Security: A Growing Influence on Data Centre Selection

The development and proliferation of the global Data Centre industry over recent years has been nothing less than incredible. A bubble that many experts expected to burst in the early 2000s has, in fact, grown exponentially since that time. Driven by the movement of data from private corporate servers to cloud-based solutions, coupled with a growing corporate interest around Internet of Things (IoT) initiatives, corporate demand continues to grow and, asserts Jon Roadnight, there’s no sign of a slow-down. Indeed, with data consumption skyrocketing, major cloud service providers are anticipating the need to triple their infrastructure by 2020.

One of the major beneficiaries of this growth has been Data Centre service providers with a co-location proposition. A ‘Co-Lo’, as these Data Centres are known, is a facility in which tenants are able to rent space to accommodate anything from a single server blade with negligible power requirements up to multiple, complete data halls requiring many megawatts of processing power. The Data Centre provider is, in effect, a landlord who provides a facility that generally delivers five key services to each of its tenants: a managed building facility, access to diverse data networks, power, cooling and security.

If you take a moment or two to consider the type of information now routinely housed within these giant data warehouse facilities, it’s little wonder that security is seen as a key ingredient of a high-quality Data Centre operation. Governments store much of our personal data, including National Insurance and HMRC records, within Data Centres. Many financial institutions operate on systems housed in Co-Lo’s and, while the Security and Intelligence Services, the military, the courts and Her Majesty’s Prison Service, etc have their own dedicated Data Centres, cloud-based strategies across all sectors will continue to blur the lines between dedicated and co-located facilities. While we can appreciate the need to secure all of the associate data in those areas, the new technology industries are going to present challenges that are only now being fully considered.

By way of an example, the race to develop ‘driverless’ vehicles has, on the face of it, little to do with a Data Centre. However, the processing capacity to provide the tracking, monitoring and guidance systems that are needed to facilitate this technology are already being built and large aspects of the infrastructure will be housed within Data Centres. Who would have guessed a few years ago that technology would revolutionise the world of private hire taxis, but Uber (full name: Uber Technologies Inc) is seen very much as a technology giant and its operation is very largely Data Centre-based.

While most Co-Lo operators use a risk mitigation approach to Data Centre management, let’s concentrate here on looking specifically at the subject of security risk management and highlight some of the areas that need further attention when it comes to Data Centre security.

Security: one of the key elements

In an age where the subject of data security has become so emotive, it’s right that security is seen as one of the key elements of a Data Centre. The subjects of cyber and information security have grown in prevalence in line with the growth of Data Centre numbers and there appears to be an increasing appreciation that the consequences of a cyber or information security breach can be far-reaching. Reputational damage, significant financial penalties, a loss of confidence in the affected business and even a reduction in the service offering (as seen in the financial services sector when ATM networks go down) can have far-reaching consequences. This often negatively impacts share prices and commonly results in the loss of senior level executives or staff, who pay the price of ineffective security by losing their jobs.

Cyber security, in its broadest sense, is intrinsically linked to the subject of physical security and an holistic approach is required to understand security risks, threats and vulnerabilities. The same holistic approach is necessary to develop appropriate mitigation strategies.

Over the years, certain mitigation measures have become the standard approach used by designers and developers of Data Centres, but how those measures have been delivered has varied significantly. Whether those measures are still appropriate within the contemporary Data Centre environment, and whether they will still be relevant in the coming years, is presently a matter of conjecture.

Standards and the Data Centre environment

Industry and international standards have not kept pace with the development of the Data Centre world and it’s only in the past few years that physical security requirements have been defined more clearly. TIA-5017, which is referenced in the more widely-known TIA-942-B, makes recommendations on improving the physical security of the Data Centre. These include criteria such as CCTV requirements, access control levels and hardware as well as matters relating to site selection.

The EN 50600 collection of standards, first published in 2013, was developed to support the various parties involved in the design, planning, procurement, integration, installation, operation and maintenance of facilities and infrastructures within Data Centres.

