The data hall
At a data centre’s heart, you will find data halls. They contain the data servers customers rely on.
Data centre customers renting entire suites and halls are usually responsible for their own security – effectively creating a second perimeter which must be secured.
Whether you use network equipment racks within a shared hall, a suite, or your own floor or hall, you should consider measures to detect and verify unauthorised access to your racks, together with rigorous procedures for access control and intrusion detection, including controls over doors and service corridors. Also consider access arrangements for emergencies.
Control of access is especially important when using shared data centres. The shared environment means people unknown to you could have access to the same data hall and proximity to your networking equipment. No matter how secure the data centre may be, as a data centre customer, it is your responsibility to ensure sufficient controls are in place to limit who might be able to access your networking equipment.
Securing the data hall
If you have your own suite or hall, you need to conduct your own risk assessment and identify the security measures you need. The limit of the area you control should be considered your perimeter. This is the first line at which you would be able to detect an intruder targeting your data.
- Decide who will have legitimate access to your suite/hall/racks.
- Consider the most appropriate method of controlling access. It could include an automated access control system (AACS) (which may be independent of the one used by the data centre, to give you maximum control) or locks with an audit function (which can provide the same function without the need for supporting infrastructure).
- Enhance security of the automated access control system by using two-factor authentication and anti-pass-back technology.
- Decide how access control will be managed (e.g. will your own security team monitor access control logs and check against permit to work for maximum security?).
- CCTV should cover all access points you control (consider both visible CCTV and CCTV embedded in racks).
- Remember that your CCTV system could have a network, wi-fi or internet-facing presence and could be compromised by an attacker (see our advice on how to protect physical security systems against cyber attack – CAPSS guidance).
- If you have an intrusion detection system used with CCTV, consider what level of monitoring, verification and response is required.
- Consider the most appropriate locking systems; ensure you understand the standards they have been tested to and any operational limitations.
- Cages can be used as an additional layer of protection around your racks in shared data halls. You may want to introduce a search and screening process for the area you control.
- A tamper-evident seal should be used on secure racks, cables, etc. to deter (or show evidence of) an attack.
- Have you factored in anonymity considerations such as the locations of your racks, references to your organisation’s name in other areas of the data centre, the staff you employ and the uniforms they wear?
- Have you agreed the actions your data centre would take in the event of a fire, power outage or when maintenance work is required (e.g. involving the Building Management System), as well as records of any outages and notification of planned work? Do you know if fault and maintenance records are kept by the data centre?
- Can grilles be installed on the ingress/egress of heating, ventilation and air conditioning (HVAC) ducts and cable runs to make it more difficult to gain access to your rack(s)?
- Is building services equipment situated outside the data hall to reduce the need for plant and equipment technicians to enter it?
- Are you satisfied with post-incident investigation policies and procedures in place for unplanned outages?
- Will you be provided with sufficient detail to allow you to identify any suspicious patterns in these?
- ‘Anonymity’: avoiding labelling racks, rooms, uniforms and buildings.
- Regular inspection for signs of damage and tampering.
- Minimal cable runs, and requesting that your data racks are located together if you share a corridor with other customers.
- Encoded labelling designed to frustrate any attacker’s understanding.
- Keys and code protection to stop unauthorised disclosure.
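The checklist above asks whether your own team will monitor access control logs against permits to work, and recommends anti-pass-back. The following is an added example, not part of the original guidance, showing what that reconciliation looks like as code: it reads a constructed access-control log, checks each entry against a constructed permit-to-work register, and tracks who the system believes is inside an area so that a second entry without an exit (or an exit without an entry) is flagged as an anti-pass-back violation. The log format, field names, badge numbers and area names are assumptions for illustration only; a real AACS export will differ.

```python
from datetime import datetime

# Constructed permit-to-work register (assumption: one row per badge, area and time window).
PERMITS = [
    {"badge": "B1001", "area": "suite-A",
     "start": "2024-05-01T08:00", "end": "2024-05-01T12:00"},
    {"badge": "B2002", "area": "suite-A",
     "start": "2024-05-01T13:00", "end": "2024-05-01T15:00"},
]

# Constructed access-control log: timestamp, badge, area (door), direction.
ACCESS_LOG = """\
2024-05-01T08:05 B1001 suite-A IN
2024-05-01T09:10 B3003 suite-A IN
2024-05-01T09:40 B1001 suite-A OUT
2024-05-01T09:55 B1001 suite-A OUT
2024-05-01T12:30 B1001 suite-A IN
2024-05-01T13:05 B2002 suite-A IN
2024-05-01T13:06 B2002 suite-A IN
"""


def parse_log(text):
    """Parse the constructed space-separated log into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, area, direction = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "area": area, "dir": direction})
    return sorted(events, key=lambda e: e["ts"])


def has_permit(permits, badge, area, ts):
    """True if some permit to work covers this badge, area and instant."""
    for p in permits:
        if (p["badge"] == badge and p["area"] == area
                and datetime.fromisoformat(p["start"]) <= ts <= datetime.fromisoformat(p["end"])):
            return True
    return False


def reconcile(events, permits):
    """Return findings as (type, timestamp, badge, area) tuples.

    NO_PERMIT      entry not covered by any permit to work
    REPEAT_ENTRY   a badge entered again without an exit in between
                   (anti-pass-back: tailgating on the way out, or a shared/cloned badge)
    EXIT_NO_ENTRY  a badge left an area it was never recorded entering
    """
    findings = []
    inside = set()  # (badge, area) pairs the system currently believes are inside
    for e in events:
        key = (e["badge"], e["area"])
        stamp = e["ts"].isoformat(timespec="minutes")
        if e["dir"] == "IN":
            if not has_permit(permits, e["badge"], e["area"], e["ts"]):
                findings.append(("NO_PERMIT", stamp, e["badge"], e["area"]))
            if key in inside:
                findings.append(("REPEAT_ENTRY", stamp, e["badge"], e["area"]))
            inside.add(key)
        elif e["dir"] == "OUT":
            if key not in inside:
                findings.append(("EXIT_NO_ENTRY", stamp, e["badge"], e["area"]))
            inside.discard(key)
    return findings


def run():
    """Reconcile the constructed log against the constructed register."""
    return reconcile(parse_log(ACCESS_LOG), PERMITS)


if __name__ == "__main__":
    for finding in run():
        print(*finding)
```

On the sample data this reports an entry by a badge with no permit, an entry after the permit window has closed, an exit with no matching entry, and a repeated entry without an exit. The last two are the cases an anti-pass-back configuration would block at the door; running the same logic over exported logs lets you confirm that the AACS is actually enforcing it.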
Any equipment brought into a data centre which can store, record, and/or transmit text, images/video, or audio data presents a security risk.
Mobile phone and personal electronic devices with cameras, apps and network connectivity are a particularly high risk. It is worth considering whether mobile phones should be handed in when entering sensitive areas. The data centre operator may have a policy on this. If they do not, you could introduce restrictions on devices in the area you control.
This may include introducing an electronic device booking management process, which keeps a register of authorised devices and implements controls on their entry and exit to sensitive areas.
If health and safety is an issue, dedicated phones without additional functionality may help. Signage and phone lockers at entrances to sensitive areas can increase compliance, along with CCTV monitoring.
UK NACE (the UK National Authority for Counter-Eavesdropping) is the National Technical Authority for technical security. It protects organisations from technical espionage, keeping information and premises safe from technical attack.
Technical security is the practice of detecting the compromise of protective security systems, analysing and preventing technical attack, mitigating technology vulnerabilities, and deploying countermeasures.
The following technical vulnerabilities should be considered:
Radio transmitters are present within a broad range of technology products – from building system sense and control (e.g. fire alarms, door locks), to IT network data transfer (such as wi-fi).
These technologies are vulnerable to manipulation, interception and denial of service through a range of techniques, and can also be used to hide technical attacks by operating within heavily used spectrum bands (e.g. wi-fi and Bluetooth).
Consider the coverage of these systems and how they are managed and monitored for adversarial behaviour, such as spoofing of your network's SSID, or the use of internet-connected access points as an egress route for a covert implant hidden in conventional equipment.
Where possible, avoid smart or connected systems (such as wireless fire detection) to mitigate the risk of an actor triggering such a system in order to facilitate a secondary attack (for example, a triggered fire alarm may release doors or force an evacuation).
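The guidance above asks that wireless systems be monitored for adversarial behaviour such as SSID spoofing. The following is an added example, not part of the original guidance, of the check a wireless sensor or periodic scan can feed: each observed beacon is compared against an inventory of the access points you manage, so that an unknown BSSID advertising your SSID (an evil twin) or a managed BSSID suddenly advertising a different security mode or channel is flagged, while neighbouring networks with their own SSIDs are ignored. The inventory, SSID, BSSIDs and scan lines are constructed for illustration and the scan format is an assumption; real tools (airodump-ng, a WIDS export, iw scan output) need their own parser.

```python
# Constructed inventory of the access points we manage (assumption: BSSID -> expected attributes).
MANAGED_APS = {
    "aa:bb:cc:00:00:01": {"ssid": "DC-OPS", "channel": 36, "security": "WPA2-Enterprise"},
    "aa:bb:cc:00:00:02": {"ssid": "DC-OPS", "channel": 44, "security": "WPA2-Enterprise"},
}
OUR_SSIDS = {"DC-OPS"}

# Constructed scan results: bssid, ssid, channel, security, rssi (dBm).
SCAN = """\
aa:bb:cc:00:00:01 DC-OPS 36 WPA2-Enterprise -48
aa:bb:cc:00:00:02 DC-OPS 44 WPA2-Enterprise -55
de:ad:be:ef:00:01 DC-OPS 6 OPEN -40
aa:bb:cc:00:00:02 DC-OPS 44 OPEN -57
11:22:33:44:55:66 NeighbourCo-Guest 1 WPA2-Personal -80
"""


def parse_scan(text):
    """Parse the constructed scan format into observation dicts."""
    observations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, security, rssi = line.split()
        observations.append({"bssid": bssid.lower(), "ssid": ssid, "channel": int(channel),
                             "security": security, "rssi": int(rssi)})
    return observations


def classify(observations, managed, our_ssids):
    """Return findings as (type, bssid, detail) tuples.

    ROGUE_SSID         unknown BSSID advertising one of our SSIDs (evil twin / spoofed SSID)
    SSID_MISMATCH      a managed BSSID advertising an SSID we did not configure
    SECURITY_MISMATCH  a managed BSSID seen with a different security mode (e.g. open)
    CHANNEL_MISMATCH   a managed BSSID seen on a channel we did not assign
    Unknown BSSIDs advertising other SSIDs are treated as neighbours and not reported.
    """
    findings = []
    for o in observations:
        expected = managed.get(o["bssid"])
        if expected is None:
            if o["ssid"] in our_ssids:
                findings.append(("ROGUE_SSID", o["bssid"],
                                 f"{o['ssid']} ch{o['channel']} {o['security']} {o['rssi']}dBm"))
            continue
        if o["ssid"] != expected["ssid"]:
            findings.append(("SSID_MISMATCH", o["bssid"], o["ssid"]))
        if o["security"] != expected["security"]:
            findings.append(("SECURITY_MISMATCH", o["bssid"],
                             f"expected {expected['security']}, saw {o['security']}"))
        if o["channel"] != expected["channel"]:
            findings.append(("CHANNEL_MISMATCH", o["bssid"],
                             f"expected ch{expected['channel']}, saw ch{o['channel']}"))
    return findings


def run():
    """Classify the constructed scan against the constructed inventory."""
    return classify(parse_scan(SCAN), MANAGED_APS, OUR_SSIDS)


if __name__ == "__main__":
    for finding in run():
        print(*finding)
```

On the sample scan this reports the open evil twin of DC-OPS on channel 6 and a beacon that spoofs a managed BSSID but with security downgraded to open; both are typical of an attacker trying to capture credentials or lure a client onto an attacker-controlled path. The strong signal on the rogue (-40 dBm) is also worth recording, since it suggests the transmitter is inside or adjacent to the area you control.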
Watch out for crosstalk
Crosstalk is a phenomenon where a signal travelling along one conductor induces a detectable signal in another conductor running close to it. This can allow unintentional ‘bleed’ of data from secure networks into insecure ones.
As additional networks are installed for protective security measures, such as CCTV or access control, there is an increased chance of crosstalk causing a problem.
How can data centre owners demonstrate that they have measures in place to reduce the risk of crosstalk?
- Physically segregating secure and insecure cabling.
- Using shielded twisted pair and fibre-optic cabling.
- Segregating and filtering power between secure and insecure systems.
More information on dealing with crosstalk can be found at the UK National Authority for Counter-Eavesdropping.