In this article Farsight looks at the rise of data centres in the UK, the security threats they face and outlines the five pillars of physical data centre security.
Over the past few years, data has become an integral part of the way we all live in a digital age. This has driven our reliance on the operations of data centres (AKA co-location centres) which have become vital to the functioning of our economy. In fact, the movement of data generates £174 billion in the U.K. according to the Confederation of British Industry.
It has been said that ‘data is the new oil’. It is little wonder that data centres are a growing sector within the construction market – the more we use our digital devices, the more servers are needed to process that information and the more data centres are required to house them. Consequently, there are ever growing numbers of hyper-scale data centres springing up all over the UK. Construction News estimates these were worth 1.14 Billion to the construction industry in 2020.
The UK boasts the largest data centre market in Europe and we estimate there to be as many as 250 data centres (and co-location centre) around the UK. However, strictly speaking a data centre can be described as a building or dedicated space within a building that is used to house computer systems and associated components, such as telecommunications and storage systems.
Based on that definition, we can add the c.40,000 small businesses with server rooms within their buildings to that number, plus another c40,000 for non-business IT organisations which includes public sector server rooms like local authorities, emergency services and educational establishments (source). That amounts to 80,000+ ‘data centres’ of varying sizes across the UK holding and needing to protect valuable data.
Data centres are generally categorised in tiers, with small businesses at Tier 1, through to the new Tier 5 category for enterprise corporations and hyper-scale data centres. The tier system is dependant on many factors including uptime, allowed downtime, outage protection levels and redundant capacity components. Tier 3+ are generally more efficient and secure.
Whether a hyper-scale data centre or a small business owner operated data centre, physical security has never been so important to keep your site, assets, data and people safe.
There’s a lot of data centres out there, but how secure are they?
Data is at the heart of any business and keeping it secure is a core responsibility. You don’t have to scan the news media too hard to see why security is so important to data centres in particular.
Around 65,000 attempts to hack small- to medium-sized businesses (SMBs) occur in the UK every day, around 4,500 of which are successful. Gov UK’s Cyber Security Breaches Survey 2020 shows that the threat from cyber security threats has increased with 68% of medium sized businesses and 75% large businesses reporting having security breaches or attempts.
With UK data centres responsible for storing billions of pounds worth of data on their servers, the responsibility to protect this data is a big one. Clearly, the importance of employing the right cyber and physical strategies are crucial to work harder to avoid these types of headlines…
What is the cost data breaches?
Data breaches cost UK enterprises an average of £2.8 million per breach, according to IBM and Ponemon’s Cost of a Data Breach study. Reputational damage, regulatory fines and customer churn make data breaches make extremely costly.
When it comes to reputation damage, Forty-four percent of UK consumers claim they will stop spending with a business temporarily after a security breach, and 41% claim they will never return to a business post-breach. For smaller organisations this can be disastrous to their business continuity – placing firm emphasis on the importance of data centre security which must to protect them against breaches from cyber attacks and also from physical ones.
To ensure this happens, in March 2020, Gov UK published its legal and regulatory framework – the Security standard SS-018: Network Security Design. This document includes expected standards across network and physical data centre security requirements.
What are the most common causes of Data Breach?
Sutcliffe & Co. Insurance Brokers recently outlined the most common causes of data breach, as follows:
- Weak and Stolen Credentials – A.K.A. Passwords
- Back Doors, Application Vulnerabilities
- Social Engineering
- Too Many Permissions
- Insider Threats (Physical)
- Physical Attacks (Physical)
- Improper Configuration, User Error
Physical data centre security has never been so important
Data centres are vulnerable to many forms of breach – other than cyber attacks. It is not just physical break-ins, theft and unauthorised entry that Data centre security security must guard against either – insider breaches can happen too. In fact, IT leaders and data centre employees were surveyed about data risk and a whopping 75% think that employees have put data at risk intentionally.
Taking the time to develop a coherent, holistic, risk based and proportionate security strategy, supported by effective governance structures, is essential in ensuring success. Too often when protective security is applied in an ad hoc, siloed and unstructured manner valuable resources are wasted with limited impact on security risk reduction.
The CPNI (Centre for Protection of National Infrastructure) provide advice in two key areas that help form the framework for the effective management of protective security: Leadership and Governance and Security Risk Assessment.
What are the five pillars of ‘physical’ data centre security?
To successfully plan and implement a data centre ‘physical’ security strategy, a holistic, multi-layered approach to physical security should be considered. Based on our many years’ experience in protecting businesses with our marketing leading remote security monitoring services within the data centre sector, Farsight outlines the fundamental layers of protection to consider. These are as follows, which form the five pillars of data centre security…
1. Protect Outside the Boundary Perimeter
Keeping unwanted or unauthorised visitors out of your data centre is the first step in preventing physical security breaches at any time whether day or night. The objective is to be able to detect, verify and deter if necessary.
