Data centre security: Where cyber meets physical

The UK’s data centres are an undisputed success story. Collectively, they underpin an internet economy that contributes to over 16% of domestic output, 10% of employment, and 24% of total UK exports. They are a physical manifestation of our digital economy and just as central to our economic prosperity as concrete or steel. Yet, several factors are heightening complexity for operators when it comes to staying on the cutting edge of data centre security while remaining compliant.

Consistent demand from customers for increased bandwidth means operators must anticipate future mergers, acquisitions, and expansion to new sites, leading to the convergence of existing security departments. Often, this also means inheriting various security technologies and processes that must be integrated to maintain a consistent picture of security operations.

Added to this is the need to keep on top of a growing volume of regulatory frameworks related to data privacy and information security. Meeting and demonstrating compliance with the stringent criteria of the General Data Protection Regulation (GDPR), SOC 2, and the ISO 27001 information security standard requires specific consideration of how physical security systems are configured and managed.

Finally, there is the threat of cyberattacks. Data centres are trusted to protect sensitive data on behalf of their clients. As businesses become more connected globally, bad actors are identifying new entry points into systems, and new cyber threats are becoming more sophisticated, which increases the scope for infiltration. To stay competitive, security teams must consider how to address both cyber and physical security in one plan.

So how can security operators centralise security, satisfy regulatory requirements and keep their business running at peak efficiency?

Cyber security is a shared responsibility

Data breaches are a global reality, impacting everybody, everywhere. Some are caused by weaknesses in an organisation’s virtual perimeter, for instance when hackers exploit software vulnerabilities to gain access to a connected system from the outside. Others rely on a breach of a physical perimeter, such as when a visitor can get inside the facility to connect a rogue device. In the case of the most sophisticated and targeted attacks, it’s common for criminals to probe for weaknesses in both realms until they discover the weak link that allows them to gain access, remain undetected, and exfiltrate sensitive data over a significant period.

This is why securing an organisation against cyberattacks cannot simply be delegated to IT or appropriately addressed within departmental silos that do not collaborate. Data centre employees, contractors, and visitors all periodically require access to restricted areas. Yet a failure to appropriately restrict, monitor, and audit access to physical servers instantly compromises any cybersecurity precautions that have been put in place. For example, IT professionals can rely upon monitoring tools to detect a USB device being connected to a server.

However, it is only by integrating such an alert with the operator’s video management system that security teams can be put in a position to quickly respond. Having instant access to the associated video footage in that part of the facility makes it far easier to quickly ascertain who was responsible before it is too late. HR, physical security and information security professionals within a data centre environment all share a common goal of supporting the business and mitigating risk. They exist in a symbiotic relationship as none can succeed without effective teamwork with colleagues in other departments.

Centralise compliance, security, and operations

The ability to easily keep track of who had access to what and when, who granted it and why, has benefits far beyond the security function. It sits at the core of satisfying regulatory requirements and ensuring the smooth flow of people throughout the facility. Commonly, there are a significant number of people and steps involved in granting access to a room or rack and, if authorisation relies upon manual intervention in the access control system, there is a lot of room for mistakes.

Social engineering is therefore often used by criminals as a means of getting inside a data centre facility. Making use of a physical identity and access management solution that bridges physical and IT security to automate the workflow removes the potential for human error while also delivering associated cost efficiencies. That is why operators should invest in and rely upon a scalable and unified security platform that takes into account the requirements of users within and outside of the physical security function. There are many other ways in which centralisation can enhance security and streamline compliance operations.

For example, centralisation makes it easier to set expiry times for contractor passes and to automate the generation and sharing of audit reports so that any irregular activity is quickly brought to light. Automation is key as these activities are easy to specify but difficult to consistently carry out if manual intervention is required. Pooling resources and expertise from across the business allows for the specification and deployment of a common platform with greater capabilities than any one function could hope to develop in isolation. It simplifies day-to-day operations and prevents future headaches surrounding overlapping systems that create operational blind spots through a failure to integrate.
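The USB alert scenario from the previous section and the contractor pass expiry point above can be combined in one triage step. The following is an added example, not code from the article or from any vendor product; the event formats, zone names, pass IDs and camera IDs are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed badge events: (timestamp, zone, pass holder, direction).
BADGE_EVENTS = [
    ("2024-03-05T09:02:00", "hall-2", "E1001", "in"),
    ("2024-03-05T09:40:00", "hall-2", "E1001", "out"),
    ("2024-03-05T10:00:00", "hall-1", "E1003", "in"),
    ("2024-03-05T10:15:00", "hall-2", "C2040", "in"),
    ("2024-03-05T10:20:00", "hall-2", "E1007", "in"),
    ("2024-03-05T11:00:00", "hall-2", "E1007", "out"),
]
# Constructed pass expiry times; C2040 is a contractor pass that lapsed the day before.
PASS_EXPIRY = {
    "E1001": datetime(2025, 1, 1), "E1003": datetime(2025, 1, 1),
    "E1007": datetime(2025, 1, 1), "C2040": datetime(2024, 3, 4, 18, 0),
}
# Constructed mapping of zones to the cameras that cover them.
ZONE_CAMERAS = {"hall-1": ["cam-11"], "hall-2": ["cam-17", "cam-18"]}

def occupants_at(events, zone, when):
    """Replay in/out events for one zone up to `when`; return who is still inside."""
    inside = set()
    for ts, ev_zone, holder, direction in sorted(events):
        if ev_zone != zone or datetime.fromisoformat(ts) > when:
            continue
        if direction == "in":
            inside.add(holder)
        else:
            inside.discard(holder)
    return inside

def triage_usb_alert(alert, margin=timedelta(minutes=5)):
    """Attach physical context to a USB-connected alert from server monitoring."""
    when = datetime.fromisoformat(alert["time"])
    present = occupants_at(BADGE_EVENTS, alert["zone"], when)
    # A holder with no pass record, or a lapsed pass, should not have been admitted.
    invalid = sorted(h for h in present
                     if h not in PASS_EXPIRY or PASS_EXPIRY[h] < when)
    return {
        "host": alert["host"],
        "present": sorted(present),
        "invalid_pass": invalid,
        "cameras": ZONE_CAMERAS.get(alert["zone"], []),
        "clip_from": (when - margin).isoformat(),
        "clip_to": (when + margin).isoformat(),
    }

if __name__ == "__main__":
    # Constructed alert, shaped as a monitoring tool might emit it.
    print(triage_usb_alert({"host": "srv-0412", "zone": "hall-2", "time": "2024-03-05T10:31:00"}))
```

The result gives the responder the people badged into the hall at the time of the alert, any pass that should already have expired, and the camera clips to pull.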

Physical security systems can be a cybersecurity risk

A final reason to address cyber and physical security in a single plan is the possibility that attackers could use the physical security systems themselves as potential entry points to the network. Over 90% of all IoT attacks go through routers and connected cameras. Security cameras, access control readers and alarm panels are all IoT devices that run software and may contain cybersecurity vulnerabilities that can be exploited by attackers. Yet many of the risks could be eliminated simply by taking basic steps such as ensuring they are running on the latest version of the firmware and not using default passwords.

These devices are a shared physical and cybersecurity responsibility, and one that could easily result in avoidable unplanned downtime. While the automated updating of core business systems and devices is a key concern of the IT function, it is not always front of mind for physical security professionals. Genetec data reveals 68% of cameras trying to connect to its systems are typically running out-of-date firmware. Of these, more than half involve known vulnerabilities for which a security update is available.

It’s a situation that needs to change fast and that can only be resolved by removing the burden from employees and leveraging automation to manage the firmware and passwords. Only then can organisations hope to build a resilient cyber-physical security framework from which to operate.

Future thought

Data centres must keep up with evolving regulations and security threats while ensuring their customers’ needs are always met. With its ability to unify and centralise all of these considerations, a physical security platform should be considered integral to reaching these goals. It should be designed to reduce security risk (both cyber and physical), improve decision-making, and enhance compliance. No matter how the organisation grows, or how the threat landscape evolves, it should be flexible enough to evolve in line with future needs.
