Data centre security: Do you understand your risk?


Let’s assume for a moment that you still manage all or some of your data in-house.

By implication that means that somewhere in the building you have a room full of servers that need to be maintained and protected. And as a manager you’ll be aware of the physical risks that threaten the integrity of your data. These include not only flood, fire and incursions by malicious third parties but also the havoc that can be created by unauthorised members of staff entering the secure area and, accidentally or deliberately, tampering with the equipment. Naturally enough you do your level best to protect your hardware and software from all these threats.

So now let’s say that you’ve made an important decision to outsource your storage and IT functionality to an external data centre. As with the in-house operation, you’ll want to be absolutely assured that the risks will be effectively addressed. Certainly you will ask questions and your choice of provider depends heavily on the answers.

But will you be asking the right questions? Or, to put it another way, unless you fully understand where the main areas of risk lie, you may not be in a position to assess the security provisions put in place by a potential provider.

Risk misconceptions

As a species, we’re not always terribly good when it comes to assessing real levels of risk and threat. The classic example is the motorist who drives many thousands of miles a month without a second thought while getting stressed at the (statistically) much safer prospect of catching a flight from London to New York.

There are good reasons why the latter is perceived as more dangerous – not least that driving gives us a sense of control while flying puts us in the hands of others and that air accidents tend to be both well publicised and unpleasant. Air travel is, therefore, scarier but actually much less risky.

And very often, data centre customers will focus on the ‘scary’ headline threats, such as terrorism, theft by organised criminals or a major accident. This leads to common questions such as:

  • What provision have you made to protect against an explosion?
  • What has been done to prevent an attack on the data centre from, say, a gang driving a truck through the wall?
  • What has been done to ensure the centre continues to operate if there is a major incident in the area?

All good questions, and your data centre manager should be able to provide the answers. But the truth of the matter is that incidents of this kind are extremely rare. If we take the threat of bomb-blast as an example, there is currently no record of a data centre being attacked by terrorists in this way. Equally the incidence of data centres being affected by attacks on other installations is rare to the point of being negligible.

Common threats

And in reality the main and common threat to the integrity of data stems from a much more mundane source – namely the member of staff (or perhaps an external party) who gains access to the servers and maliciously or unintentionally causes an outage.

This was probably a threat that you were aware of when running an in-house operation, but the expectation is that in an external data centre all staff will be suitably qualified and skilled and those who aren’t will not be given access to key areas.

But the truth is that it’s vital to ensure that all those with physical access to your servers (within the data centre) are thoroughly vetted and managed. At one level, a negligent or poorly skilled employee can cause an enormous amount of damage. At the malicious end of the spectrum, someone with a grudge or criminal intent could, in extreme circumstances, cripple your operations.

Going forward

So what is to be done? Well, first and foremost it’s important to thoroughly vet your own staff, and particularly those who may be visiting the data centre. Equally important, you should also be vetting anyone within your supply chain who might be given access.

It’s vital to establish how the outsource provider manages access to your IT hardware within the data centre. How are members of staff authenticated? What measures are in place to prevent an unauthorised person stealing the identities of others to obtain physical or virtual access?

Equally important, if security measures are ostensibly present, are they being actively enforced? For instance, let’s say an authorised person opens a secure door with a pass and is followed through by another party. Clearly the second party has no need to use a pass as the door is already opened but this is a breach of procedure. Will he or she be challenged, or are there electronic measures in place to prevent this kind of “tailgating”?

The value locked up in data is immeasurable. From client details and e-mail records through to transactional and operational information, the data lies at the heart of corporate operations. Those protecting the data should be security professionals and not simply data centre managers with an added security responsibility.

Outsourcing to a data centre can and should make information more, rather than less, secure. Good data centres have the resources and expertise to ensure its integrity. However, before deciding on a provider it is vital to fully understand the risks and ask appropriate questions.