Data Centres: Understanding security

Security is again the hottest topic in circulation. Cyber-threats, encryption and data privacy not only linger on the minds of those in the IT industry but also on the minds of the wider public.

ARE YOU LEADING SECURELY?

Private and business client migration to SaaS, PaaS and IaaS models is reinforcing the need for data centre organisations to institutionalise security leadership in their strategic decision-making and organisational infrastructure. Reflecting the growing value organisations place on the security of their sensitive personal and proprietary information (IPR), security is now used to differentiate data centre models and win business. Security leadership in strategic decision-making will enable data centre organisations to:

  • react to external change and hyper-competition;
  • reduce operating costs and costs of change;
  • maintain an internally derived Sustainable Competitive Advantage (SCA);
  • protect organisational existence; and
  • plan for disruptive technological shifts.

The key is to appoint security ownership at an appropriate level and corporately encourage organisational collaboration, especially where economies of scale don’t allow for an all-encompassing and dedicated security role.

DO YOU ACCEPT THE CONVERGENCE?

Prediction: In the future, all physical security systems will be networked. It’s not an outrageous prediction because the connectivity will promote organisational efficiencies and productivity, driving business success. It’s already happening!

Data centres are often overlooked as a home of Industrial Control Systems (ICS), a catch-all phrase for Operational and Building Management Technology. However, the presence of Data Centre Infrastructure Management (DCiM) systems to control connected CCTV, PDUs, cooling, UPS and access control presents a potentially attractive target for a malicious attack.

HOW ARE YOU ASSESSING SECURITY?

The identification of appropriate security controls is the product of a proportionate, risk-based assessment, guided by the input and convergence of threat analytics, system vulnerabilities and a Business Impact Assessment (BIA). In other words, the impact that cyber threats have on tangible, physical assets is a key assessment to make, and it determines the initial business risk.

ARE YOU PEELING THE SECURITY ONION?

The four layers of design defining data centre physical security are:

  • the cabinet;
  • the room;
  • the facility; and,
  • the perimeter.

Protection at each stage is the key to maintaining resilience, but where to start? Almost all malicious attacks or theft from data centres originate from within the organisation: the ‘Insider-Threat’, e.g. a disgruntled or incompetent employee, or a criminally motivated contractor. This is the reason to start securing your data centre at the cabinet (the core) and to secure moving outwards towards the perimeter. HMG Security Policy Framework agrees:

“…defence in depth or layered approach to security starts with the protection of the asset itself, then proceeds progressively outwards…”

THE CABINET

Encasing IPR and high business impact assets in a server cabinet with easily removable side panels might present an unacceptable business risk: it’s time to mitigate. A product which has been designed to meet the LPCB LPS 1214 Category 2 standard might provide sufficient risk mitigation; with a Server Fortress cabinet, for example, even cable entry has been considered. Mitigate initial risks even further with a cabinet access control system, e.g. the DIRAK E-LINE solution, which encompasses security features like the four eyes principle. Each time, consider what is encased: is a 3 pin combination lock, lockable side panels and door sensors wired to an environmental monitoring system to provide OIF alerts appropriate?

THE ROOM

PIR POE IP CCTV is the most popular mouthful of a surveillance requirement we encounter. Data centres are machine rooms with only occasional human interaction; therefore, initial business risk might not determine a need for 24/7 surveillance. PIR lighting in tandem with CCTV or infra-red are other mitigation options. For those less versed in modern CCTV systems, software-based functionality must be a consideration: utilising corridor mode ensures maximum coverage of any hot or cold aisle, and area-linked motion sensing triggers CCTV to start recording only when motion is detected in a pre-designated monitoring software application. Incident tagging and facial recognition are other useful CCTV system features that could be employed to mitigate risk.

THE FACILITY

Prediction: IPR will be more valuable than diamonds for many more years to come, and so it needs to be kept in a vault; therefore, access controls must be employed. There are many types of access controls: analogue sheets, HID style room access, biometric controls, etc.

Access control also touches cyber in a big way, as identified by control 11 in ISO/IEC 27001:2013; Controlled Use (12) and Controlled Access (15) in CPNI Top 20 Security Controls; User Privileges in GCHQ’s refreshed 10 Steps to Cyber Security; and Access Control in the UK’s Cyber Essentials Scheme and NIST’s Protect Function. Enterprise objectives, e.g. defend market share, maintain an SCA and protect the value of IPR, will determine the objectives of access control and, in turn, the need for prevention of unauthorised use of information systems, process facilities, networked services, operating systems, applications and, increasingly, mobile working and telecommunications services.

THE PERIMETER

Fences surrounding the whole facility are a visual and a physical deterrent. For example, a barrier with ANPR for vehicle access and boundary-point authentication might be a necessary perimeter control. The attributes of a 358 style fence lend themselves to data centre requirements – they’re trusted. It’s recommended to look for BS 1722: Part 14: Category 4 and certification to LPS 1175 SR1, but security leaders should always remember to be proportionate.

CONCLUSION

Security is about protecting and enhancing the organisational value of information in the connected world (remember: data is our diamond). Physical security acts as the eyes and ears, a fort to the keep, and choosing a relative data centre security solution is fundamental to the longevity of an organisation.