Fergus Kennedy, Head of Compliance and Information Systems at Pulsant
The issue of data security is playing a prominent role in corporate decision-making and budgeting, a view supported by a recent KPMG survey that shows it is the third most important consideration in UK boardrooms today. For datacentre operators, where responsibility extends beyond that of the company’s own security to encompass security controls for its customers, this is no different. Keeping a customer’s data safe is core to a datacentre providers’ business where a full spectrum of security controls from the virtual to the physical is in place.
Data centre operators face a wide threat landscape and must deliver environments that reduce the potential impact to their business and customers, whether the risks concern intellectual property, mission critical information or confidential data. Best practices and frameworks for addressing these threats must be embraced to achieve this and there are a burgeoning number of frameworks out there. However, the basics like ISO27001 must never be overlooked as it provides the much needed baseline and common ground from which to develop.
The environment into which a provider delivers its services will mould the security controls and practices deployed as the risk profile differs from one industry to another. Whether the appropriate practices are defined by PCI-DSS for ecommerce and financial sectors or CESG guidance on the new protective marking scheme for the public sector, these all have a common goal to ensure data security appropriate to the requirements of the environment in which they operate. The controls defined by ISO27001 are the starting point from which a provider must grow additional controls to meet the additional requirements placed upon them.
As the risk increases, so does the severity and complexity of the controls, but it consistently comes under to the same areas of physical security, network security, application security and people all measured against impact from the standard security tryst of availability, integrity and confidentiality.
Having the right people and making sure they get the support and training to do their job is essential. Threats from accidental and malicious behaviour can very quickly render large security investments impotent.
Personnel must be vetted to the appropriate level and receive awareness and competency training appropriate to their role. As risk increases for a business so does the commitment to deliver more in depth, but basic vetting, following ACAS guidelines and including DS/DBS background checks can be achieved easily. This has become a standard part of working for the industry.
It is not just staff that must be considered; visitors to the facilities and contractors who deliver essential professional services must also be taken into account. They too require training or induction to ensure they understand the site’s controls and don’t weaken the datacentre security by their presence.
Networks & Applications
The systems used to deliver security controls are just as subject to threats as the systems holding data that they protect. In a modern datacentre it is unlikely that security systems are kept in isolation as requirements for business continuity and remote management exist within many best practices. As a result, network segregation and security around the platforms and applications used to deliver the security controls is another potential attack vector and must be subject to appropriate risk mitigation.
Security in this space extends beyond the state of the systems at time of deployment. Regular audit, change management and patching must make up part of the ongoing maintenance to ensure continued compliance.
Physical security is often considered as a set of layers of protection with arguably the first layer of all being location. Ideally, datacentres should be located outside of densely populated areas and far enough from significant public infrastructure or large facilities that could be considered targets for terrorism or sources of interruption or contamination to datacentre operations. There must be a balance between accessibility and separation that must also satisfy specific physical requirements like access to power and telecommunication providers, and customer specific needs such as defined distance between a primary business systems and their backup or continuity services. Environmental threats like flooding must also be taken into account as potential critical threats to the operation of the datacentre.
With a suitably situated datacentre, a set of appropriate perimeter access controls must be deployed.
The requirement for an actual physical perimeter can change depending on the compliance requirements but perimeter fences should present a reasonable obstacle to entry encapsulating the site, and entry points should be controlled and employ anti-tailgate systems. Suitable surveillance should be used, as well as tremor sensors, infrared motion detectors and robust locking systems within the perimeter, particularly for generator and fuel repository containment. Controls like vehicle registration capture and facial recognition systems can supplement access security where additional control and audit is required.
Once inside the perimeter of a datacentre, the space is divided into a series of secure areas, often with within one another where the security controls deployed are appropriate to the threats and likelihood. At entry, exit and transit between secure areas controls must tie access to an individual and most commonly include two factor access authentication and in some cases extended to biometric devices. The intention is that both staff and visitor credentials are validated every time they move between secure areas. Access control is the primary security measure inside the building and should include camera coverage as an additional confirmation of access.
Security by design
Retro fitting security controls is always expensive so it is critical that the review of risk and identification of controls is included at the design stage. The inner walls of the building, particularly within the data halls, must be solid and run from ceiling to the subfloor to eliminate unnecessary spaces and points of access between areas. Filtered air systems, cooling, water, power and connectivity systems are typically housed in separate facilities and should also feature the same levels of security as the main building in terms of both access control. Threats to infrastructure can differ from traditional data security challenges so may require dedicated features like anti-ram protection.
Data centres must provide an extremely high level of service availability and need the electrical and mechanical systems to be designed to be highly available with built in redundancy and automatic failover. This means the continuous supply of power and telecommunications connectivity to site are a critical part of the design with requirement for diverse supplies of power and communications and multiple lines of protection including generators and uninterruptible power supplies.
The security and continuity approaches deployed to address risk within a datacentre environment often exceed what a normal business would consider and as such are an integral part of the business process review and improvement of a datacentre operator. Customers benefit from the extensive focus on delivering, maintaining and improving the security and availability of data held within the facilities allowing customer to focus on the security issues that are specific to their business.