What makes a good data security guard? Matt Lovell, the chief technology officer of Pulsant, assesses what should be looked for in a third party provider for both physical and cyber security.
16.10.13 – Entrusting mission critical data to a third party is not a decision to be taken lightly, and it requires the highest level of trust. The market is full of reputable companies offering cloud, managed hosting and data centre services. However, while reputation and experience are certainly important in establishing that trust, as a CIO or high level decision maker you need to know exactly where your data is and what is being done to protect it. Vendor assurances, detailed service level agreements and a signed contract may not be enough to allay those concerns, and an examination of the actual data centre may be in order.
Typically, your organisation will be hosting its data alongside other companies' data in a multi-tenant data centre environment. This means that your confidential information, intellectual property and other mission critical data must be kept safe from both physical and cyber threats, including threats that originate from neighbouring tenants.
Data is transferred in and out of the data centre environment via the Internet, and it is here that it is at its most exposed, so data in transit should be encrypted (for example over TLS or a VPN) rather than relying on the network path alone. Your provider should be ISO 27001 (information security) certified, and you should ask to see the certificate's scope statement: a certificate whose scope covers only the corporate office says nothing about the data halls. At the very least the provider should have the basic security measures in place, from intrusion detection to application firewalls. This can be further extended to anti-virus software, hardware firewalls, a documented update and patching process and regular security audits.
A data centre could be more of a target for theft than, say, a server on your premises. The building and surrounding area must therefore be highly secure and in a suitable location: free from extreme weather and natural disasters, and away from sources of electromagnetic interference. In addition, sites should be located away from facilities that could themselves be targets, such as airports, chemical plants and power stations.
The most effective mix of security services incorporates physical patrols, an on-site security presence at the main entrance for visitor validation, and remote monitoring of CCTV with any threat reported to the local police for an immediate response. Within the facility, the role of security personnel should include supporting customer and authorised third party access to the data hall, escorting visitors and contractors, and monitoring access control logs and internal CCTV views. Internal and external security roles are best staffed by separate teams, so that each can focus on its own duties and maintain vigilance.
Entry to the site should be managed with an anti-tailgating system, vehicle registration capture software and facial recognition cameras. For authorised visitors and staff, access should be controlled via two factor authentication, combining something the person holds (an access card or fob) with something the person is (a biometric); note that a card plus a fob is two instances of the same factor, not two factors. Access to the data halls should be further secured through a layered approach, in which staff verify their credentials at least three times, at successive boundaries, before entry is permitted.
Access control is the primary security shield inside the building and, as such, includes controlling and monitoring entry as well as recording exactly who went where, and when. Those records are only useful if they are retained and actually reviewed: a log that nobody reads will not reveal that a badge appeared in a data hall without first passing the outer layers.
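The layered access described above produces a log from each boundary, and the useful check is whether every badge seen at an inner layer was first granted entry at every outer layer. The following is an added example, not code from the original article or from Pulsant: it runs an anti-passback style check over constructed badge-reader log lines. The zone names, the three-layer ordering, the log format and the badge identifiers are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Layers a person must pass through, outermost first.
# Assumed zone names for this example, not any real facility's layout.
LAYERS = ["perimeter", "reception", "data_hall"]
RANK = {zone: i for i, zone in enumerate(LAYERS)}


@dataclass
class Event:
    ts: datetime
    badge: str
    zone: str
    result: str  # "granted" or "denied"


def parse_log(text):
    """Parse constructed log lines of the form: ISO-timestamp,badge,zone,result."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, zone, result = [field.strip() for field in line.split(",")]
        if zone not in RANK or result not in ("granted", "denied"):
            raise ValueError(f"malformed line: {line!r}")
        events.append(Event(datetime.fromisoformat(ts), badge, zone, result))
    # Readers may report out of order; evaluate in time order.
    return sorted(events, key=lambda e: e.ts)


def check_layers(events, max_denied=3):
    """Return (timestamp, badge, reason) alerts for two conditions:

    1. A badge granted entry to layer N without a prior grant at every layer
       outside N. Either the holder tailgated through an outer door or an
       outer reader was bypassed; both deserve a look at the CCTV.
    2. A badge accumulating max_denied refusals: credential probing, or a
       lost or cloned card being tried at doors it should not open.
    """
    passed = defaultdict(set)   # badge -> set of layer ranks granted so far
    denied = defaultdict(int)   # badge -> number of refusals
    alerts = []
    for e in events:
        if e.result == "denied":
            denied[e.badge] += 1
            if denied[e.badge] == max_denied:
                alerts.append((e.ts, e.badge,
                               f"{max_denied} denied attempts, latest at {e.zone}"))
            continue
        rank = RANK[e.zone]
        missing = [LAYERS[r] for r in range(rank) if r not in passed[e.badge]]
        if missing:
            alerts.append((e.ts, e.badge,
                           f"entered {e.zone} without passing {', '.join(missing)}"))
        passed[e.badge].add(rank)
    return alerts


# Constructed sample log: B1001 behaves normally, B2002 appears in the data
# hall without a reception grant, B3003 is refused three times at the hall.
SAMPLE_LOG = """
2013-10-16T08:58:10,B1001,perimeter,granted
2013-10-16T08:59:40,B1001,reception,granted
2013-10-16T09:03:05,B1001,data_hall,granted
2013-10-16T09:10:12,B2002,perimeter,granted
2013-10-16T09:14:30,B2002,data_hall,granted
2013-10-16T09:20:00,B3003,data_hall,denied
2013-10-16T09:20:15,B3003,data_hall,denied
2013-10-16T09:20:31,B3003,data_hall,denied
"""


def run_example():
    """Run the check over the constructed log and return the alerts."""
    return check_layers(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ts, badge, reason in run_example():
        print(f"{ts.isoformat()} {badge}: {reason}")
```

In practice the same check is worth extending with exit events (so a badge that is still "inside" cannot be granted entry again at the perimeter) and with a time window, since a grant at the perimeter on Monday should not cover a data hall entry on Friday; both are straightforward additions to the per-badge state kept here.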
People will always be a weak link in a security chain. Not only must all visitors be correctly vetted, asked for photographic identification and monitored throughout the facility, but staff members also need to meet stringent security requirements. For example, Pulsant conducts DBS checks (Disclosure and Barring Service, previously called a CRB check) every year on its employees and verifies at least two past employer and personal references prior to employment.
The Pulsant facility in South London, for example, operates to ISO standards to maintain defined levels of data security. It features on-site security personnel 24 hours a day, an anti-tailgating vehicle entry system and dual palisade steel fencing around the entire site. Inside the building, infra-red motion sensors raise intruder alerts within the halls, 42 high-definition CCTV cameras monitor the site, and PAC (personal access code) and PIN (personal identification number) access control is in place, along with double entry systems throughout the site.
Hacking, malware and cyber-crime are just a few of the threats that will continue to grow in line with the value of data, so keeping data safe becomes an ever more challenging task. With the right partner taking responsibility for your data in a secure facility, however, the job of protecting it becomes far more manageable.