Hackers can wreak all sorts of havoc by breaching datacentres, from gaining access to masses of sensitive data to knocking entire companies offline.
With cyber attacks becoming more common and complex, it’s understandable why datacentre operators are worried – and increasing their cyber security spend as a result.
But the physical security of datacentres, which some experts fear is being neglected as operators focus more of their time and resources on mitigating cyber risks, also has a crucial role to play. Whether it’s ensuring datacentres are equipped to cope with natural disasters or keeping intruders out, physical security is key to maintaining the resilience and effectiveness of datacentres.
Jake Moore, a security specialist at ESET, says: “Physical security is just as important as cyber security but it rarely gets matched with the same pay. Some of the biggest threats come from physical access to a network, such as insider threat, which can be extremely difficult to protect against.”
Moore takes the view that physical security should be treated just as seriously as cyber security when it comes to securing datacentres. He warns that businesses end up exposing themselves to a range of risks if this area of security is ignored.
“Access management is clearly a big issue, too, with the likes of the recent Twitter hack, and mustn’t be forgotten about when securing a perimeter,” he says. “Coupled up with social engineering, it can have devastating consequences.
“Furthermore, the recent influx of ransomware demands are being paid due to the incorrect way backups are being kept. When stored correctly, it can mitigate ransomware mishaps and get businesses back up and running in a short time.”
A balancing act
In many ways, cyber and physical security go hand-in-hand. And if one area is missing, the other will not be as effective. “Those in charge of the network perimeter mustn’t get complacent when spending on physical security and need to remember that spending resources on cyber security can be worthless without protecting the physical assets, too,” says Moore.
“This can be showcased in arranging a simulation attack from a third-party penetration team and it can be extremely valuable to a company. Such an experiment will usually highlight those weaknesses both in the network and from a physical perspective, and all in a safe environment.”
Andy Miller, security risk manager at BT, agrees that the physical security of datacentres must be treated with the same level of attention as cyber threats.
He tells Computer Weekly: “The foundation of protecting datacentre assets is to ensure you truly understand how critical each of your assets are, and the associated risks to service operations if they are compromised. When it comes to understanding and then mitigating risk, you must think holistically and ensure that you aren’t forgetting to address the physical aspects.
“This includes employee identity and access management to avoid unauthorised access; considering the effects of disruption from power or utilities issues; how you would deal with environmental causes such as flooding; and even more extreme situations such as explosives, electromagnetic pulse (EMP) attacks or a hostile vehicle incident.”
For datacentre security measures to be effective, organisations should take into account all types of threats and mitigate them accordingly.
“Essentially, you must think about what’s beyond your perimeter, as well as your own systems and operations (cyber and physical), all the way to the rack,” says Miller. “By adopting a security-by-design approach, you can invest intelligently to create defence in depth, delivering the comprehensive range of protections required to deal with physical threats, alongside the cyber threats which are often top of mind.”
Merritt Maxim, research director at Forrester, also believes the stakes are high when businesses neglect the physical security of datacentres. “These potential disruptions can range from unpredictable weather-related disruptions to insider attacks and criminal or terrorist events, all of which can lead to the loss of physical data,” he says.
“Disruptions to the datacentre can lead to lost data, disrupted business operations, detract from employee productivity, affect customer perceptions and lead to similar compliance fines or penalties from cyber loss.”
But he explains how many organisations are investing in different technologies to counter such threats. “These range from stronger access controls to manage employee access to the datacentres, often using biometrics (hand, eye or facial recognition) to HD video surveillance and advanced video analytics to utilise for forensic purposes,” he says. “In cases where third parties or contractors may need access to the datacentre, firms may use stronger background checks prior to granting access to the facility.
“Lastly, firms are also investing more in business continuity services to ensure proper failover and backup in event of an incident, as well as doing annual red team exercises and security awareness training to maintain strong security vigilance among all the staff managing the physical datacentre.”
Improving physical security
At colocation giant Digital Realty, securing physical and cyber assets is being treated with equal importance. Jeff Tapley, managing director of Europe, Middle East and Africa, says: “Since the data ‘big bang’ in the technology industry many years ago, conversations about security have gradually shifted from revolving around traditional lock and key to cyber security and protecting data virtually.
“However, bad guys don’t just exist in the virtual world, so virtual is only one part of the equation. What good are antivirus programmes and firewalls if anybody off the street is able to gain physical access to critical servers without resistance?”
Tapley believes that the physical safeguarding of datacentres has never been more important, with the proliferation of the internet of things (IoT) and big data. Because of this, Digital Realty has invested significantly in the physical security of its datacentres.
“Our facilities make use of a full array of security tools – including bollards, mantraps, access control systems and sophisticated surveillance systems – to ensure all resources are protected from unexpected incidents and criminal activity,” he says.
As well as protecting against both physical and cyber security threats, he says firms need to realise that security is not a “set it and forget it” scenario, and that it requires constant attention with new threats always emerging.
“Over the past few years, data has moved from being just a resource to an asset; arguably the most valuable in the world,” says Tapley. “And as it continues to increase in value, our customers need the assurance that the assets they house in our datacentres are protected from theft and natural disasters.
“Therefore, in order to work effectively, security requires constant vigilance, both in terms of monitoring the facilities themselves, as well as regularly updating systems to reflect current best practices and developments.”
Layered security is crucial
Physical security clearly plays a vital role in protecting datacentres from myriad threats, but what does it actually entail? David Watkins, solutions director of Virtus Data Centres, says a datacentre’s physical security should be designed to withstand things like corporate espionage, terrorism, natural disasters, thieves looking to make financial gains and many other issues.
“They should be built with security in mind from the ground up to maintain 100% uptime, keep unauthorised people out and ensure that the precious data housed inside is protected,” says Watkins.
He advises datacentre operators to implement defence-in-depth strategies, whereby IT systems are protected by a layered security approach, to “keep out the people you don’t want in your datacentre, and if they do get in, identify them as soon as possible, ideally keeping them contained to a secure section of the facility”.
Datacentres should be equipped with at least seven layers of physical security, according to Watkins. These include physical barriers, intruder detection, surveillance cameras, 24/7 security guards, vehicle traps, full authentication and auditable access policy control, he says.
“Additional security features are sometimes added depending on the specific needs of the organisation,” says Watkins. “But be aware that not all datacentres provide the same level of physical security. For example, some older datacentres that happen to be in city centres may not benefit from the same set of security parameters as those located in the lower-profile metro areas.”
Jeffrey Schilling, CISO at Teleperformance, recommends four tips for getting physical with datacentre security.
First, he says businesses that use colocation datacentres should ask themselves whether the rented space has a protective cage around their servers that only employees can access through biometric access management locks.
Second, he advises companies to implement CCTV cameras that show both the front and back of their hosted servers to identify unauthorised access.
Third, businesses should also have a redundant workload in another datacentre that is on a separate power grid and more than 90 miles away in case of natural disasters, according to Schilling.
Finally, he says businesses should ensure that their backup generators have adequate fuel, adding that they should plan enough onsite fuel to run a minimum of 72 hours.
For businesses in all industries, datacentres are an incredibly important asset in the digital age. And while it is great to see that so many businesses are taking steps to defend them from cyber attacks, they also need to ensure that the physical security of their datacentres is up to scratch. Otherwise, they will be left vulnerable to a whole range of threats.