5 Security Considerations When Choosing a Data Center Provider
Approximately one year ago, a man in Texas was arrested for attempting to purchase an explosive device from an FBI agent. His plans for that device involved driving to Ashburn – the capital of Virginia’s “Data Center Alley” – to attack an Amazon Web Services data center. His intent, as he told authorities, was to “kill off about 70 percent of the Internet.”
Data Center Security Risks
It’s threats like these that make the physical security of data centers so essential. The physical threat to data centers is so real that the UK government has solicited feedback from data center providers and operators on strengthening the security and resilience of local data centers, with a focus on physical security.
The threat of physical attacks such as these has increased exponentially in the past few years, but the threats facing data centers aren’t limited to just physical infrastructure. There is also the ever-increasing threat of cyberattack to worry about.
In their 2022 Global Threat Report, cybersecurity powerhouse CrowdStrike reported increases in ransomware attacks and targeted intrusions over the past year. In their report, CrowdStrike noted that they, “observed adversaries continue to adapt to security environments impacted by the ongoing COVID pandemic,” and that they’re now “…[looking at] novel ways in which they can bypass security measures to conduct successful initial infections, impede analysis by researchers and continue tried-and-tested techniques into 2022.”
A cyber breach may not only have a significant financial impact on both customers and data center providers, the reputational impact has the potential to shift customer confidence resulting in a loss of customers altogether.
Organizations should be looking for a data center provider that takes cybersecurity seriously. One that has implemented multiple levels of security. One that validates the identity of users on its network constantly and only gives them access to what they need.
In this elevated threat environment, and with so much potential for harm to organizations, the cybersecurity and cyber hygiene of data center providers are of equal importance as the physical security of their data centers. So, what should customers be looking for in their data center partners? What indicators show a data center provider has implemented the security measures necessary to protect its customers from both physical attacks and cyberattacks?
Here are five security considerations that every data center consumer should keep in mind when evaluating data center partners:
Do they have defined safety policies and procedures that enable scalability?
For many hyperscalers, the allure of working with a data center provider is speed and scalability. These organizations are looking to rapidly increase their ability and capacity to sell solutions and services to more customers. Or, they’re looking to quickly add data centers in new markets to expand their reach or improve their user experience by decreasing latency.
If they’re going to successfully and rapidly scale their operations they need the right partner – one with established security policies and procedures.
By partnering with a data center provider that makes security a priority and has established security procedures that are consistent across the organization, hyperscalers can feel confident that their partner will have the same strict security standards in place across their entire portfolio. This can drastically decrease the time and effort needed for security audits, expediting the process and enabling hyperscalers to scale more quickly to meet demand.
Do they have a relationship with a global, third-party physical security partner?
Some data center providers choose to hire and train their own physical security personnel to protect their facilities. Others choose to establish a partnership with a global security company that can work to outfit their entire data center portfolio with the personnel they need. When given the choice, I strongly believe that organizations should choose data center providers that have elected the latter.
Partnering with a global security company ensures consistency and accountability in the security across the portfolio. A third-party security company will train its staff across the globe exactly the same way and hold them to the same standards. They will also have an established service level agreement (SLA) with their data center customer, which ensures that the service provided by the company and their representatives will meet established metrics and be consistent.
Finally, by working with a third-party security company, data center providers can increase the redundancy of their physical security force, which is another important consideration.
Do they have redundancy in their security solutions and workforce?
If a data center provider’s security systems and applications are powered by a single source or generator in one location, what happens if that location is compromised or damaged? What if there is catastrophic failure? The established security solutions will fail if the physical infrastructure that powers them is damaged.
Redundancy is essential if a data center provider is going to ensure consistency in their security. That redundancy needs to extend beyond the infrastructure that powers the security systems, applications and technologies that keep the data center safe. It also must extend to the security workforce.
Likewise, if a data center provider has a small force of security personnel that they’ve hired and trained themselves, what happens when there is a global pandemic, and multiple security personnel call out sick at the same time? Can the data center operator simply pick up the phone and ask for additional resources? Or will they find themselves quickly running out of security officers in the unlikely event of an outbreak?
