How important is data centre security?

By Bill Walsh, Operations Manager of City Lifeline.

  • Monday, 18th November 2013. Posted by Phil Alsop.

Customers and their business needs in a commercial colocation data centre vary enormously. They range from very large organisations in financial services, through media companies with high data communications needs, to one-man voice telephony operations. Some take relatively small amounts of data bandwidth and some are larger bandwidth users, but whatever the amount, all are colocating into a data centre for the high connectivity a carrier-neutral data centre can offer.

When the decision makers in this diverse range of organisations are asked what their priorities are when selecting data centre services, one of the first answers that continually comes back is physical security. Customers regard physical security as a prerequisite of a successful professional data centre – as important as reliable power or redundant cooling and more important than multiple carriers for connectivity or even cost. The first question a customer asks is “Is my equipment secure?” Customers want to sleep at night and not have to worry about their mission-critical equipment.

Many smaller companies operate their IT systems on site, without any special consideration for environment or power reliability. Often the installations have grown from a single server under someone’s desk to a couple of servers, then a small rack and then into the server cupboard. Whilst companies may take the risk of a power outage seriously, they may not think so much about the risk of a burglary where the burglars simply steal all the equipment to sell on the black market, without a care for what information might be on it. A recent City Lifeline data centre survey showed that almost 30% of businesses surveyed had no regularly tested off-site data back-up arrangements in place. A business which loses its data is unlikely to survive in today’s data-rich and data-critical world, and a Gartner 2010 survey showed that only 6% of businesses which lost all their data would survive beyond two years.

Physical security isn’t just about stealing or damaging equipment. A London bank recently suffered a confidence-trick attack, where someone posing as a maintenance technician talked their way into a bank branch, installed a surreptitious KVM and was then able to remotely intercept and reroute internal bank transactions for financial gain. Physical security can be just as much about adding equipment as removing it! If that equipment had been installed in a professional data centre, it would have been much harder, and realistically probably not possible, for the gentleman concerned to have deceived multiple security hurdles and gained the necessary unauthorised access.

The physical security offered by a well-run professional data centre is neither easy nor cheap. The core disciplines are defined by the ISO27001 international standard for secure data management. This sets out the basis on which security operations in the data centre are run and provides for a continuous improvement process, with every security violation being reported, investigated and the relevant process improved if necessary. Regular inspections by independent external auditors are a key feature of ISO27001, ensuring that standards meet internationally accepted levels. Such levels of management are essential if data centre security is to meet the security needs of the customers.

The right physical assets in the facility are also essential to effective security in colocation. CCTV is an absolute must, both for real-time monitoring of movements of people and for historic analysis – for example, if an untoward incident occurs, historic analysis of CCTV footage allows possible perpetrators to be identified with speed and certainty. Detailed and well-partitioned access controls allow customers access to only the areas of the data centre facility where they are authorised. Many professional data centres are moving away from swipe cards, which are vulnerable to being lent or stolen, to biometric controls such as fingerprint recognition. Whilst no security system is impregnable, spoofing fingerprint access control is very difficult. It also provides very accurate historic records of physical access by area.

Security is not just about physical security, important though that is. Data centres are entirely about security in the broadest sense of the word. That includes security of power supplies, of cooling and of connectivity. Whilst the physical security of the equipment is important, so are its connections to the outside world. Security includes being able to connect via multiple data communication paths through different access points to a building, with those paths following different routes. The best placed organisation to deliver that is a well-run professional colocation data centre.

Security in its broadest sense is what commercial data centres are about – providing colocation customers with one less thing to worry about and the ability to sleep at night, knowing that their mission-critical equipment is safe, powered, cooled, connected and secure. Security in its broadest sense is the essence of what a well-run professional data centre does.