When enterprise infrastructure is housed in a data centre, it’s essential to ensure that the third-party location is physically and virtually secure. Data centre security involves the physical and virtual cybersecurity that protects corporate data from attackers. Most data centres house sensitive data for numerous enterprise businesses, so just one vulnerability could mean a breach for dozens of businesses. Data centre security prevents threats like data breaches, but it also ensures uptime and integrity of corporate infrastructure and any services offloaded in the cloud.
How to Secure a Data Centre: Physical and Virtual
In most organisations, the biggest threat to data is virtual attackers finding vulnerabilities in software or network infrastructure. Data centres must not only protect against the same kinds of threats, but they also have the added responsibility of physically safeguarding the infrastructure. Providers have their own compliance standards that they must follow to stay certified, and these standards are audited to ensure that procedures support advanced cybersecurity practices.
Data Centre Physical Security
Data centres are built in strategic locations away from big cities. This is part of the physical security, but it’s also meant to allow the data centre to run without affecting local homes and businesses. Being in a remote location eliminates many of the physical threats, but the data centre could still be the target of an attacker walking into the facility. If an attacker gains access to the premises, data could be exfiltrated from servers using USB or other physical devices.
The first line of defence in physical security is cameras and security guards around the perimeter. The data centre positions cameras on entryways. Data centres don’t have glass windows, so they are not an issue, but any door is a risk to physical security. Cameras, locks, and security guards protect from this level of attack.
If an attacker gets through the door, the next level of physical security is a Faraday cage. Without authorisation in the form of the right key, the attacker cannot continue past the Faraday cage. The key could be a traditional key, a key code entered into a security device, a card that slides through a scanner, or a biometrics system. Biometric systems are the most secure, but they are also the most expensive. Tier 4 data centres always have biometrics as a security layer.
Visitors are closely monitored at a data centre, as there should be very few people who must walk the premises. Visitors must have limited access to equipment and must be escorted by an employee. Visitors are given a badge that indicates they are visiting, and a log entry is made when the visitor arrives and leaves the premises.
Data Centre Virtual Security
Several strategies are used to protect data centres from virtual attackers. Enterprises with local on-premises infrastructure can use many of the strategies used at data centres. To avoid many of the common malware and virtual attacks in the wild, data centres adhere to strict monitoring and auditing rules.
No customer using data centre resources should be able to access another customer’s account information. It’s common for data centres to use a security information and event management (SIEM) tool that provides a 360-degree view of all assets and traffic activity. These tools are combined with risk management and threat detection monitoring to identify suspicious activity.
Network activity is segmented across zones. This cybersecurity method is not much different from an enterprise network setup, but it’s much stricter, and customer traffic should not interact with or expose other customers’ data. The network configurations must allow customers to freely run their own software on their virtual environment but protect other customers and the data centre from vulnerabilities within customer software.
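The following Python sketch is an added example, not part of the original article, showing the kind of check a SIEM rule can run over flow records to confirm that zone segmentation holds. The zone names, subnets, and the four-field log format are constructed assumptions.

```python
import ipaddress

# Constructed zone map (assumption): each customer and the provider's
# management network own one subnet.
TENANT_ZONES = {
    "customer-a": ipaddress.ip_network("10.10.0.0/24"),
    "customer-b": ipaddress.ip_network("10.20.0.0/24"),
    "dc-mgmt": ipaddress.ip_network("10.0.0.0/24"),
}

# Constructed flow records in the form "src dst dst_port action".
SAMPLE_FLOWS = """\
10.10.0.5 10.10.0.9 5432 ACCEPT
10.10.0.5 10.20.0.7 22 ACCEPT
10.20.0.7 10.20.0.8 443 ACCEPT
10.20.0.7 10.0.0.2 8443 DENY
10.10.0.9 203.0.113.10 443 ACCEPT
"""

def zone_of(addr):
    """Return the zone that owns addr, or None for external addresses."""
    ip = ipaddress.ip_address(addr)
    for name, net in TENANT_ZONES.items():
        if ip in net:
            return name
    return None

def cross_zone_flows(log_text):
    """Return flows whose source and destination sit in different internal zones."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src, dst, port, action = parts
        try:
            src_zone, dst_zone, port_no = zone_of(src), zone_of(dst), int(port)
        except ValueError:
            continue  # unparsable address or port
        if src_zone and dst_zone and src_zone != dst_zone:
            # ACCEPT: segmentation failed. DENY: it held, but the attempt is worth review.
            severity = "violation" if action == "ACCEPT" else "blocked-attempt"
            findings.append((src_zone, dst_zone, port_no, severity))
    return findings
```

Traffic that stays inside one zone or leaves for an external address is ignored; only zone-to-zone flows are reported.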
Before any application is deployed on data centre infrastructure, it’s thoroughly penetration tested and code reviewed for any vulnerabilities. If malware can be introduced to a data centre environment, it can be detrimental to the security of not only the data centre but any customer who uses it.
Data Centre Security Tiers
Data centre security is described in tiers. Tier levels are important for businesses that entrust their data to a specific provider. When shopping for a cloud provider, the business must find a data centre with a particular tier level so that the business can meet its own regulatory standards. Higher tiers indicate that the data centre is a larger facility with more advanced cybersecurity surrounding it. Data centre tiers are also used to determine uptime assurance.
- Tier 1: Tier 1 is the lowest tier and the most basic of data centre security. It’s mainly used by small businesses that do not store extremely sensitive information and have their own infrastructure redundancy. Tier 1 data centres have a 99.671% uptime guarantee, which means their service level agreement allows for 28.8 hours of downtime per year.
- Tier 2: This tier level is mainly used by businesses that need colocation services. The business houses much of its own infrastructure, but it needs failover or distributes resources to the data centre without relying solely on its infrastructure. Both Tier 1 and Tier 2 data centres have one source of power and cooling, which means that should these resources fail, it could mean downtime for the data centre as a whole and its customers. Tier 2 has a guarantee of 99.741% or 22 hours of downtime per year.
- Tier 3: Tier 3 data centre security is a huge step up from Tiers 1 and 2. The main difference between this tier and the previous two is that it uses dual power and cooling resources, giving redundancy to its uptime. Redundant resources provide failover, so customers would not experience any downtime should one fail. No downtime is required during maintenance, either. Tier 3 provides a 99.982% uptime guarantee or 1.6 hours of possible downtime a year.
- Tier 4: For large enterprises depending on guaranteed uptime, Tier 4 data centre security offers redundancy on all resources providing fault tolerance against downtime. With Tier 4, customers rarely experience downtime. Tier 4 data centres provide 99.995% uptime or only 26.3 minutes of possible downtime.
The higher the tier, the more reliable and secure a data centre. Any big vendor in the public cloud space (e.g., Amazon Web Services, Google Cloud Platform, Microsoft Azure) has Tier 4 data centres. Physical access is secured by biometrics systems and backup systems to protect data integrity and reliability.
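As an added example that is not part of the original article, the Python sketch below checks a year of outage records against the uptime percentages in the tier list. The outage log is constructed, a 365-day year is assumed, and overlapping incidents are merged so that shared minutes are not counted twice.

```python
from datetime import datetime

HOURS_PER_YEAR = 365 * 24  # assumption: non-leap year

# Uptime guarantees (percent) as stated in the tier list above.
TIER_UPTIME = {1: 99.671, 2: 99.741, 3: 99.982, 4: 99.995}

# Constructed outage log: (start, end). The first two incidents overlap.
SAMPLE_OUTAGES = [
    ("2023-02-03T01:00", "2023-02-03T01:50"),
    ("2023-02-03T01:20", "2023-02-03T02:05"),
    ("2023-07-19T14:00", "2023-07-19T14:25"),
]

def downtime_hours(outages):
    """Total downtime in hours, merging overlapping incident windows."""
    spans = sorted(
        (datetime.fromisoformat(s), datetime.fromisoformat(e)) for s, e in outages
    )
    total, cur_start, cur_end = 0.0, None, None
    for start, end in spans:
        if cur_end is None or start > cur_end:
            if cur_end is not None:
                total += (cur_end - cur_start).total_seconds()
            cur_start, cur_end = start, end
        else:
            cur_end = max(cur_end, end)  # extend the current merged window
    if cur_end is not None:
        total += (cur_end - cur_start).total_seconds()
    return total / 3600

def allowed_downtime_hours(tier):
    """Yearly downtime budget implied by the tier's uptime percentage."""
    return HOURS_PER_YEAR * (100 - TIER_UPTIME[tier]) / 100

def highest_tier_met(outages):
    """Highest tier whose downtime budget covers the observed outages, or None."""
    down = downtime_hours(outages)
    met = [t for t in TIER_UPTIME if down <= allowed_downtime_hours(t)]
    return max(met) if met else None
```

For the sample log the merged downtime is 1.5 hours, which fits the Tier 3 budget; summing the three incidents without merging would give 2 hours and wrongly fail it.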
Important Data Centre Security Standards
Every data centre follows its own security standards in cybersecurity, but there are also global guidelines that most follow. Cloud providers have their own digital compliance standards to follow, and customers looking for the right provider should look for a data centre that follows compliance guidelines.
Data centres that are up to PCI and HIPAA compliance standards can be used by customers who must adhere to the standards governing financial and medical transactions, but data centre security mainly follows auditing guidelines that certify they follow unified practices according to Service Organization Control (SOC). SOC standards are guidelines surrounding risk assessment, risk reporting, and regular reviews of risk technology. It’s important to note that SOC is an audit report created and distributed by auditors who review procedures.
The following list is a brief explanation of SOC levels and compliance:
- SOC 1: SOC 1 focuses on procedures used to host financial applications. Any application hosted on data centre infrastructure that works with customer or business financial data falls under this report.
- SOC 2: SOC 2 applies to any SaaS company that stores customer information at a data centre. It’s one of the most common audits. Auditors will review cybersecurity strategy and procedures to ensure that they keep data confidential and maintain its integrity and availability.
- SOC 3: A SOC 3 audit is the same as a SOC 2 report; the main difference is that this report is meant for review by the general public to ensure that the data centre is compliant with SOC 2 standards.
Who Needs Data Centre Security
Data centre security is important not just for the cloud provider; it’s also essential that customers work with a provider that is up to the standards set forth by compliance. Cloud customers should look for a SOC 3 report when storing sensitive data at a data centre. Data centre providers that host services for customers must ensure that all security protocols, procedures, and redundancy resources that they offer have the best integrity for their users.