Choosing a colocation provider can be a challenging process – especially if you’re not an expert on the inner workings of a data centre and on how a provider’s attitude, approach and general operations could impact the security of your, and your customers’, critical systems and data.
Physical security should always be a major consideration, so here we outline some of the issues most commonly overlooked by providers that you should keep in mind during your data centre selection process.
1. Tenant confidentiality
If your colocation provider makes a big song and dance about the high-profile and big-brand tenants they are hosting equipment for within their data centre, they may not be your best bet if you need your own company confidentiality to be respected.
Don’t be afraid to ask whether they have permission to mention any of the brand names that come up during a data centre tour – even during the sales process they should be demonstrating their integrity and approach to client confidentiality.
There are other areas where anonymity may be important, too. A poorly designed access card with personal, contact, address or company-identifying information on either side, for example, not only makes it easier for someone to pretend to be you, but may also give them a starting point to crack other site authentication controls.
2. An accessible reception doubles up as site security
It may seem strange to say, but the presence of security guards, or receptionists doubling up as security, on an easily accessible front desk at your data centre reception or lobby could actually be a serious security risk – for your data, equipment and also for the personnel themselves.
If the facility is compromised, they may be subject to intimidation or a duress situation and could become part of an incident themselves rather than be able to respond to it in an appropriate manner – and, in such a scenario, you can guarantee that they’ll protect themselves and their own personal well-being over that of equipment within the data centre (as they should, of course, be expected to do).
Instead, colocation providers should keep their staff in a separate, protected and purpose-built control room (as they are in TeleData's Manchester data centre) where they can observe incidents and make cool-headed decisions (such as whether to remotely lock down critical doors, or contact the police), from out of harm’s way.
If the data centre’s technical security controls and monitoring capabilities are strong enough, then they shouldn’t need to keep security personnel on reception to enforce access rules and turn away unwanted visitors. It may save money to provide a double function on the reception desk, but it’s not best practice.
3. There are multiple entry points to the facility
The more points of entry a data centre has, the more opportunities for resourceful and persistent individuals to get inside without authorisation. This is especially true if a colocation provider does not have consistent (or risk-appropriate) security controls across all of their possible entry points. Having a robust set of controls in primary access areas is almost pointless if the loading bay is not secured, for example.
You should question any potential provider on the type of intruder detection that is in place across all externally facing doors and windows, and on whether and how it is monitored.
4. Access control records and audit trails cannot be provided with certainty
Your provider should have full visibility of who comes in and out, and all access attempts, both successful and denied, should be logged so that they can provide with certainty details of who was in the facility at any particular time and date. It’s important that you quiz them about their methods to ensure the logging process is watertight and can be reported on in detail.
Furthermore, contractors and staff should undergo similar authorisation procedures to visitors, with identity badges used to differentiate the working staff on site. A log of all these visitors should also be kept. As a customer, you should be able to request a record of all access attempts by your members of staff and of any third-party engineers you may have authorised along the way.
If this information cannot be provided or substantiated then it could point to a substandard access control system, and could be a red flag for any accreditations that require this information as part of an audit.
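As an added illustration (not part of the original article, and not any provider's own tooling), this is the kind of check a customer could run over an access log export they have requested: it reconstructs who was on site at a given time, lists denied attempts, and flags records that do not add up. The CSV columns, holder IDs and door names are constructed for the example.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample export: column names and values are assumptions,
# not the format of any real access control system.
SAMPLE_LOG = """timestamp,holder,door,direction,result
2024-03-04T09:02:11,staff-017,main-entrance,in,granted
2024-03-04T09:15:40,engineer-3p-02,main-entrance,in,granted
2024-03-04T09:47:03,staff-022,loading-bay,in,denied
2024-03-04T11:30:25,staff-017,main-entrance,out,granted
2024-03-04T12:05:52,staff-031,main-entrance,out,granted
"""

def load_events(text):
    """Parse the export and return events in chronological order."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda r: r["timestamp"])

def audit(events, when):
    """Return (holders on site at `when`, denied attempts, trail gaps)."""
    inside, snapshot, denied, gaps = set(), None, [], []
    for ev in events:
        # Freeze occupancy just before the first event later than `when`.
        if snapshot is None and ev["timestamp"] > when:
            snapshot = set(inside)
        if ev["result"] != "granted":
            denied.append(ev)  # denied attempts never change occupancy
            continue
        holder = ev["holder"]
        if ev["direction"] == "in":
            if holder in inside:
                gaps.append((holder, "second entry with no exit logged"))
            inside.add(holder)
        else:
            if holder not in inside:
                gaps.append((holder, "exit with no entry logged"))
            inside.discard(holder)
    if snapshot is None:
        snapshot = set(inside)
    # Anyone still marked inside has no matching exit in this export.
    gaps += [(h, "no exit logged by end of export") for h in sorted(inside)]
    return snapshot, denied, gaps
```

A gap is not proof of an incident, but each one is a point where the provider cannot say with certainty who was in the building, which is exactly what to ask them to explain.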
5. The role of management and expertise
We’ve said it time after time, and it’s a message that bears repeating: most security breaches or unplanned outages in the data centre are the result of human error and poor management, rather than a malicious attack. The recent BA outage, caused by a contractor accidentally turning off a UPS unit, is a perfect example of this.
It’s therefore essential that the staff are confident in their own procedures, and that there’s an organised management structure in place. As a buyer, you rely on your colocation provider for business-critical services – you should have access to their expertise as well as evidence of their accreditations, procedures, policies and control mechanisms.