https://www.channelfutures.com/wp-content/themes/channelfutures_child/assets/images/logo/footer-new-logo.png
  • Home
  • Technologies
    • Back
    • SDN/SD-WAN
    • Cloud
    • RMM/PSA
    • Security
    • Telephony/UC/Collaboration
    • Cable
    • Mobility & Wireless
    • Fiber/Ethernet
    • Data Centers
    • Backup & Disaster Recovery
    • IoT
    • Desktop
    • Artificial Intelligence
    • Analytics
  • Strategy
    • Back
    • Mergers and Acquisitions
    • Channel Research
    • Business Models
    • Distribution
    • Technology Solutions Brokerages
    • Sales & Marketing
    • Best Practices
    • Vertical Markets
    • Regulation & Compliance
  • MSP 501
    • Back
    • 2022 MSP 501 Rankings
    • 2022 NextGen 101 Rankings
  • Intelligence
    • Back
    • Galleries
    • Podcasts
    • From the Industry
    • Reports/Digital Issues
    • Webinars
    • White Papers
  • Channel Futures TV
  • EMEA
  • Channel Chatter
    • Back
    • People on the Move
    • New/Changing Channel Programs
    • New Products & Services
    • Industry Honors
  • Resources
    • Back
    • Advisory Boards
    • Industry Organizations
    • Our Sponsors
    • Advertise
    • 2022 Editorial Calendar
  • Awards
    • Back
    • 2022 MSP 501
    • Channel Influencers
    • Circle of Excellence
    • DE&I 101
    • Channel Partners 101 (CP 101)
  • Events
    • Back
    • CP Conference & Expo
    • MSP Summit
    • Channel Partners Europe
    • Channel Partners Event Coverage
    • Webinars
    • Industry Events
  • About Us
  • DE&I
Channel Futures
  • NEWSLETTER
  • Home
  • Technologies
    • Back
    • SDN/SD-WAN
    • Cloud
    • RMM/PSA
    • Security
    • Telephony/UC/Collaboration
    • Cable
    • Mobility & Wireless
    • Fiber/Ethernet
    • Data Centers
    • Backup & Disaster Recovery
    • IoT
    • Desktop
    • Artificial Intelligence
    • Analytics
  • Strategy
    • Back
    • Mergers and Acquisitions
    • Channel Research
    • Business Models
    • Distribution
    • Technology Solutions Brokerages
    • Sales & Marketing
    • Best Practices
    • Vertical Markets
    • Regulation & Compliance
  • MSP 501
    • Back
    • 2022 MSP 501 Rankings
    • 2022 NextGen 101 Rankings
  • Intelligence
    • Back
    • Galleries
    • Podcasts
    • From the Industry
    • Reports/Digital Issues
    • Webinars
    • White Papers
  • Channel Futures TV
  • EMEA
  • Channel Chatter
    • Back
    • People on the Move
    • New/Changing Channel Programs
    • New Products & Services
    • Industry Honors
  • Resources
    • Back
    • Advisory Boards
    • Industry Organizations
    • Our Sponsors
    • Advertise
    • 2022 Editorial Calendar
  • Awards
    • Back
    • 2022 MSP 501
    • Channel Influencers
    • Circle of Excellence
    • DE&I 101
    • Channel Partners 101 (CP 101)
  • Events
    • Back
    • CP Conference & Expo
    • MSP Summit
    • Channel Partners Europe
    • Channel Partners Event Coverage
    • Webinars
    • Industry Events
  • About Us
  • DE&I
    • Newsletter
  • REGISTER
  • MSPs
  • VARs / SIs
  • Agents
  • Cloud Service Providers
  • Channel Partners Events
 Channel Futures

MSSP Insider


Shutterstock

Data center

Don’t Forget the ‘Physical’ Part of Security

  • Written by Frank J. Ohlhorst
  • December 7, 2018
Keeping data safe takes more than cybersecurity and antimalware solutions.

MSSPs often are charged with keeping data safe as it traverses the ether and have turned to the latest cybersecurity technologies and solutions to ensure that data is not intercepted, lost, or stolen.

The extreme focus, however, on what transpires across the wires and airwaves that data traverses might create a blind spot when it comes to fully protecting an organization’s intellectual property and customer data — a blind spot so large that it might conceal the physical manifestation of a data center.

Truth be told, cybersecurity is all about protecting data in motion. After all, it takes motion to access data; data can not leap into other systems without some type of processing or transmission. Yet, there is still a risk to data, even when it is not in motion and at rest — a state of data exemplified by archival storage, storage on a powered-down system, stored on a hard drive in a service cabinet, or most any other place that data can rest. Protecting data at rest manifests itself in the physical realm, a realm many have come to ignore in the age of the cloud and the internet. Even so, MSSPs need to be aware of all the threats that can impact data and need to establish the necessary protections.

That need becomes even more clear when an MSSP also serves clientele as an MSP, SaaS provider, backup-as-a-service provider, or most any other situation where a solution provider is actually storing and managing that data, especially if it involves data at rest. What’s more, many solution providers today might be responsible for the physical storage of the data, but actually have little control over the physical environment that data rests in.

