Martin Grigg of PTS Consulting and chairman of the DCA Site Access Control and Security Group discusses how a breach of physical security could bring a major cloud provider to its knees…
Anybody that can gain physical access to a cloud server can access the data that is on it. This means that data security is not just about firewalls and encryption – it’s about physical protection as well. There are numerous standards and guidance documents available to steer owners and operators in the right direction for physical security, but this wealth of information leaves many people scratching their heads. New European Standard CENELEC EN 50600 contains useful information such as risk assessment and protection classes, but what are proportionate security measures? How do we define ‘proportionate’? What are the real risks?
Understand the threats
Security deployment must be proportional to risk, which is why the very first thing needed is to understand the threats and vulnerabilities that your data centre faces. A threat, vulnerability and risk assessment (TVRA) will assess all of these aspects and quantify the risks so that proportionate mitigation measures can be put in place. However, for the purposes of discussion, let’s assume that we are talking about a data centre that hosts a major cloud provider. That facility will have many facets that a TVRA will explore, but the headline risk to the cloud provider is data compromise and reputational damage. This risk is prompting some global data centre providers to go beyond access control and CCTV as far as installing body scanners for staff and visitors. The provider’s worry is an insider attack, so they are deploying technology to detect contraband, storage devices and other tools to try and counter the threat.
Integration can combine different elements of a security scheme in such a way that they support each other to produce a stronger and more effective solution as a whole.
In order to determine what measures are proportionate, one has to measure the cost of implementation against the likely exposure. Assuming that a data breach could significantly damage your business, then in proportionate terms an investment in physical security seems an excellent business decision – especially if your business is a recognised global enterprise.
There is a lot of good advice for security for a data centre, such as having good signage, locking gates, intruder detection and CCTV, but without a unifying strategy, they are not as effective as you might think. Without proper planning and integration of systems, you will not be getting the best from your investment. For example, without an integrated CCTV and detection system, your cameras will only provide a video of the crime after the event. Although this may have forensic value, you would rather see live images used as video verification of the event and a guard responding to shut down the breach before it becomes an issue.
A simple, layered approach to security will make it hard for an external attacker to breach your defences, but it takes more than this to counter the insider threat. Integration can combine different elements of a security scheme in such a way that they support each other to produce a stronger and more effective solution as a whole. The benefits of such integration can be summed up by the phrase that was first coined by Aristotle: ‘the whole is greater than the sum of its parts.’ In other words, integration done in the right way produces synergy.
Integration also produces defence in depth, which is where defensive lines of a system support each other and create uncertainty for an assailant. Defence in depth goes beyond a simple layered approach and reaches out as far as the local community, contractor vetting, robust procedures and a good security culture. At this stage it becomes not only difficult for an insider to cause a problem, but also reduces the likelihood that they will get away with it, making the deterrence far stronger.
Shining a light
By talking about the benefits of integration and defence in depth, it can be seen that physical security is an essential but complex subject and that paying lip service to it is not going to protect your business. The industry needs to pull expertise and experience to not just produce another guidance document but to shine a light on good practice and available information. EN 50600, which has a section dedicated to security, is an excellent document and good news for the industry; hopefully, it will standardise the approach.
Even though this document contains a lot of good information, it still does not go far enough to help owners and operators prevent a major data breach, which could potentially bring a large corporate – including any cloud provider – to its knees.
This post originated at Data Centre Management magazine, from the same publisher as The Stack. Click here to find out more about the UK’s most important industry publication for the data centre space.