Confidentiality, Integrity and Availability (CIA) in a Physical World – Data Centre Physical Security.
A new market has boomed around the world and the currency is data. Globally, the data stored in data centres will quintuple to reach 915 EB by 2020, up 5.3-fold (a CAGR of 40%) from 171 EB in 2015. (Source: Cisco Global Cloud Index: Forecast and Methodology, 2015-2020).
Overall data centre workloads will more than double (2.6-fold) and cloud workloads will more than triple (3.2-fold) from 2015 to 2020, so there needs to be a corresponding rise in data centre physical security to match this demand.
Since the very first digital ‘virus’ was detected in the Advanced Research Projects Agency Network (ARPANET) in the form of the Creeper Virus in the early 1970s, the development of digital security practices against attack has been at the forefront of data security. At the same time, however, it has often been held that the physical security of the data has, shall we say, stalled.
In 2016, a power company in the United States hired a group of white hat hackers known as RedTeam Security to carry out a series of tests on its defences. A video of this can be seen at the base of this article, but in principle the key areas of exploitation at all the sites were:
Which prompts the question, “How can you stop the fox when it’s already in your hen house?” If we are always looking at the virtual threat, then we leave the door open for a physical attack. It is easy to deploy a digital attack inside a network if you can walk right up to a terminal. The ability to infiltrate this way instantly breaches all aspects of CIA; what would be the cost to your customers’ business if the data centre was simply ‘turned off’ from inside? Data breaches not only pose a significant threat to brand reputation, but will incur substantial fines (20m Euro or 4% of annual worldwide turnover, whichever is greater, far exceeding the current maximum of £500,000) once the General Data Protection Regulation (GDPR) becomes law on the 25th May 2018.
Whilst it would be simple to encase a data centre in an impenetrable surface with no doors and windows, in practice you need access so that the systems can be maintained and customers have uninterrupted access to their data. However, the second you have an ingress area, your data centre physical security is potentially weakened.
Data Centre Physical Security has to be treated as a layered approach, employing systems of defence that will deter, detect and delay any intruder who tries to access the data in the physical world. Ask yourself the following questions on your data centre physical security:
Deter – Does your physical perimeter offer a visual deterrent against attack?
Detect – Does your physical perimeter allow the detection of an attacker before they get inside your site?
Delay – Has your physical perimeter been tested to an industry standard to allow you to factor in the delay time of a sustained attack upon it?
The layer furthest from your data asset, but one of the most important, is your perimeter fencing system and access control. This is where the first question should be answered. Whilst aesthetics play an important part in the design statement these days, a perimeter fencing system has one very important role: to deter.
The majority of opportunist attacks can be negated by a fence line that acts as a physical barrier and makes the site look like a hard target rather than a soft target. As discussed in the video by RedTeam Security, the areas they attacked were soft targets. Soft targets invite an attempt at entry, which more often than not succeeds, whereas a hard target deters the attacker from attempting to gain entry at that point. Rigid Mesh such as the Securus SR1 system is a standout fencing system for deterring, as not only does it offer a secure design but the mesh apertures mean the fence is classed as an anti-climb panel. If it is hard to climb, additional climbing equipment will be required, which increases the chance of detection for the attacker and delays them in getting inside.
Whilst talking about delay, the use of a security rated fencing system allows the correct planning of active response. When we look at two of CLD Fencing Systems' products in terms of delay, the difference is noticeable in name alone. The Securus SR1 holds the LPS1175:7 SR1 rating from LPCB, whereas the Securus AC (SR2) holds the SR2 rating, which means it can provide an additional 2 minutes of certified delay against a physical attack. When we start to layer these with a sterile zone in between the perimeters, it can present a deadly delay time for anyone seeking to break into the data centre, even with the most dedicated tools.
Notably, having a secure perimeter works along almost the same principles as encasing the data centre in an impenetrable surface: you have to allow access control through it. Over the last 4 years, CLD Fencing Systems' research and development department worked on creating a world’s first in access control by designing, testing and having certified the first LPS1175 Security Rated Sliding Gate systems at SR1, SR2 and SR3. They are now the only company in the world to be able to offer an SR2 and SR3 version of access control in both swing and sliding variants.
If you have thought about deterring and delaying a potential attack, then you must be prepared to detect it when the worst-case scenario happens. Quality data centre physical security perimeter protection systems such as fencing and gates must be able to integrate with detection systems to provide effective perimeter intrusion detection system (PIDS) protection. In 2017, CLD Fencing Systems will be launching their brand-new detection system, the SV5000, which employs military grade detection and encryption hardware to inform your Alarm Receiving Centre (ARC) or security manager, anywhere in the world, of any attempt to breach the perimeter.
Using a remotely operated camera, the system allows imagery to be downloaded in an instant to identify and respond to both real and false alarms without the need for an initial manned response to the location. Solar powered, it has been designed to work in some of the more remote sites, with zero ground dig for power or transmission. So, when it comes to designing or upgrading your data centre, please consider how you are going to answer those three questions. Without effective planning and quality systems, the risk of failing to keep data confidential, uncompromised and accessible in the physical world is heightened. Make sure your Data Centre Physical Security meets the grade.