Both standards are useful and need to be understood and delivered more widely than is presently the case.

There are many other standards that can be used to benchmark most areas of a Data Centre security operation, but currently they’re seldom used. These include physical security ratings for structures including fences, gates, windows, doors and building facades as well as operational security standards that specifically address the management of the facility.

Physical security considerations

All-too-often, physical security measures for Data Centres are considered in isolation and not aligned with either the prevailing threat and risk environments or a broader security strategy. A risk-based approach is essential for ensuring that the security measures applied are commensurate with the environment and appropriate tier level. Under-investing in appropriate security measures at a Data Centre during the development stage can become a significant obstacle to successfully letting the Co-Lo space in the future.

As security awareness grows and clients become more concerned about the security of their data, a Co-Lo with a good security posture and the ability to demonstrate the basis of its security and risk mitigation strategies will undoubtedly find it easier to attract tenants who are prepared to pay a premium for their space. We’re already observing this phenomenon and the bar is only set to go higher.

Facilities where security hasn’t  been taken seriously enough or where there’s no clear strategy in place are being overlooked in favour of sites where security (as well as all the other key attributes) are designed-in and mature in terms of their development.

Operational security

Security management, including maintaining a security guarding presence, can come with significant costs. Co-Lo landlords will understandably seek to minimise the site management overhead, and this can result is under-resourcing the security management capability.

Having a single security officer on site who manages reception and visitors, provides access for deliveries, organises engineering attendance and conducts numerous other tasks, all the while being expected to monitor and respond to security system events as well, probably isn’t doing any of those tasks consistently well.

Having invested, in many cases, significant amounts of capital to develop a Data Centre and deploy a range of physical security systems, it makes little sense not to monitor them correctly. Particularly so where the investment has been driven by risks, threats and vulnerabilities, it would be (at the very least) inconsistent to base capital expenditure upon risk-based intelligence and then use a completely different basis (such as operational costs) as the reason to not properly monitor the deployed systems.

Having procedures in place for the vetting and screening of individuals attending site should enhance a security operation, but the process needs to be delivered, managed and audited correctly in order for it to be effective.

This isn’t to advocate the loading of the operation budget with a significant security management overhead. There are ways to deliver operational efficiency while not necessarily compromising security, but these solutions need to be delivered in accordance with an Operational Requirement (OR) report that clearly links security systems to identified threats and risks. Conducting a risk, threat and vulnerability assessment at the earliest possible opportunity in the design process will help to ensure that security systems are fully optimised (providing not too much and not too little) and that they don’t incur further costs at some future stage.

Looking to the future

Data Centre owners and developers have responded well to capacity requirements driven by technological innovation. The ability to respond quickly to this spike in demand has been impressive and demand doesn’t appear to be waning. There are significant environmental questions about the amount of power required to sustain this proliferation. There are also logistical questions about the need for larger and larger data highways and the clustering that can occur where these fibre networks are accessed. These questions will generally find an engineering solution and are all part of a fast-moving industry that will continue to innovate as it evolves.

Jon Roadnight

Jon Roadnight

The issue of security however, falls under a different category. An intensifying need to secure data and the importance attached to offering security assurances are driving an increasingly more stringent selection criterion. Business enterprises are selecting Co-Lo’s that not only offer them a good business proposition in terms of their data hosting, but also demonstrate sound security credentials through certifications and successful audits.

A Data Centre that can demonstrate an effective security operation with security systems that have been deployed to address identified risks and threats will elevate itself above its competitors. A Data Centre that’s able to adapt over time and accommodate a range of client security strategies will continue to maintain its lead.

As the variations in engineering services and the buildings themselves diminish (which will occur given the industry’s increasingly prescriptive standards), potential clients will increasingly use other factors to decide where their data should be stored. Security has already been identified as a prominent part of Data Centres’ service offerings and it will become a more important differentiator as time goes on.

Jon Roadnight is Director of CornerStone

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts