Protecting the keys to the kingdom: Assessing data centre risks

Protecting the keys to the kingdom: Assessing data centre risks

Data is the highest-value asset within a data centre facility and must be shielded. Terry King, Vice President, Security and Technology Consulting at Guidepost Solutions, explores the significance of threat assessments and layered security measures to fend off malicious entities, both physical and digital.

Terry King, Vice President, Security and Technology Consulting at Guidepost Solutions

Security, at its most basic element, is one of the most crucial aspects of a data centre facility. Along with power, conditioned air and real estate itself, security is not just an amenity, but a foundational component of a data centre’s critical infrastructure. The need to safely and securely store and process individual, company and public information is at the very heart of why data centres exist and why security is of the highest priority.

The impact of a physical or cybersecurity breach poses a grave threat, potentially crippling vital services, erasing or compromising financial data, or jeopardising critical health data when it is needed most. Just as societies have protected their most valuable assets over time – today’s data centres have become our literal keys to the kingdom and should be our most highly secured spaces.

The importance of location and TVRA in data centre security

While it can appear that data centres are popping up everywhere (and the requisite demand can certainly drive this mindset), the basis of securing our most critical information is formed in the actual location of the facility itself.

Whether it is the policy of the hyperscaler, the service provider, or a compliance-driven standard – where and how secure a data centre facility is driven by a Threat, Vulnerability, Risk Assessment (TVRA) – which defines all aspects of threats a facility might incur in a specific location.

The threats, such as poor site lines, neighbouring motorways, adjacent neighbours and short set-back distances, are measured against the vulnerabilities inherent in the design of the data centre itself. This combination of threats and vulnerabilities provides a data centre provider or a dedicated end-user with the risk profile for the site. All of which determines the approach and mitigation strategies of how to properly secure the property, the facility and ultimately the primary asset – information.

The approach: Layered security measures

Most data centres are predicated on the concept of a concentric circle approach in which multiple layers (or zones) of protection are defined physically, operationally and through strident processes and procedures. The approach ensures that each layer provides a higher level of defined security and stronger measures of deterrence throughout the facility. As a result, the most critical and important areas within the data centre environment are most secure and accessible to only those with the proper level of authorisation and clearances.

All of this is predicated on proven strategies of deterrence, detection, delay and defence. Each data centre will determine how they approach the tactics at and within each zone of intervention and what elements within their facility will be included in this layer – but the ultimate strategy is always based on this concentric process.

Physical threats

The physical elements, including anti-climb fencing, fortified entry/egress points and extensive camera and technology displays, are immediately apparent at any data centre location, providing a visible deterrent from the first layer. However, the physical electronic security components are but one aspect of a data centre’s layered strategy.

Beyond these robust and hardened elements, a data centre’s security programme is supported by the combined structure of operational staffing and rigorous policies and procedures. At each secured layer, individuals are challenged to confirm their identity, their authorisation, as well as the premise by which they will be visiting the site – as authorised guests with access rights to the space or as escorted visitors.

In all cases, the individuals who access a data centre are continually monitored through video surveillance, their access rights are managed through enterprise access control solutions, and areas that are off-limits are monitored and managed through a fully integrated security solution. Ultimately, the highest level of security presents the least number of threats to this area. Since people present the greatest, ultimate, risk – the goal is to minimise who has access to the data centre and to manage how much access is allowed.

Digital threats

The principles of layered security that apply to physical security also hold true for network security. Layers of security are applied through a multitude of solutions such as firewalls, encryption, authentication and authorisation. These elements, too, are predicated on monitoring and managing the informational traffic (incoming and outgoing) against any bad actors attempting a malicious attack on today’s most critical infrastructures.

For the average person, understanding the technology and solutions that protect our electronic environments can be difficult. Comparing this logical sequence to physical protection zones yields a very similar analogy. The goal, whether it is in the physical world or the networks themselves, is to mitigate any potential breach of the system.

Securing the data centre to protect global commerce

At the core of a data centre is the vital information entrusted for storage, archiving, processing and maintenance. This critical and confidential information is the lifeblood of today’s business. From the health of our economic markets to the health and well-being of individuals – the need for data centres will continue to grow at an exhaustive rate. Consequently, enhancing the safety and security of these data centres becomes imperative as threats from malicious entities evolve. Ensuring the secure management of this data is critical to maintaining the integrity of global commerce. Therefore, the design and development of a data centre must incorporate stringent security measures, from Threat and Vulnerability Risk Assessments (TVRA) to the deployment of comprehensive physical, operational and digital security strategies. As needs and threats develop, so too will the solutions to address them.

Browse our latest issue

Intelligent CISO

View Magazine Archive