Security measures to be considered at this first layer of protection include:
Installing CCTV cameras allows trained CCTV security operators to have eyes on your boundaries 24/7 365. They are alerted at the approach of any potential threat to your site – an essential frontline ‘first’ defence measure to enable visual verification giving the opportunity to identify the threat early and follow pre-defined protocols in responding to it – detect, verify, deter as necessary.
CCTV Audio Warnings
Including audio equipment with installed CCTV systems is often overlooked, but this add an important and effective level of security. CCTV operators can issue live audio deterrent warnings to alert would be intruders to the fact they are being monitored in real time and their next actions will be observed and recorded and if necessary blue light services will be called in.
Access points into your site from outside the boundary perimeter should be protected to control who comes and goes. Security gates and barriers can be operated remotely whilst being monitored by guards or remotely by CCTV access control operators with visual and two way audio communication. This allows complete control to prevent unauthorised entry, whilst staff can use keypads/swipe cards to gain authorised access.
Gates & Fences
HVM (Hostile Vehicle Mitigation) gates and bollards to prevent vehicle breach, along with mesh composite fencing that incorporates anti-climbing features but crucially still allows CCTV monitoring operatives to have visibility of threats outside the perimeter.
Using the correct security lighting is important not only as a deterrent to would be intruders, but also to allow CCTV operators to see what is happening at your boundary perimeters. See why security lighting makes all the difference here.
Visible security warnings should be displayed to notify that the site is private property and no unauthorised entry is permitted.
2. Protect The Premises Within The Boundary Perimeter
This second layer of physical data centre security is where the ability to identify and track all movement in the zone is crucial.
Security measures to be considered at this second layer of protection include:
Passive Infra Red detectors or thermal detectors will pick up movement in the zone, allowing PTZ (Pan, Tilt. Zoom) CCTV cameras to zone in to specific areas within the ‘closed’ site and/or patrol the site ensuring nothing is missed by the CCTV security operators 24/7. See how Farsight’s remote CCTV monitoring works in the video below:
Whilst visually tracking an intruder, audio warnings delivered by the CCTV operator can be particularly effective in deterring incidents from progressing further.
In some cases, where drones may be used, to protect from the air radar surveillance can be used to keep a look at your premises too.
It is important that there is adequate lighting, so there are no dark areas to hide in. In some areas where light pollution restrictions may be in place, either event activated lighting can be an option, or there are many CCTV camera systems available with built in lighting options such as thermal video imagery.
3. Protect the Data Centre Structure Itself
The third layer of data centre security is protecting against entry to the actual building and access point within the building. Surveillance and security access points allow you to monitor and control access points to make sure only approved visors can gain access.
Security measures to be considered at this third layer of protection include:
Fire & Intruder Alarm systems
These are crucial in not only protecting from unauthorised entry, theft and damage, but also from fire. Alarms signalling can also linked to CCTV monitoring for an extra of safety, where alarms can be visually verified by CCTV operators who can remotely patrol the building, Visual verification of intrusion or fire can also raise the priority given to an incident by emergency services responders – which is crucial in the face of disaster striking when every second counts.
Strategically placed CCTV cameras, which can be monitored remotely, will ensure visual protection at entry points and key access areas within the building to keep watch and identify potential threats.
Control Key Access Points
Key entry points should be protected to restrict access unauthorised personnel to important areas within the building. These measures can include a range of considerations such as man traps, turnstiles and keypad entry systems to name a few.
4. Protect the Server Room Itself
The next layer of protection in data centre security is to protect the server room itself. Once inside, data is accessible and movements inside need to be monitored closely.
Security measures to be considered at this fourth layer of protection include:
Multidirectional cameras allow you to detect all activity, while speakers along the wall can announce and deter any potential threat.
Speakers mounted along the walls can announce and deter any potential threat that may be observed or indeed to verify the authority to be there in the first place.
5. Protect the Data Itself
The last line of defence for data centre security is protecting the data itself. Control access to the data racks is critical.
Security measures to be considered at this fifth and final layer of physical protection include:
Monitor Cabinet Doors
Modular cameras systems within the racks can keep track of open cabinet doors, or other unexpected activity.
Smart tech allows security across (not just this layer but all the layers) to interact and communicate with each other, granting easy access and control from within the data centre or from a remote location such as Farsight’s central monitoring station.
Let’s Talk about Your Data Centre Security
If you would like to discuss protecting a data centre or want to find our more about how Farsight’s range of remote security monitoring services could bolster the protection layers of your data centre security – whether a big hyper-data centre or small data server room, let’s talk. Either call the Farsight team on 0845 371 0101 or drop us a line in the form below…