High-profile data breaches and disruption to services are frequently reported, with each incident causing huge financial and credibility losses. Giovanni Grosso, Managing Director at G4S Secure Solutions Services, tells us about combining physical security and cybersecurity when looking at DC security programmes holistically, the six layers of security within data centres and the benefits of a risk-based approach.
Why is security so important to the data centre?
Availability of service, security and energy efficiency (as part of ESG) are the fundamental pillars to every successful data centre business.
High-profile data breaches and disruption to services are frequently reported with each incident causing huge financial losses in regulatory fines, loss of sensitive IP, downtime, post-incident recovery, security improvements and perhaps most valuably of all, reputation.
What advice would you give for anyone considering security for their data centre?
For anyone considering security, we’d always recommend starting with a thorough risk assessment and then looking at security on a holistic basis, combining cyber and physical security and integrating people, process and technology into a single integrated security solution.
Where should the focus be?
In October 2021 a global cloud communications company reported losses of between $9 and $12 million due to a DDoS attack. It would be easy to focus the security programme on cybersecurity alone.
However, the opportunities for attack are diverse. Threat actors will target vulnerabilities in data centres’ ownership, geography, physical perimeter, data halls, network rooms (or MMRs), supply chains, staff and cybersecurity in a concerted effort to breach data centres’ defences and acquire or tamper with sensitive information or disrupt critical services.
What are the principal threats?
There is no one-size-fits-all approach to holistic data centre security. Every data centre will need to consider guidance based on their own risk assessments.
The targets are not limited to acquiring or degrading data. Threat actors may also seek to disrupt services by targeting data centres through either a destructive cyberattack or a physical attack.
Historically, the focus has been on preventing service interruption due to natural hazards, power outages, hardware failures or denial-of-service attacks.
Ransomware has emerged as a major threat. In a recent incident, stolen employee credentials helped the threat actors complete their attack. This was a great example of the requirement for physical and cyberthreat converging.
To address this trend, organisations need to bring together physical and cybersecurity of data centres into a single holistic strategy.
Only when this is done can they be confident of withstanding the diversified methods threat actors, cybercriminals and others may use to attack.
How do cyber and physical security converge?
To be effective, the modern security plan should adopt a risk-based approach to security mitigation supported by a layered strategy which operates at different levels and integrates physical, personnel and cybersecurity in a single, holistic programme.
To counter the threat from forcible attack such as theft or terrorism, the 3Ds philosophy of Deter, Detect and Delay attackers may be used.
By creating a highly visible security appearance or messaging, the goal is to provide a strong deterrent to the potential attacker. When an attack occurs, the objective is to detect attacks at the earliest opportunity and delay the attacker for as long as possible to enable response and intervention prior to any loss.
To counter the threat from espionage, the BAD philosophy should be used by implementing effective barriers, tightly controlling access and using technology to detect potential attacks.
In a reverse approach to that used for forcible attack protection, layers that form barriers, control access and detect attacks should be created as close to the asset as possible.
This philosophy focuses on detection and not delay of attacks due to the differing measures of success for the attacker. Taking this approach allows you to focus security measures on the asset, which in turn can also help mitigate risk from insiders who exploit or have the intention to exploit an organisation’s assets for unauthorised purposes.
What should the security programme address?
As we mentioned earlier, security mitigation is most effective through a layering approach. An example of the physical security layering within the data centre typically includes 4 to 6 layers. These layers allow defence in depth and typically address each of:
- Layer 1: The fence line at the perimeter of the facility
- Layer 2: External areas, including car parks, access and reception areas
- Layer 3: Common/circulation areas and Security Operations Centre (SOC)
- Layer 4: Grey space (plant rooms, inc. MMR)
- Layer 5: White space/ Data Centre Floor
- Layer 6: IT rack (including associated cage and air containment – hot aisle or cold)
The overall security programme should address each of the layers and combine people, process and technology in an integrated approach. When one provider delivers the entire programme, it gives clear accountability and ownership for the entire security supply chain.
What are the main elements of the security plan?
Clearly by addressing vulnerabilities, an organisation is more likely to prevent the more damaging aspects of a security breach.
Security design activity that fails to consider the appropriate risks, threats and vulnerabilities is unable to identify the necessary impact areas and is therefore unlikely to meet its objectives. The result is either over-expenditure, or vulnerabilities being left unaddressed.
While an integrated approach reduces risk levels and improves protection and resilience, we work hard to identify ways to add value throughout every engagement. Mapping how mitigation impacts not only a single vulnerability but an array of security weaknesses across asset categories enables us to maximise operational efficiencies.
The security plan as a minimum should address each of the physical layers through the 3Ds and BAD design philosophy.
What technologies should be included?
The security solution should embrace a variety of system technologies working in an integrated fashion with a strong focus on analytics to assist the security service team in performing their duties.
Typically, from a physical security perspective, the perimeter may adopt vehicle access control, using license plate recognition (LNPR) and mechanical barriers at a manned guarding point. Perimeter intruder detection (PID) will use video analytics and thermal imaging to draw attention to attempts to gain unauthorised access to sites around the boundary or fence line.
