Data centres: Are we underestimating physical risk?
Wed 10 Aug 2016
The Data Centre Alliance (DCA) is committed to developing and improving the standards of the data centre infrastructure sector and, as the sector booms, security standards have never been more important. In 2015, the data centre market in the U.S. alone was valued at just over $115 billion, and it continues to grow at a rate of 6-8% yearly. The British, European, Indian, and Nordic markets are also experiencing unprecedented growth, and a 2015 report by 451 Research counted more than 4.3 million data centres worldwide. The sector’s growth trend is clear, but it is also clear that great opportunities are being accompanied by great risks.
As the new vice-chair of the DCA Security Committee, I am extremely pleased to have a role in helping the data centre sector accurately assess its current and future threats and risks. Only with an accurate understanding of the security challenges facing the sector can we hope to develop and improve our physical security standards to ensure that the sector realises its full potential.
The data centre sector adds value to increasingly technical customers and industries by helping them to ensure that their data remains confidential, safe from tampering, and accessible to authorised users on demand. To date, the single greatest threat to the confidentiality, integrity, and accessibility of data stored in data centres worldwide stems from hacking and other online cyber-criminal activities.
Research suggests that between 25% and 33% of information breaches at data centres are due to the actions of hackers remotely unleashing malware on vulnerable computers and servers. But Navigant’s latest Information Security & Data Breach Report suggests that the remaining 66-75% of information breaches stem from more ‘hands-on’ activities including the outright theft of servers and hardware, unauthorised access or use of computers and servers, and damage caused by the loss and/or improper disposal of equipment. These latter types of breaches are significant because, together, they constitute the majority of information breaches.
Financial losses caused by physical breaches ($11.5 million yearly) are also about 50% higher than those caused by hacker breaches ($7.7 million yearly). Finally, all types of physical breaches share one thing in common: they occur as a direct result of perpetrators finding and exploiting weaknesses in data centres’ physical security standards.
Threats posed by hackers are rightfully receiving a great deal of attention; but governments and commercial industry leaders alike are becoming increasingly concerned about evidence that suggests physical security standards across the data centre sector are lagging. These concerns are being driven by perpetrators who are increasingly taking advantage of weaknesses in data centre physical security processes, policies, and procedures.
Rakesh Panda, a senior analyst at Technavio, suspects that physical security breaches in data centres are nearly 10-12 times higher than companies are actually reporting to the general public. Accurately tracking physical security breaches is difficult, however, because losses are often opaquely reported as ‘data theft’, which can be interpreted in a variety of ways. Due to media publicity and reporting trends, many people equate data theft with hacking, erroneously underestimating the extent to which low physical security standards might have facilitated loss.
From a physical security perspective, common criminals pose the greatest threat to data centres. Not only have money-motivated criminals demonstrated both the intent and ability to steal and destroy information-laden equipment thought to be ‘safe’ within ‘high-security’ data centres worldwide, but they have also exposed weaknesses that other perpetrators with even more damaging agendas might try to exploit.
Within the past 10 years, exemplary criminal attacks at major data centres have ranged from opportunistic to shockingly brutal. In 2015, the theft of a storage device from a Royal Sun Alliance data centre exposed thousands of Lloyds TSB customer names, addresses, bank accounts and sort details.
In 2011, theft and vandalism occurred at both O2 and Vodafone data centres resulting in tens of thousands of customers losing access to services while technicians replaced equipment and repaired damage. In 2007, more brazen robbers attacked a Verizon data centre dressed as police officers, resulting in the loss of nearly $4 million worth of equipment, high-value circuit boards, and micro-system motherboards. Five staff members were tied up during the robbery.
Worse still, between 2005 and 2007, a data centre was violently robbed at gunpoint four times, despite safeguards that included multiple layers of security cameras, proximity card readers, biometric access controls and key pads, double-locking mantraps at the data centre entrance, a 360-degree perimeter, and rooftop surveillance. The robbers beat several staff members with blunt instruments and shocked them with Tasers.
In each of these incidents, major companies had detailed plans for dealing with equipment failures and normal network outages, but they had no processes (or customer insurances) in place to deal with physical security breaches. In addition to rapidly repairing missing and broken equipment, companies had to simultaneously figure out how to preserve evidence, contact the appropriate authorities, and begin internal investigations.
As disruptive as common criminals can be, terrorism is a growing threat and it might be only a matter of time before a terrorist group develops the capability and/or intent to target commercial data centres that contain servers belonging to law enforcement, counter-terrorist, and other organisations important to national security. Thus far, it appears that there have been no physical terrorist attacks conducted on a data centre anywhere in the world. But, where weaknesses exist, so do risks, and common criminals have publicly demonstrated that many data centres are not maintaining adequate levels of physical security.
If unorganised groups of criminals can cause millions of dollars worth of damage in terms of lost equipment, compromised information, and service outages, then it is logical to consider that well-resourced (and even state-sponsored) terrorists could cost a nation billions of dollars with a well-planned attack. It is incumbent upon data centres to develop and improve their physical security standards before such attacks evolve from hypothetical to historical.
If external threats weren’t enough to worry about, it is finally important to acknowledge that a great deal of data theft from high-security data centres is perpetrated by insiders. On multiple occasions, data centre thieves and saboteurs have turned out to be past or current employees, contractors, and technicians who have been authorised access to sensitive areas and equipment by the data centres themselves.
Major world governments have all been implicated in (sometimes successful) attempts to recruit data centre employees to steal information from customers and clients. In other cases where data loss has not been deliberate, security breaches have been, at least in part, facilitated by employee negligence. Physical security standards must include safeguards that restrict access for unauthorised people, but they must also observe, track, and control the activities of people who have been granted access for legitimate reasons.
Securing a bright future
With so much growth and opportunity ahead, it is no surprise that the data centre sector is also being challenged by threats and risks. I am honoured to play a role in helping the sector to capitalise on what is sure to be a very bright future. I look forward to working closely with DCA members, partners, and stakeholders to develop and improve the sector’s security standards.