Kimon Nicolaides, digital services group head at MASS examines the three key elements of data centre security and urges facility operators to consider them collectively.
Organisational security can be thought of like an onion – with critical assets sitting in the middle protected by multiple layers, and if one layer is breached, there’s another one underneath. At least that’s the way it should be, but too often, we see a siloed approach to the different aspects of security.
Whilst data centre and co-located facilities typically have well established security measures, the explosive growth of data consumption has massively elevated society’s overall dependence on secure and resilient data storage.
As a result, access to data continues to be a top agenda item for most threat actors, and data breaches now have the potential for greater widespread impact. In addition, the General Data Protection Regulation (GDPR) has resulted in regulatory scrutiny being greater than ever before.
For these reasons, security measures cannot be taken for granted. Physical, cyber and personnel security are all related and each needs to be given due consideration.
The first and most obvious layer to assess should be the physical access to assets – even for the data centre industry where physical security principles have been long established.
The first crucial step is the identification of the perimeter – many organisations think they know this but, in reality, fail to broaden its definition enough. Where there are distributed site facilities, remote assets and supply chain dependencies, the perimeter can be vast.
Scenario-based analysis, using threat actor personas, motivations and objectives can help define where the perimeter really lies. It’s also invaluable for exposing how an organisation could be exploited.
This stage should then review physical controls such as fencing, access technology, CCTV etc., including their role in the deterrence and detection of hostile reconnaissance activities. The importance of disrupting the planning stage of a physical attack is often overlooked.
However, security measures are only as effective as the people that apply them, so an understanding of human behaviours is essential. It’s important to consider how actions of the individual affect the overall site security and also, why these actions happen.
Issues can range from, the wearing of security badges in the street, through to poor motivation and effectiveness of roving security staff or those monitoring CCTV. Simple and innocent human mistakes could form the seed of future security breaches.
The scale of data, our dependency on it, combined with the evolving complexity of technologies and systems, mean that data has become more challenging to protect.
Added to this, cyber exploitation toolsets and services are more widely available and cheaper – reducing barriers to advanced cyber-attacks. Cybersecurity must stay one step ahead.
Taking one example, although penetration testing is a fundamental network cyber tool, it can only provide a snapshot in time and can leave vulnerable blind spots.
More regular, lighter-touch cyber assessments can help fill this gap by highlighting the easy targets for the cyber actor over a wider proportion of the estate.
Modern threat intelligence techniques (which mine information throughout different layers of the web), can enhance this further, by identifying existing compromises and potential weaknesses, including those exposed by the corporate digital footprint. This establishes a picture of cyber posture and vulnerabilities before any testing takes place.
It’s also equally important to examine the wider supply chain. Data centres have high dependence on a range of equipment from servers to smart air conditioning units, and when complex systems are interconnected it’s challenging to pinpoint cyber resilience risks.
Despite this, using automated threat modelling tools, even with incomplete information, valuable system models can be developed and rapidly analysed for vulnerability. This allows resilience ‘hot spots’ to be identified and different security mitigations to be assessed quickly within a virtual environment – so that you invest in the changes that deliver the most benefit.
The potential threat from insiders – those who might misuse their legitimate access to an organisation's assets for unauthorised purposes – is often overlooked.
Insider threat can be considered as the ‘grand master skeleton key’ of security, as there are few security measures that cannot be overcome by the right insider, or team of insiders. Due to this, insider breaches can have a disproportionately high business impact.
For data centre facilities, where there can be various subcontractors or customer staff on-site, this is of particular importance and so the effective enforcement of physical security controls and rules really matters.
Although many businesses believe this risk can be managed by pre-employment screening, they fail to recognise the range of risks, from genuine human error, through to planned insider activity by paid professionals.
Insider cases often involve individuals who have been with an organisation for some years and have had some personal vulnerability exposed or have simply become disgruntled.
It’s a broad area to address, with many factors (governance, security culture, employee wellbeing, etc.) to be considered for both your own organisation and your supply chain. Although if the business is committed, it is possible to use analytical methods to quantify your organisation’s maturity and assess where the key vulnerabilities and risks could lie. This lays the groundwork for improvement, where even small changes can have a significant impact.
The hidden layers
Like an onion, there are hidden layers to security that may be overlooked so it’s important to consider physical, cyber and personnel security collectively, and to understand the wider dependencies you have as a business. For example, if a supplier or partner has a security breach, what does it mean for your operation, your business continuity and your customers?
When assessing security, it’s essential to go that extra layer deeper and consider how a range of factors could impact your organisation and its readiness to respond to an incident.