How Secure is Your Data Centre?
BY MARTIN GRIGG
SECURITY CONSULTANT MARTIN GRIGG DISCUSSES THE VULNERABILITY OF MANY BUSINESSES RESULTING FROM LACK OF UNDERSTANDING OF THE REAL SECURITY RISKS THAT THEY FACE EVERY DAY
Martin Grigg is a principal consultant at PTS Consulting Group whose Physical Security division offers services including Threat and Vulnerability assessments. Martin, has over 20 years of experience designing innovative security solutions for organisations. He is also now chair of Data Centre Alliance Technical Council.
It is often reported that the average Londoner is recorded by a CCTV camera 300 times - and that is probably true throughout the country. But does this fact increase the security of your Data Centre? Does the myriad of access control systems and biometric readers really keep a Data Centre, its people, property and assets safe?
To answer these questions, we first need to consider what threatens our Data Centres and how likely it is any of these scenarios will affect us. Whether the risks are unauthorised use of equipment, illegal processing of data, data corruption, espionage, bombs, terrorists, electronic warfare or system sabotage, the risks need to be quantified.
A process of risk assessment should consider the risks associated with any specific security event. The assessment establishes the relationship between two equally important variables in the definition of risk; the likelihood of a security event occurring and the impact the event would have if it were to occur.
SIA-licenced security personnel, cameras and access control systems all play a part in protecting a Data Centre from local crime; but if put under scrutiny, they would often fail to protect the Data Centre from a crisis.
Effective risk assessments, mitigation and business continuity planning is essential in today’s climate of heightened security. The current threat level from international terrorism is ‘SEVERE,’ which means that the risk of a terrorist attack is highly likely. If a part of the country is disabled for a prolonged period of time, could your Data Centre continue to operate?
Many people believe that “It won’t happen to me,” or, “It’ll never happen here,’ yet we are often surprised by crime statistics and the horror stories of operations ceasing, and disruption to business activity. Surveys after the 9/11 attacks in the USA indicated that many businesses that were not directly involved in the physical destruction, failed to survive after the event.
But it does not have to be a major disaster to affect a Data Centre. The inside threat is always a problem. Low-paid staff can be a target for bribery to help with espionage or theft. A rogue or disaffected employee can cause significant damage if they have access to machinery, stock or data.
A secure Data Centre has security at its heart and in its culture. Employees should feel comfortable in the workplace, in the knowledge that security checks have been performed on all the staff and that everybody is happy to wear an identity badge. If a stranger is in the building, then staff should feel confident about approaching them and asking if they need help. Suspicious behaviour should be reported without any feelings of possible guilt. A well-rehearsed business continuity plan means that everybody knows exactly what to do if disaster does strike- in any form. All of these things indicate a secure Data Centre and emphasises the important role technology can play as well.
Upgrading access control systems to one where the card is encrypted and cannot be cloned will help reduce the risk of a deliberate attempt to breach your perimeter. Biometric readers such as fingerprint, palm vein and iris readers ensure that the person requesting access is the authorised individual and not just a person holding the card with the access rights. Here is a security professional’s mantra of “what you have, what you know and who you are”. If an area within your building is of a high security nature, then doubling up on identification technology is a good idea. “What you have” could be your access card. “What you know” could be a PIN number entered on a keypad and “Who you are”, Could be your fingerprint. Any combination of these is going to make it more difficult to compromise the system.
CCTV is a common form of security system, but it can lead to a false sense of security because if nobody is watching, all you are left with is an evidence-gathering tool which may be useful after the event, but that may not be enough. With the advent of IP security systems, it is possible to integrate CCTV with access control so that if an exceptional event occurs, then a security officer is notified with video verification. Modern security systems can also fit into the world of ‘Big Data’ and the ‘Internet of Everything’ which are the philosophies behind Intelligent Buildings that use information management to spot trends to either report on problems or predict an event.
In conclusion, Data Centre security is about planning both before and after an event. It is about mitigation through procedures and technology and it is about instilling a culture of security awareness in the company. It is my belief that many businesses fall short when it comes to security.