When enterprise infrastructure is housed in a data center, it’s essential to ensure that the third-party location is physically and virtually secure. Data center security involves the physical and virtual cybersecurity that protects corporate data from attackers. Most data centers house sensitive data for numerous enterprise businesses, so just one vulnerability could mean a breach for dozens of businesses. Data center security prevents threats like data breaches, but it also ensures uptime and integrity of corporate infrastructure and any services offloaded to the cloud.
How to Secure a Data Center: Physical and Virtual
In most organizations, the biggest threat to data is virtual attackers finding vulnerabilities in software or network infrastructure. Data centers must protect against the same kinds of threats, and they have the added responsibility of physically safeguarding the infrastructure. Providers have their own compliance standards that they must follow to stay certified, and these standards are audited to ensure that procedures support advanced cybersecurity practices.
Data Center Physical Security
Data centers are built in strategic locations away from big cities. This is part of the physical security, but it’s also meant to allow the data center to run without affecting local homes and businesses. Being in a remote location eliminates many of the physical threats, but the data center could still be the target of an attacker walking into the facility. If an attacker gains access to the premises, data could be exfiltrated from servers using USB or other physical devices.
The first line of defense in physical security is cameras and security guards around the perimeter. The data center positions cameras on entryways. Data centers don’t have glass windows, so windows are not an issue, but any door is a risk to physical security. Cameras, locks, and security guards protect against this level of attack.
If an attacker can get through the door, the next level of physical security is a Faraday cage. The attacker cannot continue past the Faraday cage without the right key. The key could be a traditional key, a key code entered into a security device, a card that slides through a scanner, or a biometric system. Biometric systems are the most secure, but they are also the most expensive. Tier 4 data centers always have biometrics as a security layer.
Visitors are closely monitored at a data center, as there should be very few people who must walk the premises. Visitors must have limited access to equipment and must be escorted by an employee. Visitors are given a badge that indicates they are visiting, and a log entry is made when the visitor arrives and leaves the premises.
Data Center Virtual Security
Several strategies are used to protect data centers from virtual attackers. Enterprises with local on-premises infrastructure can use many of the strategies used at data centers. To avoid many of the common malware and virtual attacks in the wild, data centers adhere to strict monitoring and auditing rules.
No customer using data center resources should be able to access another customer’s account information. It’s common for data centers to use a security information and event management (SIEM) tool that provides a 360-degree view of all assets and traffic activity. These tools are combined with risk management and threat detection monitoring to identify suspicious activity.
Network activity is segmented across zones. This cybersecurity method is not much different from an enterprise network setup, but it’s much stricter, and customer traffic should not interact with or expose other customers’ data. The network configurations must allow customers to freely run their own software on their virtual environment but protect other customers and the data center from vulnerabilities within customer software.
Before any application is deployed on data center infrastructure, it’s thoroughly penetration tested and code reviewed for any vulnerabilities. If malware can be introduced to a data center environment, it can be detrimental to the security of not only the data center but any customer who uses it.
Data Center Security Tiers
Data center security is described in tiers. Tier levels are important for businesses that entrust their data to a specific provider. When shopping for a cloud provider, the business must find a data center with a particular tier level so that it can meet its own regulatory standards. Higher tiers indicate that the data center is a larger facility with more advanced cybersecurity surrounding it. Data center tiers are also used to determine uptime assurance.
- Tier 1: Tier 1 is the lowest tier and the most basic of data center security. It’s mainly used by small businesses that do not store extremely sensitive information and have their own infrastructure redundancy. Tier 1 data centers have a 99.671% uptime guarantee, which means their service level agreement allows for 28.8 hours of downtime per year.
- Tier 2: This tier level is mainly used by businesses that need colocation services. The business houses much of its own infrastructure, but it needs failover or distributes resources to the data center without relying solely on the data center’s infrastructure. Both Tier 1 and Tier 2 data centers have one source of power and cooling, which means that should these resources fail, it could mean downtime for the data center as a whole and its customers. Tier 2 has a guarantee of 99.741% or 22 hours of downtime per year.
- Tier 3: Tier 3 data center security is a huge step up from Tiers 1 and 2. The main difference between this tier and the previous two is that it uses dual power and cooling resources, giving redundancy to its uptime. Redundant resources provide failover, so customers would not experience any downtime should one fail. No downtime is required during maintenance, either. Tier 3 provides a 99.982% uptime guarantee or 1.6 hours of possible downtime a year.
- Tier 4: For large enterprises depending on guaranteed uptime, Tier 4 data center security offers redundancy on all resources, providing fault tolerance against downtime. With Tier 4, customers rarely experience downtime. Tier 4 data centers provide 99.995% uptime or only 26.3 minutes of possible downtime.
The higher the tier, the more reliable and secure a data center. Any big vendor in the public cloud space (e.g., Amazon Web Services, Google Cloud Platform, Microsoft Azure) has Tier 4 data centers. Physical access is secured by biometric systems and backup systems to protect data integrity and reliability.
Important Data Center Security Standards
Every data center follows its own security standards in cybersecurity, but there are also global guidelines that most follow. Cloud providers have their own digital compliance standards to follow, and customers looking for the right provider should look for a data center that follows compliance guidelines.
Data centers that are up to PCI and HIPAA compliance standards can be used by customers who must adhere to those standards for financial and medical transactions, but data center security mainly follows auditing guidelines that certify they follow unified practices according to Service Organization Control (SOC). SOC standards are guidelines surrounding risk assessment, risk reporting, and regular reviews of risk technology. It’s important to note that SOC is an audit report created and distributed by auditors who review procedures.
The following list is a brief explanation of SOC levels and compliance:
- SOC 1: SOC 1 focuses on procedures used to host financial applications. Any application hosted on data center infrastructure that works with customer or business financial data falls under this report.
- SOC 2: SOC 2 applies to any SaaS company that stores customer information at a data center. It’s one of the most common audits. Auditors will review cybersecurity strategy and procedures to ensure that they keep data confidential and offer integrity and availability.
- SOC 3: A SOC 3 audit is the same as a SOC 2 report; the main difference is that this report is meant for review by the general public to ensure that the data center is compliant with SOC 2 standards.
Who Needs Data Center Security
Data center security is important not just for the cloud provider; it’s also essential that customers work with a provider that is up to the standards set forth by compliance. Cloud customers should look for a SOC 3 report when storing sensitive data at a data center. Data center providers that host services for customers must ensure that all security protocols, procedures, and redundancy resources that they offer have the best integrity for their users.