Don’t Forget the ‘Physical’ Part of Security
MSSPs often are charged with keeping data safe as it traverses the ether and have turned to the latest cybersecurity technologies and solutions to ensure that data is not intercepted, lost, or stolen.
The extreme focus, however, on what transpires across the wires and airwaves that data traverses might create a blind spot when it comes to fully protecting an organization’s intellectual property and customer data — a blind spot so large that it might conceal the physical manifestation of a data center.
Truth be told, cybersecurity is all about protecting data in motion. After all, it takes motion to access data; data can not leap into other systems without some type of processing or transmission. Yet, there is still a risk to data, even when it is not in motion and at rest — a state of data exemplified by archival storage, storage on a powered-down system, stored on a hard drive in a service cabinet, or most any other place that data can rest. Protecting data at rest manifests itself in the physical realm, a realm many have come to ignore in the age of the cloud and the internet. Even so, MSSPs need to be aware of all the threats that can impact data and need to establish the necessary protections.
That need becomes even more clear when an MSSP also serves clientele as an MSP, SaaS provider, backup-as-a-service provider, or most any other situation where a solution provider is actually storing and managing that data, especially if it involves data at rest. What’s more, many solution providers today might be responsible for the physical storage of the data, but actually have little control over the physical environment that data rests in.
Take for example the growing cloud-services market, as well as the traditional colocation and data-center markets — where services are provided, but physical access and control might not be part of the bargain. Simply put, if a solution provider is using a physical premises, other than one they own, they have to place their trust in cloud service providers such as AWS, Azure, and Google Cloud, and their SLAs and contracts. Or, solution providers have to come to trust their colocation or data-center partners to protect physical assets.
However, MSSPs and their peers should not rely on blind trust, but heed the old Russian proverb, “Doveryai, no proveryai,” made famous by President Ronald Reagan as “trust, but verify” back in 1984. Today, that translates to knowing the best practices of physical security as it pertains to a data center, best practices that Interxion, a provider of carrier and cloud-neutral colocation data-center services, was willing to discuss with Channel Futures’ MSSP Insider. There are enough security practices to fill a large tome, and several books have been written on that very subject. But those detailed best practices far exceed what a solution provider must know to achieve a level of confidence that their colocation provider or data-center host is keeping things secure.
Lex Coors, Chief Data Center Technology and Engineering Officer, Interxion broke physical security best practices down into digestible chunks, which should help solution providers ask the right questions of their data center/ cloud partners. Coors explained “there are two sides to security, the infrastructure and the procedure side. Each has it own requirements, but must intersect to decrease risk.”
It’s that intersection that can confuse some. Many think of physical security as little more than a barrier of some type, forgetting that procedures and policies are just as critical as the physical manifestation of security. In other words, there also has to be a culture supporting the ideologies of physical security.
“On the infrastructure side, it starts typically with no names on the data center to decrease the risk of the so-called emotional event-acting people, who may get triggered by the name or word data center,” Coors explains.
For Interxion and many other providers like it, data centers are designed to be nondescript buildings, that are usually located in industrial parks, and do not stand out in anyway. The lack of a name furthers the anonymity of the building, helping to reduce any attention toward the data center.
Coors also talks about the physical infrastructure security ideology as a layered model.
“Layer 1 is the perimeter fence with remotely secured car and person gates, followed by Layer 2, which are the CCTV cameras overlooking the fenced area. The next step, Layer 3, is the mantrap access to general areas in the data center; this mantrap is operated by card and biometrics,” Coors said. “Layer 4 is by the CCTV system overlooking all corridors in the general purpose area, and Layer 5 is access by card and/or biometrics to the customer room.”
While that layered approach is somewhat an industry standard, there’s more to layers than just the physical manifestations of access prevention.
“From an operations perspective, to get access is not easy, as there is a large set of procedures including but not limited to pre-announcement of a visitor through our ECSC (European Customer Service Center) and name check by physical security officers versus the pre-announcement list before you would even have access to the first layer,” Coors explained. “That’s followed by passport checks [and so on]. Once inside the security lobby, you will be checked again; your personal ID will be verified, after which you will receive a badge that allows specific access to those areas only mentioned in the signed customer contract. Any visitor can only access based on pre-approval from the customer-authorized representative.”
For solution providers, what Coors has explained serves as a good foundation to understand the aspects of physical security; that said, there are some other industry practices that are worth considering, and then using as a litmus test to determine how comfortable the “trust but verify” approach is for the business. Determine if the data-center operator can:
- Track People: Physical access management to data centers is a critical component of the overall physical security of the environment. Both providing access and understanding movement through the data center is key. The use of biometric readers, anti-tailgating systems, mantraps and other physical access control systems to ensure access to spaces is authorized and monitored is critical.
- Define Layers: Physical security is one of the classic examples of defense in depth. To provide comprehensive physical security, multiple systems and process esmust work together, like perimeter security, access control and process management.
- Train the staff: Ensuring that all personnel adhere to physical security procedures and understand the importance of their responsibilities to a data center’s physical security program is a key concept. Intruders will always look for weak links, and it has been proven time and time again that weaknesses can often be on the human side of the equation.
- Test physical controls: Internal testing of physical security controls is an important concept in relation to physical security. Validating access grants, ensuring that video footage is recording, and verifying that anti-tailgate mechanisms are working as intended are three areas that should be checked. Testing of physical controls should be part of normal operating procedures.
Understanding the physical and procedural security around a data center is one of the critical elements of properly protecting data. What’s more, solution providers can use the information garnered as a sales tactic, helping their clients to better understand how all-encompassing security policies should be, and that the physical can be just as important as the cyber when it comes to protecting intellectual property, customer data and even business operations.