Redundancy is essential if a data center provider is going to ensure consistency in their security. That redundancy needs to extend beyond the infrastructure that powers the security systems, applications and technologies that keep the data center safe. It also must extend to the security workforce.
It’s one thing for a data center provider to put effective security systems and protocols in place, hire and train a dedicated security workforce, and invest in cutting-edge security technologies. It’s another thing to bake redundancy into those systems, technologies and workforces to ensure that they’re always available. Hyperscalers should be looking for data center partners that make redundancy a priority across all aspects of their security infrastructure.
Is transparency a fundamental part of their security operations?
Many data center providers treat security incidents as “inside baseball” and don’t necessarily report them to their customers. If there is a security incident that impacts a data center, all the companies leasing space in that data center should have the right to know about it.
A security incident could result in a data center provider’s customers asking difficult questions about their existing security policies and procedures. Or it could lead to them asking for new security requirements or systems to be implemented to keep their people and infrastructure safe. But they can’t ask those questions or make those requests if they don’t know a security incident has taken place and what was involved.
This is why Vantage provides our customers with an online portal with access to real-time security information. This portal allows them to pull security data such as who was in their space, what did they access, as well as any security incidents that may have occurred.
Transparency is essential to strong security that is constantly adapting to meet new threats and customer requirements. Not only should customers know about any security incidents that have occurred, they, too, should be able to get access to security information at will.
Are they serious about cyber/physical convergence and cybersecurity?
It might be strange to talk about cybersecurity when discussing what organizations should be looking for in their data center providers. After all, isn’t cybersecurity the responsibility of the data center customer? Aren’t they responsible, exclusively, for building a network infrastructure that is free of vulnerabilities and secure against cyberthreats?
Yes, and no. While hyperscale data center customers are responsible for securing their own networks, infrastructure and data—the data center provider has a role to play in cybersecurity as well.
Data center providers have sensitive information about their customers and the employees of their customers, including biometric data. Customers need to feel confident that their partners are securing that information and keeping it safe.
But there is another cybersecurity trend and challenge that has an even larger impact on the data center provider—cyber/physical convergence.
By partnering with a data center provider that makes security a priority and has established security procedures that are consistent across the organization, hyperscalers can feel confident that their partner will have the same strict security standards in place across their entire portfolio.
In today’s world of “network-enabled everything,” the systems that keep a data center operating – from HVAC to water supply and electricity – are connected. These systems can be controlled and managed with Building Management Solutions (BMS) and other automation tools – even remotely. This opens the door for malicious actors to compromise a data center provider’s BMS solution and cause real physical damage to the data center.
For example, if a data center provider’s BMS solution enables remote access and controls, and that BMS system is left unsecured or vulnerable, a malicious actor could gain access, enabling him/her to control the systems in the data center. They could decide to disable the cooling, turn off power to a room, or even disable physical security tools and systems. Any of these things could have serious, negative impacts on the data center.
Organizations should be looking for a data center provider that takes cybersecurity seriously. One that has implemented multiple levels of security. One that validates the identity of users on its network constantly and only gives them access to what they need.
They should also be looking for a data center partner that fosters good relationships and communication between their IT department, operations department and security organization.
Learn more about data center security at Vantage Data Centers by visiting www.vantage-dc.com.
Greg Thompson
Greg Thompson serves as senior director, physical security and information security at Vantage Data Centers. He is responsible for developing and implementing the company’s physical and cybersecurity initiatives.
Thompson has more than 10 years of experience in building and maintaining safe and secure environments. Prior to Vantage, Thompson supervised and directed industrial, physical and information security measures for more than 400 employees at General Dynamics Corporate. While at the Federal Bureau of Investigation, he directed security initiatives and strategies for various business units ensuring security measures aligned with and supported company agency objectives.
Thompson holds a Bachelor of Arts degree in government international politics and religious studies from George Mason University, a Master of Public Administration degree in emergency management homeland security from George Mason University, and an MBA and a Master of Science degree in cybersecurity from the University of Maryland Global Campus. As part of his focus on security, Thompson is a Certified Business Continuity Professional (CBCP) and holds a Lean Six Sigma Green Belt certification.