- Data centres as targets
- The risks of breaches and disruption
- Holistic approach
- Guidance structure
- Case Studies
- Risk Management
- Key Types of Data Centre
- Enterprise or ‘wholly-owned’ data centres
- Co-located data centres
- Managed-hosting data centres
- Cloud-hosting data centres
- Data Centre Security Risks
- 7 Areas of Risk
- Further resources
Data centres as targets
Data centres and the data they hold are attractive targets. One of the UK’s most valuable assets is its data. Together with the data centres that hold and process it, they underpin almost all facets of modern life. This makes data centres an attractive target for threat actors, due to the large and diverse amount of information that supports our national infrastructure and businesses.
The opportunities for attack are diverse. Threat actors will target vulnerabilities in data centres’ ownership, geography, physical perimeter, data halls, Meet Me Rooms (MMRs), supply chains, staff, and cyber security in a concerted effort to breach data centres’ defences or tamper with sensitive information or disrupt critical services.
The risks of breaches and disruption
The security and resilience of your data and the infrastructure beneath it are therefore critical. High-profile data breaches and disruption to services are frequently reported, with each incident, causing operators and data owners potentially huge financial losses in regulatory fines, loss of sensitive IP, downtime, post-incident recovery, security improvements, and perhaps most valuably of all, reputation.
Cyber intrusion methodology evolves constantly, and sophisticated attackers have a strong incentive to defeat the defences you put in place. It should be assumed that at some point your defences will be breached and therefore it is also important to be able to respond proactively by detecting attacks and having measures in place to minimise the impact of any cyber security incidents.
To combat theses diversified threats, we need to approach data centre security holistically. By bringing together the physical, personnel and cyber security of data centres into a single strategy so that you can better withstand the diversified methods state threat actors, cyber criminals and others may use to attack them.
There is no one-size-fits-all approach to holistic data centre security. Every data centre operator and user will need to consider this guidance based on their own risk assessments. This guidance contains the security considerations you need to be aware of to make sure your data stays protected.
This guidance is laid out by key areas of risk. Each of these areas should be considered when developing a risk management strategy that encourages a holistic security approach in data centres – moving from where the data centre is located, and who manages and operates it, to protecting against cyber threats. You should use this guidance to inform your own risk management strategy that is unique to your organisation’s needs.
In July 2021, a Turkey-based individual claimed to have gained unauthorised access to over 100 servers based in the United States belonging to telecommunications provider T-Mobile. This access was reportedly initially gained by remotely exploiting a misconfigured router on the company’s network.
T-Mobile subsequently confirmed in a statement that its systems had been accessed in an unauthorised manner and information belonging to several million customers were exposed. This information is reported to have included the names, dates of birth and telephone numbers of customers.
In June 2015, the United States Office of Personnel Management (OPM) revealed that sensitive information relating to millions of US federal employees had been exfiltrated via an intrusion on its networks.
This information included classified details of federal employees, including their level of security clearances, personal and family information and their biometric details.
The breach is reported to have been facilitated by a combination of poor cyber security measures, including a lack of two-factor authentication and sub-standard malware protection.
State-sponsored Chinese hacking groups are reported to have conducted this attack in order to increase its intelligence collection on American citizens.
In October 2021, a misconfigured piece of networking equipment involved in ensuring interconnectivity between US company Meta’s data centres caused a global outage of its services for over six hours. This outage affected billions of Meta’s users and businesses who were unable to access the company’s platforms Facebook, Instagram, WhatsApp and Messenger.
The outage was prolonged because Meta managed its own data centres, so the issue could not be resolved remotely. Instead, a team of engineers had to visit the affected data centres in person to reconfigure the affected equipment.
This incident compounded reputational issues that Meta was facing at the time, and shortly after the outage, Meta’s share price was reported to have dropped by 4.9%.
Data centres operators and their customers should both have individual risk management strategies designed to protect their critical assets and systems.
CPNI’s risk management framework encourages any organisation to follow these steps to manage risk:
- Identify your assets
- Categorise and classify your assets in relation to their level of criticality in supporting your business
- Identify threats (based on intent and capability)
- Assess the risks, based on the likelihood of the threat happening and the impact should the threat transpire
- Build a risk register to allow senior decision makers to make informed judgements on risk appetite and resource allocation
- Develop a protective security strategy for mitigating the risks identified and review the adequacy of existing countermeasures
- Implementation: Propose new proportionate measures using a process, such as the CPNI Operational Requirement (OR) process
- Review the process periodically and when there is a change in threat or change in operational environment
- Risk management strategies between data centre operators and their customers are inter-dependent
As a data centre customer, you will want to seek assurance that a data centre is robust enough to hold your sensitive data. Whether that is financial, communications, medical, travel or other kinds of personal data belonging to your customers or staff, or your own sensitive commercial data. Doing so securely also ensures your reputation and commercial advantage.
