as a powerful resource for internal investigations ...
Why asset searches are increasing in Singapore
Parties choose to resolve their disputes in Singapore for the relative ease of enforcement of awards and judgments.
New ultimate beneficial ownership disclosure requirements: An important step in combating financial crime in Indonesia
The requirement will strengthen and amplify the anti-corruption, anti-money laundering, anti-tax avoidance/evasion and anti-monopolism efforts.
Kroll: Opaque ownership fastest-growing concern for compliance professionals
Less than 25 percent feel highly confident in their program’s ability to address these risks.
Singapore gets serious in fight against bribery and corruption
Conducting joint investigations and joint enforcement actions with foreign authorities may become a new norm ...
Global Fraud & Risk Report – 2017/18
Forging New Paths in Times of Uncertainty ...
Law firms play a critical role in the new Indian Insolvency & Bankruptcy Code
Many new reforms and regulations have been introduced to support economic growth. However, one area that was always neglected was bankruptcy law ...
Risks for investors ahead of 2018 Malaysia elections
Investors should be aware of elevated fraud and corruption risks in the lead-up to the election ...
Forensic accounting to assist asset search
There are endless ways to identify assets, but it can be a costly exercise ...
Buyer, beware!
The final of four reports from Kroll and Liberty Asia on how to mitigate any hidden compliance and reputational risks relating to human trafficking issues …
Forewarned is forearmed
The third of four reports from Kroll and Liberty Asia on how to mitigate any hidden compliance and reputational risks relating to human trafficking issues …
Crime vs. Ethics: Changing corporate culture to reduce modern slavery
The second of four reports from Kroll and Liberty Asia on how to mitigate any hidden compliance and reputational risks relating to human trafficking issues …
Reducing and removing involvement in modern slavery
The first of four reports from Kroll and Liberty Asia on how to mitigate any hidden compliance and reputational risks relating to human trafficking issues ...
Related Articles
Related Articles by Jurisdiction
Asset searches in the digital age
Social media and other technology are changing the way asset searches are conducted in a dispute ...
Latest Articles