The data hall
Data centre operators are responsible for data hall security. Data owners may have additional security layers in place.
Control of access is especially important in shared data centres. In a shared environment, people unknown to the DC customer may have access to the same data hall and be in close proximity to the customer's networking equipment.
- Have you agreed with the operator the actions to be taken in the event of a fire or power outage, or when maintenance work is required (e.g. on the building management system)? Are records kept of any outages, and are you notified of planned work?
- Can grilles be fitted over the inlets and outlets of heating, ventilation and air conditioning (HVAC) equipment and over cable runs, to make it harder to gain access to your racks?
- Is building services equipment situated outside the data hall, to reduce the need for technicians to enter it?
- Do you have post-incident investigation policies and procedures for unplanned outages? Will you provide customers with sufficient detail to allow them to identify any suspicious patterns in these?
Further protective measures to consider within the data hall:
- ‘Anonymity’: avoiding labelling of racks, rooms, uniforms and buildings.
- Regular inspection for signs of damage and tampering.
- Minimal cable runs.
- Encoded labelling designed to frustrate an attacker’s understanding of what is where.
- Protection of keys and access codes against unauthorised disclosure.
Any equipment brought into a data centre which can store, record, and/or transmit text, images/video, or audio data is a security risk.
Mobile phones and personal electronic devices with cameras, apps and network connectivity are a particularly high security risk. It is worth considering whether mobile phones should be handed in when entering sensitive areas.
This may include introducing electronic device booking management, which keeps a register of authorised devices and implements controls on their entry and exit to sensitive areas.
If health and safety requires staff to carry a phone, dedicated phones without cameras or other additional functionality may help. Signage and phone lockers at the entrances to sensitive areas increase compliance, as does CCTV monitoring.
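The device register described above only adds value if it is reconciled against what actually passes the entry point. The following is an added example, not part of this guidance or of any named product, showing that reconciliation over a constructed register and a constructed entry/exit log. The register layout, the event fields and the finding codes are assumptions made for illustration; a real booking system would export its own format.

```python
"""Reconcile an authorised-device register against entry/exit events.

Added example; the register, events and finding codes are constructed
for illustration and are not the page's own material.
"""
from collections import namedtuple

# One entry/exit event as a gatehouse or locker system might log it.
Event = namedtuple("Event", "time zone action device_id holder")

# Constructed register: device id -> (booked holder, zones it is booked into).
DEVICE_REGISTER = {
    "TAB-0042": ("j.smith", {"DH1"}),
    "PHN-0107": ("a.patel", {"DH1", "DH2"}),
}

# Constructed event log for one shift, in time order.
SAMPLE_EVENTS = [
    Event("08:55", "DH1", "IN",  "TAB-0042", "j.smith"),
    Event("09:10", "DH2", "IN",  "PHN-0107", "a.patel"),
    Event("09:40", "DH1", "IN",  "PHN-0331", "c.jones"),   # not on the register
    Event("10:05", "DH2", "OUT", "PHN-0107", "a.patel"),
    Event("11:30", "DH2", "IN",  "TAB-0042", "j.smith"),   # DH2 not booked
    Event("11:32", "DH1", "OUT", "PHN-0331", "c.jones"),
    Event("12:00", "DH2", "OUT", "TAB-0042", "j.smith"),
    Event("12:10", "DH1", "IN",  "PHN-0107", "b.lee"),     # wrong holder
    Event("12:40", "DH1", "OUT", "PHN-0107", "b.lee"),
    # TAB-0042 entered DH1 at 08:55 and is never signed out of DH1.
]


def reconcile(register, events):
    """Return (code, device_id, zone, time) findings, in event order.

    Codes (assumed for this example):
      UNREGISTERED        device not on the register entered a zone
      ZONE_NOT_BOOKED     registered device entered a zone it is not booked for
      HOLDER_MISMATCH     device carried by someone other than the booked holder
      EXIT_WITHOUT_ENTRY  exit logged with no matching entry
      NOT_SIGNED_OUT      device still recorded inside a zone at end of log
    """
    findings = []
    inside = {}  # (zone, device_id) -> the entry event still open
    for e in events:
        if e.action == "IN":
            entry = register.get(e.device_id)
            if entry is None:
                findings.append(("UNREGISTERED", e.device_id, e.zone, e.time))
            else:
                holder, zones = entry
                if e.zone not in zones:
                    findings.append(("ZONE_NOT_BOOKED", e.device_id, e.zone, e.time))
                if e.holder != holder:
                    findings.append(("HOLDER_MISMATCH", e.device_id, e.zone, e.time))
            inside[(e.zone, e.device_id)] = e
        elif e.action == "OUT":
            if inside.pop((e.zone, e.device_id), None) is None:
                findings.append(("EXIT_WITHOUT_ENTRY", e.device_id, e.zone, e.time))
    # Anything still open at the end of the log never left the zone.
    for (zone, device_id), e in sorted(inside.items(), key=lambda kv: kv[1].time):
        findings.append(("NOT_SIGNED_OUT", device_id, zone, e.time))
    return findings


if __name__ == "__main__":
    for finding in reconcile(DEVICE_REGISTER, SAMPLE_EVENTS):
        print("%-18s %-9s %-4s %s" % finding)
```

Unregistered devices and zone mismatches should be actioned at the entry point in real time; the end-of-log check for devices never signed out is the one most often missed, and it is exactly the case where a recording device is left behind in a data hall.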
CPNI has further guidance on screening people and their belongings to identify prohibited items.
UK NACE is the National Technical Authority for technical security. It protects organisations from technical espionage, keeping information and premises safe from technical attack.
Technical security is the practice of detecting the compromise of security systems, analysis and prevention of technical attack, mitigation of technology vulnerabilities, and the deployment of countermeasures.
The following technical vulnerabilities should be considered:
Radio transmitters are present in a broad range of technology products, from building system sensing and control (e.g. fire alarms, door locks) to IT network data transfer (such as wi-fi).
These technologies are vulnerable to manipulation, interception and denial of service through a range of techniques, and an attacker can also hide technical attacks by operating within heavily populated spectrum bands (e.g. wi-fi and Bluetooth).
Consideration should be given to the coverage of these systems. How are they managed and monitored for adversarial behaviour, such as spoofing of the network's SSID, or use of internet-connected access points as an egress route for a covert implant hidden in conventional equipment?
Avoid smart or connected systems (such as wireless fire detection) where possible, to mitigate the risk of an actor triggering such a system in order to facilitate a secondary attack (for example, forcing an evacuation or a door release).
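Monitoring for the behaviour described above (SSID spoofing, and unknown access points that could serve as an egress route) comes down to comparing each wireless survey against a register of the access points the operator actually installed. The following is an added example, not part of this guidance or of NACE tooling, that runs that comparison over a constructed survey. The survey line format, the register and the severity labels are assumptions; a real site-survey tool exports its own format and would be parsed accordingly.

```python
"""Compare a wireless survey against the register of authorised access points.

Added example; the scan format, the AP register and the severities are
constructed for illustration and are not the page's own material.
"""
from collections import namedtuple

Observation = namedtuple("Observation", "bssid ssid channel rssi")

# Constructed register: SSID -> BSSIDs (radio MAC addresses) authorised to broadcast it.
AUTHORISED_APS = {
    "DC-OPS": {"a4:56:30:aa:bb:01", "a4:56:30:aa:bb:02"},
    "DC-BMS": {"a4:56:30:aa:bb:10"},
}

# Constructed survey in "BSSID SSID CHANNEL RSSI" form. Note that the
# DC-BMS radio (…:10) does not appear in it at all.
SAMPLE_SCAN = """\
# bssid              ssid        chan  rssi
a4:56:30:aa:bb:01    DC-OPS      36    -52
a4:56:30:aa:bb:02    DC-OPS      44    -60
02:11:22:33:44:55    DC-OPS      6     -41
de:ad:be:ef:00:01    Free WiFi   11    -47
"""


def parse_scan(text):
    """Parse survey lines, skipping blanks and '#' comments.

    The SSID is taken as everything between the BSSID and the last two
    fields, so SSIDs containing spaces survive the split.
    """
    observations = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, rest = line.split(None, 1)
        ssid, channel, rssi = rest.rsplit(None, 2)
        observations.append(Observation(bssid.lower(), ssid, int(channel), int(rssi)))
    return observations


def classify(observations, authorised):
    """Return (severity, bssid, ssid, reason) findings.

      HIGH    an authorised SSID broadcast by a BSSID not in the register
              (evil twin / SSID spoofing)
      MEDIUM  an SSID not in the register at all (rogue AP, possible egress
              route for a covert implant)
      LOW     an authorised BSSID that was not observed (outage,
              misconfiguration or jamming; needs checking)
    """
    findings = []
    seen = set()
    for o in observations:
        seen.add(o.bssid)
        if o.ssid in authorised:
            if o.bssid not in authorised[o.ssid]:
                findings.append(("HIGH", o.bssid, o.ssid,
                                 "authorised SSID from unregistered BSSID (possible evil twin)"))
        else:
            findings.append(("MEDIUM", o.bssid, o.ssid,
                             "SSID not in register (possible rogue AP)"))
    for ssid, bssids in authorised.items():
        for bssid in sorted(bssids - seen):
            findings.append(("LOW", bssid, ssid,
                             "registered AP not observed (outage or jamming?)"))
    return findings


if __name__ == "__main__":
    for severity, bssid, ssid, reason in classify(parse_scan(SAMPLE_SCAN), AUTHORISED_APS):
        print("%-6s %s %-12s %s" % (severity, bssid, ssid, reason))
```

Received signal strength helps triage the MEDIUM findings: a neighbouring building's wi-fi will normally be weak from inside the hall, whereas an unknown SSID at -41 dBm is very likely on the premises. Running the survey from a fixed sensor on a schedule, rather than as a one-off walk-round, is what turns this into monitoring.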
Watch out for crosstalk
Crosstalk is a phenomenon where a signal travelling along one wire couples into another wire running close to it. This can allow unintentional ‘bleed’ of secure data onto insecure networks, from where it can be picked up.
As additional networks are installed for protective security measures, such as CCTV or access control, there is an increased chance of crosstalk causing a problem.
To reduce the chances of crosstalk:
- Physically segregate secure and insecure cabling.
- Use shielded twisted-pair or fibre-optic cabling.
- Segregate and filter power between secure and insecure systems.
More information on dealing with crosstalk can be found at the UK National Authority for Counter-Eavesdropping.