To be most effective, risk management strategies will be driven by senior leaders who understand the risks and protective security options available to help mitigate these risks.
The areas of security risk relevant to both data centres, and the data they hold, are detailed throughout this guidance.
This information should be used to inform your organisation’s risk-based assessments and wider risk management strategy, regardless of whether you are a data centre owner, or a data centre customer.
Should you judge these threats to pose sufficient risk to your own assets and systems, we provide further information on the mitigations you might consider to better manage these risks, and where appropriate, we will direct you to CPNI or the NCSC’s comprehensive guidance on each topic.
You can also learn more about how to approach protective security risk management in more depth on CPNI’s website.
The NCSC also provide guidance on approaching risk management from a cyber security perspective.
Whilst less likely than attacks that focus on acquiring or degrading data, threat actors may also seek to disrupt services by targeting data centres through either a destructive cyber-attack or a physical attack against a data centre.
In March 2021, a fire broke out at French cloud services provider OVHCloud destroying one of its four data centres and damaging another at its Strasbourg campus in France. This resulted in the company directing its clients, which include the French government, to activate their disaster recovery plans and reportedly denied access to a large number of domains and services.
Reuters, ‘Millions of websites offline after fire at French cloud services firm’, 10/02/2021
Ensuring that a data centre is resilient is therefore key
For Data Centres, worst case risk scenarios tend to focus on availability issues such as service disruption due to natural hazards, power outages, hardware failures or denial-of-service attacks.
Data centres need to ensure they are resilient against a range of threats and hazards. They are typically already designed to be resilient to these types of availability issues, with numerous standards and guidance widely available. We provide some of these standards in the additional resources section at the end of this guidance.
As there is extensive guidance available on data centre resilience, we will not cover it in detail here. However, there are some questions about resilience that we would advise a data owner to ask of a data centre operator to ensure they are less vulnerable to deliberate acts to disrupt services:
- Can the data centre demonstrate that they have physically separate communications routes into the data centre?
- Can the data centre demonstrate that they have diverse power supply and backup power options?
- Are the building service rooms critical to the functioning of the data centre e.g., electrical, battery and mechanical rooms, backup generators etc., protected from physical attack and sabotage?
- Can data centre operators demonstrate that in the event of a physical or cyber incident, they have sufficient people-power, e.g., adequate numbers of security personnel, engineers, and other incident management staff, who can provide a sustained response?
- Can the data centre demonstrate a resilient and diversified supply chain, including services, hardware, and software, which can withstand disruption and minimise bottleneck effects?
- Lastly, you should consider using multiple data centres or storage locations to increase resilience and reduce the associated risk of having a single point of failure.
Key Types of Data Centre
There are several options for the type of data centre you may choose as a data owner. They offer different levels of service which can impact the control you have over security arrangements.
It is important to remember that as a data owner, whichever option you choose to go with, the responsibility for managing the risks to your own information remains with you.
You should therefore understand the benefits and disadvantages of each option and use this to inform your risk management strategy.
Enterprise or ‘wholly-owned’ data centres
These are data centres that an organisation solely owns and operate for their own use. This gives you complete oversight of your security and operational arrangements, which often incurs higher costs.
Co-located data centres
These are centres where your organisation's data system is housed within a shared facility, along with other organisations’ data. This is often more cost effective due to the lack of upfront costs of building and running a data centre. Whilst allowing flexibility and the ability to scale at speed, you don’t have sole access to the data centre and may have fewer, or sometimes no customisable options for its security.
Managed-hosting data centres
The hybrid model – a customised data-hosting package provided by a third-party in a data centre. The servers you use can be dedicated or shared with other customers. This option removes the need to hire staff and places responsibility for security on the third party. Whilst attractive from a convenience point of view, this is balanced with the fact that you have less oversight or control of your security arrangements.
Cloud-hosting data centres
Your data is stored in a network of servers across different data centres, in different locations, which increases your flexibility to scale at speed and may also improve your resilience in the case of an outage due to the distributed nature of your data. However, you will need to be clear on how your data is stored and managed; for example, where and how your data will be moved, stored, or split while in the cloud. Cloud service administration systems are often also highly privileged; if they are compromised, they could have a significant impact on your data.