Take for example the growing cloud-services market, as well as the traditional colocation and data-center markets — where services are provided, but physical access and control might not be part of the bargain. Simply put, if a solution provider is using a physical premises, other than one they own, they have to place their trust in cloud service providers such as AWS, Azure, and Google Cloud, and their SLAs and contracts. Or, solution providers have to come to trust their colocation or data-center partners to protect physical assets.

However, MSSPs and their peers should not rely on blind trust, but heed the old Russian proverb, “Doveryai, no proveryai,” made famous by President Ronald Reagan as “trust, but verify” back in 1984. Today, that translates to knowing the best practices of physical security as it pertains to a data center, best practices that Interxion, a provider of carrier and cloud-neutral colocation data-center services, was willing to discuss with Channel Futures’ MSSP Insider. There are enough security practices to fill a large tome, and several books have been written on that very subject. But those detailed best practices far exceed what a solution provider must know to achieve a level of confidence that their colocation provider or data-center host is keeping things secure.

Lex Coors, Chief Data Center Technology and Engineering Officer, Interxion broke physical security best practices down into digestible chunks, which should help solution providers ask the right questions of their data center/ cloud partners. Coors explained “there are two sides to security, the infrastructure and the procedure side. Each has it own requirements, but must intersect to decrease risk.”

Interxion's Lex Coors

Interxion’s Lex Coors

It’s that intersection that can confuse some. Many think of physical security as little more than a barrier of some type, forgetting that procedures and policies are just as critical as the physical manifestation of security. In other words, there also has to be a culture supporting the ideologies of physical security.

“On the infrastructure side, it starts typically with no names on the data center to decrease the risk of the so-called emotional event-acting people, who may get triggered by the name or word data center,” Coors explains.

For Interxion and many other providers like it, data centers are designed to be nondescript buildings, that are usually located in industrial parks, and do not stand out in anyway. The lack of a name furthers the anonymity of the building, helping to reduce any attention toward the data center.

Coors also talks about the physical infrastructure security ideology as a layered model.

“Layer 1 is the perimeter fence with remotely secured car and person gates, followed by Layer 2, which are the CCTV cameras overlooking the fenced area. The next step, Layer 3, is the mantrap access to general areas in the data center; this mantrap is operated by card and biometrics,” Coors said. “Layer 4 is by the CCTV system overlooking all corridors in the general purpose area, and Layer 5 is access by card and/or biometrics to the customer room.”

While that layered approach is somewhat an industry standard, there’s more to layers than just the physical manifestations of access prevention.

“From an operations perspective, to get access is not easy, as there is a large set of procedures including but not limited to pre-announcement of a visitor through our ECSC (European Customer Service Center) and name check by physical security officers versus the pre-announcement list before you would even have access to the first layer,” Coors explained. “That’s followed by passport checks [and so on]. Once inside the security lobby, you will be checked again; your personal ID will be verified, after which you will receive a badge that allows specific access to those areas only mentioned in the signed customer contract. Any visitor can only access based on pre-approval from the customer-authorized representative.”

For solution providers, what Coors has explained serves as a good foundation to understand the aspects of physical security; that said, there are some other industry practices that are worth considering, and then using as a litmus test to determine how comfortable the “trust but verify” approach is for the business. Determine if the data-center operator can:

  • Track People: Physical access management to data centers is a critical component of the overall physical security of the environment. Both providing access and understanding movement through the data center is key. The use of biometric readers, anti-tailgating systems, mantraps and other physical access control systems to ensure access to spaces is authorized and monitored is critical.
  • Define Layers: Physical security is one of the classic examples of defense in depth. To provide comprehensive physical security, multiple systems and process esmust work together, like perimeter security, access control and process management.
  • Train the staff: Ensuring that all personnel adhere to physical security procedures and understand the importance of their responsibilities to a data center’s physical security program is a key concept. Intruders will always look for weak links, and it has been proven time and time again that weaknesses can often be on the human side of the equation.
  • Test physical controls: Internal testing of physical security controls is an important concept in relation to physical security. Validating access grants, ensuring that video footage is recording, and verifying that anti-tailgate mechanisms are working as intended are three areas that should be checked. Testing of physical controls should be part of normal operating procedures.

Understanding the physical and procedural security around a data center is one of the critical elements of properly protecting data. What’s more, solution providers can use the information garnered as a sales tactic, helping their clients to better understand how all-encompassing security policies should be, and that the physical can be just as important as the cyber when it comes to protecting intellectual property, customer data and even business operations.

Tags: MSPs Business of Security MSSP Insider Security Training and Policies

Most Recent


  • Black Hat expo hall 2022
    The Gately Report: Black Hat USA Edition with Cisco, IBM, CISA, More
    Black Hat USA has come roaring back since the COVID-19 pandemic.
  • Making Waves
    7 Channel People Making Waves This Week at Microsoft, Rackspace, RingCentral, Avaya
    Hackers targeted one UCaaS firm by impersonating the company's IT department.
  • Welcome Mat
    Okta Names Splunk Vet New Global Channel Chief
    Okta's global channel chief left the company in June.
  • Mergers acquisitions m&a goldfish crackers
    Latest M&A: IBM, Vonage, Nokia, GoTo, Nitel, Ensono, Huntress, More
    One cybersecurity company's $22 million July acquisition was its largest to date.

