In light of recent events including the DDoS cyber attacks on Sony Corporation’s PlayStation and Entertainment networks, one prime area for reassessment by security and IT professionals just now is that of data security. Not just online safety from the perspective of the firewall, but also – as Kevin Ward rightly points out – the physical security scenario in terms of where and how sensitive information is stored and protected.
We’re living in changing times and, it must be said, not all of the changes visited upon us are for the better. We left 2014 with the ugly taste of international terrorism once again in our mouths following the shocking atrocities in France and Australia. At the same time, the promise of a Brave New World ushered in by new technology and the Internet suffered a seismic blow as the Sony Corporation was hit by a DDoS cyber attack on an epic scale.
While the latter episode may not have resulted in death or injury, it still served to highlight the degree to which the modern world is vulnerable to attacks, not to mention the emerging angles of those attacks.
The terrorism episode at the offices of satirical magazine Charlie Hebdo in Paris and the armed siege at The Lindt Café in central Sydney were most certainly shocking but they didn’t necessarily surprise. Terrorism is nothing new and there’s no reason to assume it will ever go away.
However, what did raise collective eyebrows was the ruthless efficiency and obvious targeting behind the attacks that, in the case of the Paris episode, saw just a few obviously well-prepared individuals create an outrage of global magnitude.
The Sony cyber attack was also nothing new. Cyber crime has been around since the dawn of the modern IT age. Again, what the Sony attack highlighted, though, is how ruthlessly efficient cyber criminals can be. This attack is likely to have been carried out by a very small group of individuals with very limited resources, but using them to maximum effect. It also served to illustrate the degree to which cyber criminals always seem to be one step ahead of complex defence mechanisms designed to negate them.
It’s fair to say the huge global IT industry that’s working on a 24/7 basis to defend against cyber criminality is invariably reactive to emerging threats. The very nature of the beast means that the threat isn’t always foreseen or fully understood until such time as the mode of attack reveals itself.
If security professionals have learned anything from these recent events it’s simply that they cannot afford to be complacent. At the same time, they must think clearly about the next angles and modes of attack society is likely to face. It will always be a challenge for us all to be proactive and attempt to remain one step ahead of ‘the bad guys’ but, as the bastions of security, we need to try.
The most pressing issue facing security professionals in the modern era is to identify what the potential targets for terrorism and major crime are likely to be and then devise strategies that better protect against them.
Protecting sensitive information
One key area to be reassessed is data security. Not just online security from the perspective of the firewall but also where and how sensitive information is both stored and protected.
In the digital age, our modern society is entirely reliant upon data. Whether you’re considering our own personal lives and finances or the workings of the business community and even Governments, data exists largely as binary code stored in – and transmitted between – an increasing number of data centres around the world. Many end users, organisations and businesses are now moving towards a computing model whereby they’re opting – largely for the sake of convenience – to entrust data to ‘the cloud’. In other words, instead of storing data locally at the office, they’re uploading it to third party data centres and trusting such operations to both keep that information safe and make it available wherever and whenever it’s needed.
Furthermore, as a society we’re increasingly using cloud-based software and applications (ie Software-as-a-Service) whereby we don’t buy and own hard copies of programs. Rather, we effectively rent and use software programs that operate ‘from the cloud’.
That being so, data centres are becoming incredibly valuable… and also increasingly vulnerable. Yet while we rely more and more on data centres, the reality is that most people aren’t even aware of their existence. Those same individuals would certainly be aware of the effects should a data centre holding their information be successfully targeted and breached by criminal factions.
During 2013 it was estimated that approximately 10% of the world’s total electricity usage was set aside for operating physical data centres. While there has been a determined push to make those data centres more energy efficient, there has also been that mass migration to the cloud computing model and an explosion of additional data.
The reality of the situation is that the number of data centres has increased still further.
Data centres themselves do not change much. As you might imagine they’re effectively buildings full of servers, wiring and other technical infrastructure managed by teams of skilled technical staff. There’s a good deal of guidance available in terms of Best Practice with regards to the set-up and operation of data centres and, equally, much Best Practice advice for organisations and businesses making good use of data centres’ capabilities.
By way of example, it’s Best Practice to ensure that an organisation’s data is backed up at a recovery data centre situated a suitable distance away from the main organisation. In the event of a catastrophic event or failure at the primary data centre, the idea is that an organisation can then easily access the back-up data at the second site.
The importance of data recovery strategies was shown during the 9/11 attacks on the World Trade Centre in New York. Questions were raised around back-up data and the location of back-up data centres after an estimated 18,000 businesses were affected by the attacks. The initial debate focused on the physical location of recovery sites, with some experts suggesting 200 miles as being an ideal safe distance. Other commentators proposed the notion that the distance be dependent on environmental factors such as the likelihood of natural disasters or the sensitivity of the actual data and the organisation itself.
Security of data centres
The 9/11 attacks were a long time ago. Back then we were still largely living in a dial-up Internet world. Both broadband and mass online data storage were yet to become a reality for most.
However, even then the terrorist attacks perpetrated by Al-Qaeda gave an early indication of the disruption that can be caused when data stored off-site is compromised.
To be frank, 9/11 represented a dramatic wake-up call to the business community and the IT world that hadn’t even considered the effects of such a terrorist-driven catastrophe.
During the intervening years the focus has been on back-up recovery – which, in itself, is a sensible strategy – but has there been a strong enough parallel concentration on the security of data centres themselves?
The potential effects of cyber crime are huge and widely appreciated. As a result, there’s a global industry fully focused on improving online defence in the form of firewalls and other state-of-the-art technologies.
As 9/11 showed, though, the effects of physical attacks on data centres can be equally damaging, and most certainly so for those businesses that don’t have adequate data recovery strategies in place.
It would be ignorant to believe that terrorists and criminals will not, at some stage, turn their attentions towards data centres. Such centres’ inherent value as critical information hubs upon which our modern digital society is built will inevitably render them the targets of tomorrow if they’re not already so.
It’s also folly to assume that maintaining a low profile and ‘not being noticed’ is a sensible approach towards physical security for the data centre or, indeed, any other sensitive location.
Kevin Ward is Executive Director at Ward Security