The NCSC provides comprehensive guidance on the use of cloud services and their security.
The below table summarises the degree of control you may have over areas of risk for data centres, depending on the option you choose:
|Control of aspects of a data centre||Enterprise||Co-located||Managed hosting||Cloud|
|Data hall occupancy||High||No||No||No|
|Data hall operations||High||Medium||No||No|
|Building services operation||High||No||No||No|
|Access to data centre||High||Medium||No||No|
|Access to your equipment||High||Medium||No||No|
|Security procedures (physical/personnel)||High||Low||No||No|
Data Centre Security Risks
Data Centre Security: The seven areas of risk.
From a data centre’s location to its security culture, workforce, and even the companies it partners with in the supply chain, there are a number of areas where threat actors can take advantage.
In this guidance, CPNI and the NCSC have identified seven areas of risk that data centre owners and data centre users should consider when thinking about security.
It’s important to take a holistic view on data centre security and the seven areas of risk should help you do this.
Let’s look at some examples of these potential vulnerabilities…
One is geography and ownership. Data centres overseas may be subject to laws that allow the state to access the information they hold. This could be the case in countries China and Russia, for example.
If you are a data centre owner, it’s crucial to understand this risk. And if you are a data centre user, you should always be aware of potential threats posed by their information being hosted outside the UK.
There’s also the security of the physical perimeter and the data hall to consider and any other risks posed by boundaries within the centre itself, such as the potential of meet-me rooms being used to compromise or steal data.
Another risk relates to the people data centres employ. As in any organisation, people are one of the biggest strengths of a data centre. As force multipliers, they can vastly enhance security.
But the workforce is a point of vulnerability, too.
Insider risk means threats presented by people within the data centre. Data centres should have a good security culture and staff that are motivated and engaged with security.
Data centre owners and users alike rely on the protection provided by good personnel.
Next, there is supply chain. Have you considered the security of all the companies and suppliers you work with? Compromise and theft of data and disruption to services can take place at any point where there’s a gap in security. Supply chain vulnerabilities may be inherent or changing all the time.
Data centre users need to understand the risks posed by outsourcing to suppliers.
Data centre owners need to think about the level of protection suppliers will give to assets and information, as well as the protection afforded by the products or services they deliver.
And finally, while cyber-attacks may not be the only threat to data centres, they are an ever-evolving risk that’s growing in sophistication all the time. In fact, you should expect a cyber breach at some point and plan accordingly.
To summarise, the seven areas of risks identified in the data centre security guidance are:
Geography and ownership risks
Risks to physical perimeter and buildings
Risks to the data hall
Risks to Meet-Me Rooms
Risks to supply chain
Now, for more information on how to identify and address the seven types of risk, click on each risk type on the data lock below.
7 Areas of Risk
7 areas of risk have been identified from which attacks can originate and these should be factored into an overarching risk management strategy.
Use the tool below to work through the 7 areas of risk. Click on the titles around the data lock and ‘read more’ in the centre for more information on this risk and additional resources.
For an accessible verison of the data centre lock click here.
Vulnerabilities in the physical security of the data centre in which your data is stored may leave data at risk. Data centre owners should be able to demonstrate a robust layered approach to physical security at their sites, including perimeter and buildings.Read More
At the data centre’s heart, data halls are where your servers are located. No matter how secure the data centre, as a customer, it is your responsibility to ensure sufficient controls are in place to limit who might be able to access your networking equipment.Read More
Meet-me rooms are the areas in a co-located data centre where communications service providers, such as telecommunications companies, physically connect their data servers and exchange traffic. Access should be strictly controlled given the higher level of risks that meet-me rooms introduce.Read More
People and personnel security seeks to enhance an organisation’s or site’s protective security through policies, procedures, interventions and effects. It is important that any security risks related to people are mitigated.Read More
Most organisations rely on suppliers to deliver products, systems and services. Securing the supply chain can be difficult because vulnerabilities are inherent and can be introduced and exploited at any point. A vulnerable supply chain may cause damage and disruption.Read More
Data centres are a valuable target for threat actors seeking to steal data or disrupt operations and services. Data centre operators should assume that a cyber compromise is inevitable. We advise taking steps to detect intrusions and minimise their impact and preventative cyber security measures.Read More
Managed hosting or cloud hosting providers sometimes seek to store your data in multiple locations, including outside the UK. It is important you know where your data is stored, since some countries have laws that could put it at risk.Read More