Datacentre security: Why operators must give cyber and physical threats equal attention

Datacentre operators often talk up the physical security measures they have in place, but are they at risk of overlooking cyber threats?

Datacentres are built from the ground up to keep people out and ensure the precious data housed inside their walls is securely protected.

To this end, it’s not uncommon for facilities to be located within nondescript bomb-proof buildings that are equipped with bulletproof glass and surrounded by huge fences.

If someone manages to breach these defences, the data halls will be protected by biometric security systems, man-traps and other security protocols, meaning access to the servers is in no way guaranteed.

Physical security is clearly of utmost concern for datacentre operators, but industry watchers have previously aired concerns about whether the cyber security of their sites is subject to the same level of due care and attention.

This is of particular note as datacentres represent a hugely lucrative target for hackers, who see major potential in gaining control of the digital assets they store.

According to Cyren’s 2015 Cyberthreat Yearbook report, successful, business-focused cyber attacks – including ones against datacentres – have increased by 144% in the past four years. Meanwhile, the National Security Agency (NSA) claims attacks can cost victims up to $40,000 per hour, so clearly there’s a need to have appropriate security procedures in place.

In a media advisory, published in May 2016, the CEO of co-location provider Aegis Data, Greg McCulloch, shed some light on why operators seem so preoccupied with the physical security of their sites.

“While cyber security is of paramount importance when it comes to datacentres, the majority of this protection is unseen, hidden in lines of code and firewalls. It can be stressed to the client the multiple layers of cyber security, but all of this is intangible,” he says.

“Physical security features, however, are much more likely to impress and reassure prospective and existing clients that their data is safe.

“The more layers that a centre can provide between the individual and the data hall, the greater the likelihood of reducing the risk of a physical breach,” adds McCulloch.

Having around eight layers of physical security is ideal, he claims, and should ensure the operator is doing all it can to keep the bad guys out.

“Typically, eight layers and upwards is ideal with a combination of personnel barriers like guard posts, physical barriers such as locked doors requiring biometric scans, and security barriers like man traps in the event of a breach,” continues McCulloch.

“These should all be installed in and around the data hall. For co-location providers storing multiple clients’ data, each server should be locked and access to these should be provided only to authorised personnel.”  

Equal billing

However, as the move towards cloud continues apace in the enterprise, and the number of internet-connected devices coming online soars, the cyber security threat level for datacentres will rise accordingly, says Talal Rajab, head of cyber and national security at trade body TechUK.

“Datacentres hold critical data that contain critical assets and information, including customer data and intellectual property,” he says.

“With the emerging big data trend and the advent of internet of things [IoT], the various threats to datacentres will only increase, meaning security will become an increasing priority for their customers.”

For this reason, Rajab says it is high time cyber and physical security are given the same levels of due care and attention by datacentre operators.

“Cyber security procedures in datacentres must be given the same priority as physical security procedures – in the same way that physical access to a site is restricted to people with special access,” he says.

“A datacentre has round-the-clock surveillance with permanent security personnel, and a truly secure datacentre must have a similar strategy in place to protect against cyber threats.

“This can take the form of practices such as privileged network access for special users and constant network monitoring,” adds Rajab.

Security and service availability

Matt Lovell, CTO at datacentre provider Pulsant, says volumetric attacks – including domain name system (DNS) and distributed denial-of-service (DDoS) incidents – are a big cyber security threat to datacentres, and can play havoc with an operator’s ability to meet the terms of their service-level agreements.

“Maintaining service availability is paramount to all customers and anything that can affect this needs careful consideration,” he says.

“It isn’t just power and cooling that help to keep the lights on, but also any disruption caused directly or indirectly by cyber attacks.

“These can be volumetric attacks, like DNS or DDoS, phishing, or exploitation of customer data or application-related attacks,” adds Lovell.

Along with the threats the IoT and cloud pose to datacentre security, the attack surface for hackers is growing in other ways too.

“There are more customer systems talking to one another, whether that’s analytics, decision engines, security and payment processes or sharing marketing data. As a result, there is now a shift in focus to core and network security,” claims Lovell.

Trust is paramount

Cloud hosting firm Iomart operates eight UK datacentres, and its chief technology officer (CTO) Bill Strain says the organisation uses threat-detection technology to guard against DDoS attacks, and has invested in ISO certifications and becoming PCI DSS-compliant to show customers how seriously it takes this issue.

However, Strain adds that it’s also important operators do not overlook the important role staff play in maintaining the integrity of an organisation’s cyber defences.

“Successful management of your people and secure management of the physical infrastructure for your business and your customers is about making sure everything is under your control so your customers trust you,” he says.

The people element of datacentre security was touched on in the previously mentioned Aegis Data media advisory, where McCulloch talks up how reassuring the presence of an on-premise security team can be for security-conscious customers.

“CCTV, security barriers and biometric scanners are all obviously important features [of a secure datacentre], but nothing makes up for the presence of a human element within the building 24/7/365,” he says.

“Having a team that can be trusted with the security of the site and the protection of the data stored within will often provide an added level of trust for both clients and datacentre providers ensuring the safety of information.”
