These security standards go beyond the physical. Modern data centres must react to ever-expanding virtual threats while meeting the requirements of a range of compliance standards.
And, once a data centre has met the information security standards of today, it must be ready to react to the emerging threats of tomorrow. To do this, it must employ automation and security tools that allow an agile and adaptive security outlook, often meeting new challenges in real time.
There are many demands made of the modern data centre, including:
- Securing all assets behind robust layers of physical, virtual and compliance-based security measures.
- Providing continual and resilient services that can withstand many types of interruptions and failures.
- Securing key customer data in compliance with various regulations.
- Providing a range of cloud solutions, including private, multi and hybrid cloud environments.
To provide the services that customers need today, data centres must adopt the highest levels of data centre security.
What is data centre security?
Data centre security is the combined effort of securing vital assets using multiple levels of protection. To meet modern security industry standards, a data centre must secure physical access to its infrastructure, manage virtual threats, and meet the latest compliance standards.
What is at stake? First on the list is the critical data protection involved in storing customers’ digital assets. The average data breach cost companies around $5 million in 2022, with damage to reputation and trust costing far more. With so much data now stored in cloud infrastructure, data centres must play their part in securing these vital assets.
What are the common causes of data centre data breaches?
So, what are the most common data centre security threats?
Social engineering attacks - The first on the list is something every security team must consider: social engineering attacks. Proper data centre security measures involve training staff to spot social engineering, protecting physical and virtual assets from unauthorised access.
Malware infection - IT infrastructure must also be secured – as far as possible – against malware infection. Modern malware can do much more than infect one system, potentially spilling over to other assets. To protect against malware, data centre operators should train staff and implement a range of security tools and resources along with segmenting critical systems.
Weak, lost or stolen passwords - Perhaps the easiest way into any system is through weak or stolen user credentials. In fact, around 80 per cent of all business hacks come from insecure passwords. To protect against password misuse, all employees should be required to use multi-factor authentication and strong, unique passwords as a minimum.
Zero-day or application vulnerabilities - Vulnerabilities in network systems can give attackers a straightforward entry into critical assets. Security management should include the ongoing patching, upgrading and monitoring of all hardware and software to close any gaps as quickly as possible.
Physical attacks - Of course, it’s also essential to control who has physical access to a data centre. This should include multiple layers of protection, including perimeter controls, individual authentication and advanced security resources.
How to secure a data centre
No matter the data centre's size, many virtual and physical security measures should be in place. Likewise, compliance standards require the rigorous protection of specific assets.
Important compliance standards for data centres
At any time, a data centre may be required to demonstrate its compliance standards to authorities, stakeholders and customers. Establishing these key security standards is essential to keeping customer assets safe.
Data centre compliance standards can test the service provider’s credentials and certifications in many areas, such as data protection, cybersecurity and sustainability. There are various ways in which a data centre can prove compliance.
One example is achieving essential data centre compliance standards, such as System and Organisation Controls (SOC) audits. SOC reports give data centres credibility and are often a requirement before working with clients of a specific size or industry. They prove that the provider meets robust standards in many vital areas and can be trusted by its clients.
There are three primary SOC standards:
SOC 1: Achieving the SOC 1 compliance standard proves that strong financial and reporting controls are in place within a business. They’re a great way to grow trust with clients, showing that you secure and handle financial information to the highest degree. In a world of increasing data regulation and legislation, SOC 1 is another method of demonstrating your trustworthiness in handling sensitive data.
SOC 2: The SOC 2 compliance standard is an excellent level for a data centre to achieve. It demonstrates a range of trust signals to customers, including key physical, on-premises and cloud security controls. With a heavy focus on security, SOC 2 also covers the processing, privacy and integrity of data management. Overall, SOC 2 is a measure of critical data centre security controls based on the Trust Services Criteria.
SOC 3: The SOC 3 standard is the least common of the three, although it is still an important achievement for service providers working with the public. While it covers much of the same ground as SOC 2, there is a key difference. Data centres achieving SOC 3 compliance can freely distribute and market SOC 3 to a broader audience.
Other key compliance standards could include the following:
- ISO 27001 standard for meeting crucial information security measures.
- PCI DSS standard for accepting, processing and storing financial payment details.
- HIPAA standard for processing and storing healthcare information.
Data centre physical security
As well as reaching compliance standards, data centres must also build, maintain and upgrade their physical security measures. These actions should ensure that only authorised personnel enter the centre and that assets are protected from potential damage.
Data centre security levels can be thought of as multiple rings of protection. They begin outside the centre and gradually get closer to the physical computing resources.
An outside risk assessment should identify the following:
- Any potential dangers outside of the data centre. This includes local area risks, such as other industries or nearby facilities.
- The ongoing availability of critical resources such as water, power and network.
- The threat of natural disasters possible in the specific location, such as extreme weather, flooding or earthquakes.
These considerations can help make the location of a data centre as strong as possible. The next step is implementing data centre access controls for the facility itself. Such actions can include:
- Perimeter access controls: Using surveillance and security professionals, implement a strong data centre access policy around the facility. There should be a camera system, personnel checkpoints and measures to prevent intruders.
- Security controls inside the data centre: These should again be designed in layers, preventing access without multiple identification checks. Such checks can include multi-factor authentication, biometric checks, identification cards, data centre cages and more. Stricter data centre security should isolate individuals as they enter to prevent tailgating. Of course, physical computing resources should be behind multiple layers of protection inside the facility.
- Once access controls are in place, data centre security can consider how to provide continuous and uninterrupted power to resources. Also, consider any potential water damage, fire safety threats, or networking blockages. Data centre disaster recovery plans should always be in place in case an incident occurs.
Combined, these security controls can help physically secure assets from outside attacks.
Data centre virtual security
Finally, data centre security management must secure all virtual assets from outside attack. There are many tools and techniques to achieve this, although most systems will include firewalls, intrusion detection systems and data centre network security management systems.
A high-security data centre firewall can help protect devices held on-premises from outside interference, preventing unauthorised access to systems. Intrusion detection systems should monitor for any suspicious activity. All tools should then report to security apps or a management system for security professionals to examine.
Many further data centre security services exist, especially within cloud computing deployments. The crucial measure is to proactively prevent threats while reacting to new dangers. The information should be readily available to security teams, with data clearly presenting the essential details.
Interxion and data centre security
Next-generation data centres must do more than host resources. They must play a key role in protecting client assets, identify methods of maintaining service availability, and react to emerging and evolving threats.
There are many steps to achieving this. A strong security policy should involve both physical and virtual protections that prevent outside access to on-premises and cloud services.
Data centres should also demonstrate their protections by delivering a high-quality service, meeting compliance requirements, and continuing to improve. Data centre security is an ongoing challenge – and only those that evolve and learn from new challenges will be able to meet them.
At Interxion, our colocation data centres meet robust security standards. We implement multiple rigorous security layers – both physical and virtual – to protect clients’ critical assets. Learn more with our Security in the Data Centre whitepaper.