Internally, the security systems include access control, some with two-factor credentials such as PIN and/or biometrics to control access to the varying layers, particularly high security areas such as the rack or IT space.
Real time video surveillance embedded with Deep Learning analytics will draw attention to unusual activity or motion while a communication system should make it simple for security to push messages and video capture if necessary.
Ideally a security management system will provide a simple interface to allow security to operate the different systems in a controlled manner from a central location.
Life safety and fire prevention and detection is absolutely necessary and often seeking Very Early Smoke Detection Alarm (VESDA) to maximise response preparedness with a double-knock alarm often providing a secondary detection to activate the fire suppression systems in the critical white (IT Room) and grey (Plant Room) spaces.
What should you look for in a technology partner?
I’d say quality, experience, breadth and a commitment to continuous improvement. Let’s treat each of those individually.
- Quality – Where systems integration is required, it is critical that they can demonstrate a commitment to the manufacturer’s accreditation programme. It sounds obvious but they should absolutely be licensed or certified by the original equipment manufacturer (OEM) to provide reassurance of the design and installation proposed, through to the on-going service and maintenance of the installed systems. Today especially, we also lean heavily on our great relationships with distribution and channel partners to help offer timely delivery. The integrator themselves should have a commitment to an independent quality management system to give confidence in their processes and systems, through the complete life-cycle of services, from Account Management, design development, to installation, commissioning and maintenance services.
- Experience – Particularly in construction projects, having a partner that is experienced and flexible to work within demanding time frames and can demonstrate staff with the appropriate clearances gives confidence and trust.
- Breadth – Put simply, the broader the security portfolio across systems support, the simpler the supply chain and the greater the accountability. So, whether it is the access control system, CCTV, provision of permanent site guarding or urgent mobile site response, partnering with an organisation that can deliver across products and services can be a real advantage.
- Continuous Improvement – Security waits for nobody so being able to offer continuous improvement abreast of a constantly evolving threat landscape can also be considered invaluable. This may be through the introduction of next generation technologies such as drones or AI within CCTV and Video Management Systems (VMS).
For any security system, resilience in design is paramount. Availability is not a nice-to-have in the data centre environment, it’s a necessity.
While capacity is also important, any system should be designed with the capability to grow with you across multiple sites or geographies but also be able to offer integrations to 3rd party systems to ensure multi-tenant facilities retain security integrity.
What to look for in system design?
More recently we’ve seen the emergence of Hyperscale data centre projects. These can be huge, complex and time sensitive projects where staged completion is often required, with the security system being just one part of a larger overall project.
Therefore, one should expect the contractor to provide a qualified project manager to take charge of the works at all times and to attend the job site during the installation, testing and commissioning of the works to ensure the design “Layers” are adhered to before stage handovers, equipment is fully operational and users trained well before go live to ensure that security integrity is not compromised.
Once the systems are in situ, they become a key part of the overall security plan that should be regularly tested, challenged and developed.
What about project management for technology installations?
Any new security systems should be making use of Artificial Intelligence and its Deep Learning analytics to create proactive security by driving attention to unusual or suspicious activity – whether that be unusual motion identified via the Video Management Systems, or recurring unauthorised or failed access credentials via Access Control Systems.
The key is to operate with connected security systems that alert personnel through their mobility solutions. For security, it’s a critical enabler by allowing personnel to take action as an event is unfolding, collecting credible evidence along the way and reducing the “delay” time required to reach a satisfactory event conclusion.
Within access control, we see the emergence of advanced biometric readers which can be recommended for highly restricted spaces and incorporate PIN or card reader functionality with fingerprint, retinal scan or full-facial reading. This provides heightened two-factor credentials with both technologies requiring valid reads before transit is authorised.
With new installations and infrastructure upgrades or changes, Operational Technology (OT) cybersecurity should be reviewed. New IIoT connected devices or systems potentially bypass traditional firewall deployment strategies and exclude endpoint security protection.
The connectivity of OT devices presents the opportunity for a threat actor to exploit weaknesses of the device from the outside. With this change come many new cybersecurity challenges for OT departments and a host of new OT security vendors that can help resolve them.
But first, OT departments must recognise this emerging threat and take appropriate action. And while the threat is virtual, physical security has a key role to play.
What innovation should you be considering?
Our engineers and project management teams are used to working within high security environments and often work on demanding, time sensitive projects with limited or demanding access constraints.
G4S is a specialist integrator of best-in-class products – what this means is that having gained a detailed understanding of the client’s requirements, we take what we believe are the best products in the marketplace and blend these into a bespoke solution that meets the client’s security needs. We can provide a full end-to-end solution from the initial design, procurement, installation, on-going maintenance and management and monitoring of all the services and products. All provided by G4S in-house using highly trained, experienced, qualified employees.
Together with our Academy and People Services we’re able to deliver unique value through a truly integrated effects-based security design.