When discussing data centre security, many articles concentrate specifically on mitigating against network breaches. Infosecurity-magazine.com ran an article November 2013 detailing how ‘cybercriminals were able to access partial information for 1.5 million different customer segments in an Irish data centre’.
Only last week, reports were published, highlighting how a major UK data centre experienced downtime and concurrent issues for nearly 48 hours after a network breach.
However, what about physical security to mitigate against theft of hardware? The well documented Vodafone data centre break in of 2011 (in which thieves broke into Vodafone’s Basingstoke site to steal network equipment) emphasised to all data centre users and operators, the necessity of secure, fortified buildings and halls. Further back, Verizon experienced the famous ‘Ocean’s 11’ type break in, when thieves who were dressed as policemen, tied up security guards before removing $4 million worth of equipment from the site.
But these incidents date back over three years, and so it is easy to see why most data security articles concentrate on network risks – after all, data theft these days is committed by ‘cyber criminals’, right? No one steals physical hardware anymore, right?
Consider Coca Cola’s recent announcement that up to 74,000 records of sensitive data may have been compromised when dozens of laptops were stolen from the company. Coca Cola admit staff driving licence details, salary details and social security details may all have been compromised, offering all affected staff members free credit monitoring, paid at their expense.
The risk to hardware storing data is still very much alive – whether it is stored on a laptop or a server, the hardware on which data is stored is still very much a target for thieves. And rectifying any loss of hardware is expensive, laborious and potentially very harmful to any company.
It is often commented that a data centre provides the securest location to mitigate against the risk of theft of physical hardware. Datacenterjournal.com (for instance) has published a handy list of principles that a client should remember when considering a potential data centre’s security:
- Ensure the data centre has a low key external appearance – why would you want any potential threats knowing that your building is a data centre?
- Limit entry points in and out of the building – who wants large sliding doors that grant entry to all passers by?
- Ensure an external perimeter fence – stopping people getting to the racks is significantly easier if they can’t even get to your building.
- Limit the number of windows – because a glass building really isn’t the safest option now is it?
- Plenty of cameras – cameras can be used to catch people in the act, to gain evidence, but also to prevent criminal activities in the first place.
However, one principle datacenterjournal.com also recommends is permanent security guards on site. Now for many data centres, this is a chosen option. In the reception of the site sits a security guard. But this is where we recognise not all data centres are indeed the same. And not all necessarily are as secure as you might originally think.
Often, contrary to popular belief, it’s safer not to have a security guard at the front desk. After all, doesn’t the Verizon incident clearly showcase the issue of having an approachable guard on site? If a security guard can be approached, they can be put at risk. And if they can be put at risk, so too can your servers.
This is why our Manchester data centre has a BS5979 CATii Alarm Receiving Centre on site. TeleData’s security camera monitoring, access and egress, environmental monitoring, access control lists etc. are all controlled by our BS5979 CAT ii ARC.
Based on the first floor, behind double blast proof doors and high density concrete walls lives our security team – ensuring that they can never be compromised. Upon arriving at the site, security conduct 5 visual or audio challenges, before you even get to the reception. Outside, every inch of our grounds is monitored by our highly trained team to BS8418 standards – including the roof. Inside, security conducts a further visual and audio challenge, before granting access to the iris scanner. Only then can the data centre be accessed, ensuring the most thorough security checks are imposed, without the risk of an approachable security guard.
Having a BS5979 CAT ii ARC, also grants TeleData a URN (Unique Reference Number). This URN means that should TeleData ever be attacked by a physical threat, the police must respond immediately and with adequate force. The ARC guarantees a swift response is implemented in times of need – something that an onsite guard cannot guarantee.
Further, having the ARC ensures at least 3 highly trained specialist guards on site 24/7/365. Crime stops for no holiday, and TeleData never suffer from a lapse in security.
Physical security threats are still a major concern for data centres, and on site security guards is not as adequate a preventative measure as you might think. When considering security, as datacenterjournal.com points out, a host of factors come into play. But with BS5979 CAT ii being the highest level of security available for a private company, no principle can be as secure as an ARC based on site.