Comment: Physical Security in a Digital World

Neal believes 'the real world' is the weak link in the digital security chain
Simon Neal, The Bunker

As the EC urges member states to establish Computer Emergency Response Teams by next year to defend Europe against large-scale cyber attacks, the online threat to business has never been greater.

While government and defense sites are an obvious target for hackers, the private sector is just as vulnerable to attack as a way of destabilizing economies. With companies increasingly on the frontline of today’s cyber war, the UK government has already called on businesses to play their part in defending the country against the online threat.

Many companies have already realized they can’t protect their digital assets alone, and have outsourced servers and core infrastructure to managed service providers (MSPs) – and Gartner predicts that this trend will accelerate rapidly as business continues to embrace cloud computing.

But is outsourcing really the end to the security problem? MSPs will highlight their readiness to respond to a myriad of cyber attacks – but even in the 21st century, that’s still only half the story. Companies’ digital assets still exist in the physical world of data centers – and it’s here that they’re at their most vulnerable.

Recent high-profile break-ins at data centers run by Vodafone and O2 bear out this point – both caused mobile network outages, but could just as easily have seen e-commerce sites go down or confidential databases compromised if the servers had been holding different information. The question this raises is clear: if something as central to our digital lives as the mobile networks can be affected in this way, what else is at risk from physical attack?

This highlights an often neglected but no less important issue that threatens business in cyberspace – the ‘real world’ insecurity of the infrastructure running the digital economy.

While most MSPs and data center providers can offer excellent digital protection, with multiple firewalls and hardware security modules, the other key aspects of data security – physical and human – are often lacking. Even if a provider’s digital security is strong, the easiest way to ‘hack’ a data center remains physical infiltration, where servers can be physically attacked from inside the data center, or even removed.

Theft is also a big problem because it’s not uncommon for a single rack in a data center to hold up to £1m of equipment, while the high price of copper means that cables and wiring are also now a top target for criminal gangs.

Other physical threats to data centers include fire, flooding and subsidence, all of which could damage equipment or cause power and connectivity outages. Human error or accidents are also a potential weak point for data centers; for example, an unescorted customer unplugging cables that affect other customers’ services.

For the increasing number of companies and organizations that require their data to be ‘ultra secure’, it is important to ask some very hard questions of the data center provider. So what are the key aspects of physical and human security that need to be considered when choosing a data center?

First, there is the structural integrity of the buildings and site from where the provider operates. A common problem with many data centers is their warehouse-style buildings with drop ceilings and raised floors to accommodate cabling, which also provide a handy crawl space for an intruder to access the data floor unseen. Check exactly where the concrete walls and physical perimeter actually begin and end.

Door locks and keypads are also often surprisingly flimsy, with easily picked locks retro-fitted to existing doors rather than specialist biometric or badge-based systems operating in tandem with a secure turnstile or rotating door.

Second, there is the issue of location. While, for instance, it might feel convenient having a data center in the heart of London, think about this in a security context: the capital is an obvious target for terrorism, while mega-events such as the 2012 Olympics will result in power fluctuations and limitations.

Similarly, other locations might be prone to flooding or subsidence, or vulnerable to physical attacks such as ram raiding.

Third, there are the human processes around security practiced by the data center:

  • Does the provider require all visits to be pre-booked and verified with a photo card ID?
  • Are security guards in place 24/7 who are actively engaged in the security procedures?
  • Are all customers accessing the data floor escorted at all times?
  • Are all requests for remote hands work verified first?
  • Does the HR department run stringent, independent checks on all personnel?
  • Are the data center’s processes and facilities regularly audited as part of recognized security certifications, such as ISO 27001?
  • Have staff been trained in recognizing potential social engineering strategies, where intruders gain entry to the data center by pretending to be somebody else or exploiting people’s natural goodwill?

Additionally, the data center provider must maintain its core services – facilities, power, cooling, network – with an effective information security management system (ISMS) to ensure that changes are not made to the core services without a prior security risk assessment and peer review. It’s also important to check that the data center provider has a business continuity plan itself.

Both terrorists and criminals have already identified the real world as the weak link in the digital security chain that is supposed to protect our business and communications interests. So while it might sound like a contradiction in terms, it seems certain that physical security will become increasingly important to keeping the virtual world up and running.

Simon Neal is chief operating officer at The Bunker. As one of the founding members of the UK Data Centre and Colocation scene, he possesses an unrivalled knowledge of the data center market. Neal has previously held a variety of senior positions in the industry, including European sales manager and later managing director of Redbus Interhouse, now Telecity/Redbus’ UK operations. He also holds a number of qualifications in data communications, network topologies and high-voltage and DC power.
