Most discussions on data center security tend to focus on the use of technology as the primary defense against cyberattacks. And, certainly, digital protections such as endpoint detection and response solutions do play a critical role. However, whether your data center is maintained on your company’s premises or you have moved digital operations to the cloud, having controls in place that detect or keep bad actors from physically accessing are a necessity.
Consider the following situation. An organization noticed a spike in electricity consumption at its satellite located offshore. Among the initial concerns was the possibility that cryptomining malware had infected that site’s servers. They were right, but the culprit was not a digital bug, it was a result of physical security lapse. Their local IT person, who had purchased the servers citing a legitimate business reason, had installed row upon row of cryptomining rigs instead of hard drives. Through further investigations, it was uncovered that he was able to mine several bitcoins with an estimated value of more than $500,000.
This fraud underscores why physical security continues to be highly relevant, and essential, to modern data center security. With emerging trends like big data and the advent of internet and cloud-based computing, businesses are enticed to place more of their operations outside of traditional IT infrastructure and into data centers, where there are greater demands on physical security.
Look at Business Resilience and Data Security in Tandem
When making the move to a third-party data center. Companies typically look at a provider’s ability to deliver on two key elements: business resilience (data availability) and data security. However, companies too often consider each factor independently of the other and do not fully understand the vital synergies between the two.
From a business risk point of view, we advise clients to investigate how resilience and security work together in a provider’s service offering. For example, companies should identify from the start who is providing the service and how the data center is structured.
A security threat assessment is essential when designing, building and maintaining a data center or when engaging with a third-party data center provider. The center must be able to withstand everything from corporate espionage and low-level thieves to terrorists and natural disasters. By identifying areas of potential threat, a business can enable decision-makers to specify a range of cost-effective and practical countermeasures.
Navigating Competing Security Criteria and Real-world Deliverables
Currently, there are various industry bodies that publish data center standards using different criteria in their assessments. Many data center providers are “aligned to” rather than “certified according to” these standards. Very often, these bodies use a simple tiered rating, which is enhanced with additional terms designed to improve the marketing potential of a data center.
However, understanding the real benefits and risks associated with these terms can be difficult. Unfortunately, there is currently no comprehensive industry standard for security, so it is not unusual to see very inconsistent levels of security performance between different providers.
Data center security is about minimizing risk and maximizing operational uptime. In the digital world today, information is the new currency. Any data loss or system downtime can potentially have very high associated costs. One thing we can be sure of is that criminals are always looking out for opportunities to steal data or create havoc by disrupting critical infrastructure. If operators are to deliver on evolving customer expectations and needs, physical security must be a primary facet of information security programs.
How a Physical Security Expert Can Help
A physical security expert, such as Kroll, can advise on data center physical security and assess how well a data center can meet a client’s needs from both a performance and risk perspective. In cases where we have highlighted the need for improvements, we have worked with data center providers and clients around the world to improve their overall information security and resilience.
This article was originally published in In-House Community.