The development and proliferation of the global Data Centre industry over recent years has been nothing less than incredible. A bubble that many experts expected to burst in the early 2000s has, in fact, grown exponentially since that time. Driven by the movement of data from private corporate servers to cloud-based solutions, coupled with a growing corporate interest around Internet of Things (IoT) initiatives, corporate demand continues to grow and, asserts Jon Roadnight, there’s no sign of a slow-down. Indeed, with data consumption skyrocketing, major cloud service providers are anticipating the need to triple their infrastructure by 2020.
One of the major beneficiaries of this growth has been Data Centre service providers with a co-location proposition. A ‘Co-Lo’, as these Data Centres are known, is a facility in which tenants are able to rent space to accommodate anything from a single server blade with negligible power requirements up to multiple, complete data halls requiring many megawatts of processing power. The Data Centre provider is, in effect, a landlord who provides a facility that generally delivers five key services to each of its tenants: a managed building facility, access to diverse data networks, power, cooling and security.
If you take a moment or two to consider the type of information now routinely housed within these giant data warehouse facilities, it’s little wonder that security is seen as a key ingredient of a high-quality Data Centre operation. Governments store much of our personal data, including National Insurance and HMRC records, within Data Centres. Many financial institutions operate on systems housed in Co-Los and, while the Security and Intelligence Services, the military, the courts and Her Majesty’s Prison Service, etc. have their own dedicated Data Centres, cloud-based strategies across all sectors will continue to blur the lines between dedicated and co-located facilities. While we can appreciate the need to secure all of the associated data in those areas, the new technology industries are going to present challenges that are only now being fully considered.
By way of an example, the race to develop ‘driverless’ vehicles has, on the face of it, little to do with a Data Centre. However, the processing capacity needed to provide the tracking, monitoring and guidance systems that facilitate this technology is already being built, and large aspects of the infrastructure will be housed within Data Centres. Who would have guessed a few years ago that technology would revolutionise the world of private hire taxis? Yet Uber (full name: Uber Technologies Inc) is seen very much as a technology giant and its operation is very largely Data Centre-based.
While most Co-Lo operators use a risk mitigation approach to Data Centre management, let’s concentrate here on looking specifically at the subject of security risk management and highlight some of the areas that need further attention when it comes to Data Centre security.
Security: one of the key elements
In an age where the subject of data security has become so emotive, it’s right that security is seen as one of the key elements of a Data Centre. The subjects of cyber and information security have grown in prevalence in line with the growth of Data Centre numbers and there appears to be an increasing appreciation that the consequences of a cyber or information security breach can be far-reaching. Reputational damage, significant financial penalties, a loss of confidence in the affected business and even a reduction in the service offering (as seen in the financial services sector when ATM networks go down) can all have serious consequences. This often negatively impacts share prices and commonly results in the loss of senior level executives or staff, who pay the price of ineffective security by losing their jobs.
Cyber security, in its broadest sense, is intrinsically linked to the subject of physical security and an holistic approach is required to understand security risks, threats and vulnerabilities. The same holistic approach is necessary to develop appropriate mitigation strategies.
Over the years, certain mitigation measures have become the standard approach used by designers and developers of Data Centres, but how those measures have been delivered has varied significantly. Whether those measures are still appropriate within the contemporary Data Centre environment, and whether they will still be relevant in the coming years, is presently a matter of conjecture.
Standards and the Data Centre environment
Industry and international standards have not kept pace with the development of the Data Centre world and it’s only in the past few years that physical security requirements have been defined more clearly. TIA-5017, which is referenced in the more widely-known TIA-942-B, makes recommendations on improving the physical security of the Data Centre. These include criteria such as CCTV requirements, access control levels and hardware as well as matters relating to site selection.
The EN 50600 collection of standards, first published in 2013, was developed to support the various parties involved in the design, planning, procurement, integration, installation, operation and maintenance of facilities and infrastructures within Data Centres.
Both standards are useful and need to be understood and delivered more widely than is presently the case.
There are many other standards that can be used to benchmark most areas of a Data Centre security operation, but currently they’re seldom used. These include physical security ratings for structures including fences, gates, windows, doors and building facades as well as operational security standards that specifically address the management of the facility.
Physical security considerations
All too often, physical security measures for Data Centres are considered in isolation and not aligned with either the prevailing threat and risk environments or a broader security strategy. A risk-based approach is essential for ensuring that the security measures applied are commensurate with the environment and appropriate tier level. Under-investing in appropriate security measures at a Data Centre during the development stage can become a significant obstacle to successfully letting the Co-Lo space in the future.
As security awareness grows and clients become more concerned about the security of their data, a Co-Lo with a good security posture and the ability to demonstrate the basis of its security and risk mitigation strategies will undoubtedly find it easier to attract tenants who are prepared to pay a premium for their space. We’re already observing this phenomenon and the bar is only set to go higher.
Facilities where security hasn’t been taken seriously enough or where there’s no clear strategy in place are being overlooked in favour of sites where security (as well as all the other key attributes) is designed-in and mature in terms of its development.
Security management, including maintaining a security guarding presence, can come with significant costs. Co-Lo landlords will understandably seek to minimise the site management overhead, and this can result in under-resourcing the security management capability.
A single security officer on site who manages reception and visitors, provides access for deliveries, organises engineering attendance and conducts numerous other tasks, all the while being expected to monitor and respond to security system events as well, probably isn’t doing any of those tasks consistently well.
Having invested, in many cases, significant amounts of capital to develop a Data Centre and deploy a range of physical security systems, it makes little sense not to monitor them correctly. Particularly so where the investment has been driven by risks, threats and vulnerabilities, it would be (at the very least) inconsistent to base capital expenditure upon risk-based intelligence and then use a completely different basis (such as operational costs) as the reason to not properly monitor the deployed systems.
Having procedures in place for the vetting and screening of individuals attending site should enhance a security operation, but the process needs to be delivered, managed and audited correctly in order for it to be effective.
This isn’t to advocate the loading of the operation budget with a significant security management overhead. There are ways to deliver operational efficiency while not necessarily compromising security, but these solutions need to be delivered in accordance with an Operational Requirement (OR) report that clearly links security systems to identified threats and risks. Conducting a risk, threat and vulnerability assessment at the earliest possible opportunity in the design process will help to ensure that security systems are fully optimised (providing not too much and not too little) and that they don’t incur further costs at some future stage.
Looking to the future
Data Centre owners and developers have responded well to capacity requirements driven by technological innovation. The ability to respond quickly to this spike in demand has been impressive and demand doesn’t appear to be waning. There are significant environmental questions about the amount of power required to sustain this proliferation. There are also logistical questions about the need for larger and larger data highways and the clustering that can occur where these fibre networks are accessed. These questions will generally find an engineering solution and are all part of a fast-moving industry that will continue to innovate as it evolves.
The issue of security, however, falls under a different category. An intensifying need to secure data and the importance attached to offering security assurances are driving increasingly stringent selection criteria. Business enterprises are selecting Co-Los that not only offer them a good business proposition in terms of their data hosting, but also demonstrate sound security credentials through certifications and successful audits.
A Data Centre that can demonstrate an effective security operation with security systems that have been deployed to address identified risks and threats will elevate itself above its competitors. A Data Centre that’s able to adapt over time and accommodate a range of client security strategies will continue to maintain its lead.
As the variations in engineering services and the buildings themselves diminish (which will occur given the industry’s increasingly prescriptive standards), potential clients will increasingly use other factors to decide where their data should be stored. Security has already been identified as a prominent part of Data Centres’ service offerings and it will become a more important differentiator as time goes on.
Jon Roadnight is Director of CornerStone