Leave a comment Cancel reply

-or-

Log in with your Channel Futures account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

Related Content

  • Security Vulnerability
    Older Fortinet Vulnerabilities Lead to Attack on Local Government Office
  • Threats
    Cybersecurity and Threat Protection: MSSPs, Get Your Advice Here
  • DevSecOps
    ServiceNow, Microsoft Set to Deliver Broad SecOps Integration
  • Dunce Cap Businessman
    Tired of MSSPs ‘Failing,’ Nuspire Debuts Platform to Combat Cyberattacks

Upcoming Events

View all

MSP Summit

September 13, 2022 - September 16, 2022

Channel Partners Conference & Expo

May 1, 2023 - May 4, 2023

Galleries

View all

The Gately Report: Black Hat USA Edition with Cisco, IBM, CISA, More

August 12, 2022

7 Channel People Making Waves This Week at Microsoft, Rackspace, RingCentral, Avaya

August 12, 2022

Oracle Cloud & AT&T, AWS Lead Cloud News Roundup

August 12, 2022

Industry Perspectives

View all

How to Take Shared Responsibility for Securing Cloud

August 11, 2022

Seize the Application Modernization Opportunity

August 2, 2022

A Growth Mindset: Your Organization’s Strategic Differentiator

August 1, 2022

Webinars

View all

Outsmarting RaaS: Implementation Strategies To Help Your Clients Before, During, and After a Ransomware Attack

August 23, 2022

Why it is Important to Upgrade Aging Servers and How to use Live Optics to Upgrade Efficiently

August 25, 2022

Executives at Home are Not Alright: An Intro to Digital Executive Protection

September 8, 2022

White Papers

View all

Work Goes Remote – (and Other Top ITOps Trends)

May 25, 2022

The New Bottom Line: How MSPs Can Meet the Healthcare Crisis While Evolving Their Businesses

April 19, 2022

How to build a Security Operations Center (on a budget)

April 4, 2022

Channel Futures TV

View all

ThreatLocker Preaches Zero Trust, Addresses Industry Competition

ScienceLogic Debuts New Partner Portal

August 9, 2022

Vonage a ‘Single Communications Stack Provider’ for Partners, Customers

June 27, 2022

IBM, Partners and the $1 Trillion Hybrid Cloud Opportunity

June 26, 2022

Twitter

ChannelFutures

.@splunk vet Bill Hustad named @Okta's new #channelchief. dlvr.it/SWXmws https://t.co/ILQesul0Cz

August 12, 2022
ChannelFutures

The Gately Report: #BHUSA edition with @Hacker0x01, @Cisco, @SaltSecurity, @CISAgov, @ExtraHop, @IBMSecurity, more.… twitter.com/i/web/status/1…

August 12, 2022
ChannelFutures

Channel People Making Waves Include: @kencarnesi, @szebenisz, @vasujakkal, @brettsmith52, @DaveMichels… twitter.com/i/web/status/1…

August 12, 2022
ChannelFutures

Nancy Henriquez, VP of Sales & Marketing at MSP 501 award-winning @synetek, touches on the importance of gathering… twitter.com/i/web/status/1…

August 12, 2022
ChannelFutures

.@Equinix's new hire is a familiar face in the telco channel. dlvr.it/SWXV6v https://t.co/jIg0LrZ4DO

August 12, 2022
ChannelFutures

Missed the news this week from @OracleCloud and @ATTBusiness? We've got it here. Plus, news from @AWSCloud and… twitter.com/i/web/status/1…

August 12, 2022
ChannelFutures

Huge channel-impacting acquisitions in the past month. We've got details on @IBM, @nokia, @GoTo, @EnsonoIT,… twitter.com/i/web/status/1…

August 12, 2022
ChannelFutures

Boost privacy by design with #shiftleft mindset and add #security to cloud deployments from start, says… twitter.com/i/web/status/1…

August 12, 2022

MSP 501

The industry's largest and most comprehensive partner awards program.

Newsletters and Updates

Sign up for The Channel Report, Channel Futures Update, MSP 501 Newsletter and more.

Live Channel Events

Get the latest information on the next industry-leading Channel Partners event.

Galleries

Educational slide shows and images from live events.

Media Kit And Advertising

Want to reach our audience? Access our media kit.

DISCOVER MORE FROM INFORMA TECH

  • Channel Partners Events
  • Telecoms.com
  • MSP 501
  • Black Hat
  • IoT World Today
  • Omdia

WORKING WITH US

  • Contact
  • About Us
  • Advertise
  • Newsletter

FOLLOW Channel Futures ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookie Policy
  • Terms
Copyright © 2022 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X