Information security has become a topic that is at the forefront of every business owner’s mind. With the influx of information stored in a data center, it’s becoming increasingly important that data centers take the right steps towards ensuring that they have the proper controls in place to provide secure and efficient services to their clients. Let’s explore the challenges of data center security and look at ways we can overcome these challenges.
What are the biggest risks to Data Center Security?
Something that we commonly see when auditing our data center clients are personnel without relevant job responsibilities who have access to secure areas such as the data center computer room. Limiting physical access to systems with sensitive information should be restricted to only those individuals whose job function requires them to have access.
Physical security is another major risk to data centers. We often see data centers with a lack of vigilance who rely too heavily on monitoring instead of implementing physical patrols. This can eliminate tailgating risks and ensure that unauthorized access to secure and restricted areas doesn’t happen.
Lastly, one of the greatest risks to data centers are cyber threats. With new and emerging threats bringing new forms of malware, social engineering, brute force attacks, and other forms of unauthorized access, organizations must be on their toes when it comes to cyber security.
How can Data Centers protect their assets and information?
From a logical access perspective, data centers should have a robust information security program in place. Utilizing an industry framework such as the CIS Critical Security Controls can be a great start towards protecting information, security, and building management systems at a data center.
It should always start with a Risk Assessment. Performing regular risk assessments on information security systems can help you determine the need for redundancy, additional hardening, failover, or business continuity procedures. Risk Assessments can help you prioritize your assets, analyze the risks to the assets, and implement controls to address those risks, improving overall data center security.
What role does Penetration Testing play in securing a data center?
Penetration testing is a critical element of data center security. Testing the organization’s facilities, networks, systems, and applications should be a regular part of your information security program. Testing should include network and application layer testing of security and monitoring systems (door access control systems, video surveillance systems, etc.). Additionally, physical controls should also be tested. These tests should include perimeter and internal physical access controls, social engineering assessments of onsite personnel.
How can Data Centers meet client and industry demands without sacrificing security?
One of the main reasons companies choose to house their systems in a third-party data center is the physical security features that the center offers. Data centers are typically located in hardened buildings and in areas where risk from natural disasters is minimized. 24-Hour onsite security and monitoring are also important features that companies want in their data centers. A lot of our customers also appreciate the customer/visitor/vendor access controls in place, which often time require the data center customer to provide advanced notice when they intent to bring a visitor to the data center for a tour.
What are the best ways to safeguard a Data Center against a breach?
Protecting your data center against a breach doesn’t have to be a daunting task. Here are four great ways you can safeguard your data center against a breach:
- Perform a formal and ongoing risk assessment – The risk assessment process should always be continual. It allows you to identify and mitigate against potential threat.
- Maintain well document policies and procedures – If it’s not written down, it’s likely you’re not really doing it. That’s why it’s important to ensure that your policies and procedures are well documented. Do you have the appropriate policies and procedures in place to ensure security controls?
- Implement logical and physical security controls – It’s always a good idea to consistently track and monitor the effective implementation of your logical and physical security controls.
- Provide ongoing training – Personnel should be continually training on all logical and physical security responsibilities. Remember, you’re only as strong as your weakest link.
For more information on how you can overcome security challenges at your data center, contact us today. This article was based on a conversation with Steve McEnroe, CISA, QSA, GWAPT.