Getting your head around data centre security can be hard work. You need a sophisticated understanding of concepts like authentication, the ability to spot weaknesses in your provider’s policies and processes, and some idea of the level of security you need to meet your business’ data protection and compliance requirements.
That’s why organisations often look to accreditations as their first port of call when assessing the security of a potential data centre partner. But what should you actually look for?
Your first port of call: ISO27001
Almost every reputable data centre will have the ISO27001 accreditation – it’s the most commonly recognised within the industry and sets the benchmark that every provider should adhere to. The standard was first published in 2005, and has been updated steadily since to provide a trustworthy reference point for how an information security management system should be implemented, managed and improved.
In some industries, compliance with particular security standards is vital for a business even to function. And, in some cases, those standards include a number of requirements around the design and maintenance of the data centre – meaning colocation and cloud providers need to be able to prove their compliance, too.
If you work in the e-commerce industry and process your own credit and debit card transactions, for example, it’s critical that your data centre can demonstrate PCI compliance (either via an external audit or annual self-assessment). This requires security controls like 24-hour CCTV monitoring to minimise the risk of card data exposure and fraud.
Finally, you may want to consider the auditing body used by a potential data centre partner, the nature of its accreditations, and whether this in itself tells you something about the security of the facility. It’s easy to look at a data centre’s website, see that a particular accreditation is listed, and take it at face value rather than undertaking an in-depth review of the relevant documentation. But the latter is, of course, what you ought to be doing.
It’s in your best interest to check the scope of any accreditations, as well as to ensure they come from reputable bodies – not some website you’ve never heard of before. There should also be evidence that the facility’s security policies are followed correctly – and that they actually exist! Most data centres, and certainly the ones worth working with, should have no problem with your business auditing their premises.
Still not sure about what makes a data centre secure? Download our checklist for a comprehensive overview of the factors to consider.