Although recognised as important, the absolute criticality of the data centre is often underestimated and this is possibly due to its relative cost in comparison to other elements of the IT stack. While a rack footprint might cost £10K pa, the hardware might cost over £50K and the managed service £100K.
However, if the data centre fails the lost business can reach millions of pounds per day. So, while the data centre is considered the least important element when it is working, it immediately becomes the most important element if it fails.
While this is of course recognised by data centre designers who are focused on building a resilient mechanical and electrical infrastructure – normally with the objective of achieving “concurrent maintainability” – ensuring a comparable focus on security measures is being overlooked.
Targeting physical infrastructure is commonplace in time of war. Ports, airports and road arteries have been the traditional targets of those seeking to disrupt and destroy. In today’s world, where data is the oxygen that drives almost everything we do and there is hardly a business in the land without some form of information technology at its core, it is unsurprising that the locations which store active data, the data centres, have become recognised as threatened.
In their recent research paper Predicts 2013: Infrastructure Services Threatened as New Structural, Political, Competitive and Commercial Challenges Emerge, Gartner note that the flip side of greatly enhanced cyber security through the use of mind-bending algorithms is that it pushes those with an axe to grind to consider a plan B where a physical assault makes the most sense. The recent London riots of 2011 might have created just such a spark had the rioters wished to target a particular company or government department on which to vent their frustration.
Gartner’s report forewarn senior IT decision makers that by 2016 it is likely government regulation will dictate minimum physical levels of security for data centre infrastructure. No longer will it be acceptable to store data in facilities that do not have rigorous security protocols so executives must prepare now for this change.
In the UK, while 2012 saw the government mount its most visible campaign to date for raising business awareness of cyber security threats, 2013 is the year when this focus is extended to the physical security of the data centre which thus far has often been downplayed.
In the current world this lack of focus on the physical aspects of security is somewhat surprising as not only have we seen the destruction of the World Trade Center (which housed many data centres) and the London bombings of 2005, but as Gartner point out, going back further there is an even more pertinent example: “The bombing of the financial district of London’s Docklands in February 1996 demonstrated the vulnerability of data center buildings and surrounding areas to major disruption caused by a terrorist bomb.”
The emphasis that most data centre operators have placed on London is understandable. The vast majority of companies have their headquarters in London and the financial sector is almost exclusively based there. In the days when IT was unreliable and communication links were expensive it made sense to house equipment close to the main office – to be a “server hugger”. The focus on maintain cheaper communications links meant that companies’ IT equipment began to cluster together in a few mega data centres in London’s Docklands.
However, this clustering has created a concentration of risk as Gartner point out: “As large data centers serve more and more enduser organizations, their potential as a target for criminal and terrorist activity increases.
And according to Gartner it is also the risk to critical infrastructure that means the Government might be required to legislate: “Targeting critical infrastructure is a well-established strategy in times of war, and by terrorists (international and domestic alike). Data centers are critical infrastructure for the effective operations of most world economies. Information security measures continue to make “getting inside” harder for those with malicious intentions, thus requiring a reversion to the oldest form of gaining access — kick down the door!”
Such actions could be taken by disenfranchised domestic groups, contracted corporate espionage agents, or even the result of international conflict. Although the actual success of such efforts may be limited, the mere attempt will be enough to cause many governments to recognize data centers as being vital critical infrastructure requiring regulations potentially on par with those found in nuclear facilities.
Fortunately, thanks to increasingly sophisticated remote control and monitoring, and cheap fibre, the data centre no longer needs to be tightly shackled to the Head Office. Responsible CIOs should therefore focus on priorities other than convenience and consider data centre locations which are more secure than central London.
So why is a more remote out of town location more secure? Firstly, good security requires space – space enough for double layer fencing, space enough for the data centre building to be at least 25m from the road. In congested and expensive London this is very difficult to achieve whereas NGD’s facility in South Wales, for example, has a 25 acre site with military grade fences.
Secondly, a secure site should have a low footfall – remote from highly populated focal points for crowd unrest or riots, a location where unwanted strangers are easy to spot. And of course, the data centre should not be in the vicinity of natural terrorist targets such as Canary Wharf, flight paths or flood plains.
In summary, the UK government has already begun to recognise the growing security threat facing data centres noting that in 2013 it will widen its cyber security campaign to include the protection of physical technology assets. In order to minimise risk, buyers will in turn need to assess physical security capabilities far more rigorously than at present and look toward the selection of redundant delivery centres that are more geographically dispersed.