In 2020, datacentres are estimated to be cleaner, greener and more flexible — but will they be any safer?
You don't even need an explosion to create disaster — all you need is some incident and you cannot get into your datacentre.
Harry Archer, head of security practice for BT Australia
By then, attackers targeting datacentres will have had another decade to perfect their assaults on enterprises, and in turn those enterprises will have had another 10 years to develop strategies to fight them off. So how will the datacentres of 2020 adapt?
If experts are correct, it will be the physical security of datacentres that will undergo the most change: datacentres will be moved out of the central business districts of cities, in an effort to tackle today's remaining physical threats.
The move from the CBD
Harry Archer, recently appointed head of security practice for BT Australia, says he was shocked on arriving in Australia to find datacentres located in the heart of Sydney's central business district.
"The datacentres I've seen in Australia seem to be located in cities, which is a concern. You don't even need an explosion to create disaster — all you need is some incident and you cannot get into your datacentre," Archer told ZDNet.com.au.
If there were even a small disaster — a gas leak, or a lengthy power outage — the response would be seriously hampered by a lack of space.
"If you started one of these backup generators, you would choke everyone in Sydney," said Archer.
The problems associated with locating datacentres in cities is one that UK businesses tackled in response to the September 11 bombings in 2001. Nowadays, he says, datacentres are outside the cities, in buildings that disguise their true role.
A shift is now occurring in datacentres Down Under, according to David Cowell, a consultant who has managed Australian datacentres for 30 years. "All the big banks have moved out to the suburbs and to regional areas in Melbourne, Sydney and Brisbane. Technology parks such as Norwest, which provide infrastructure for Westpac and Woolworths, are commonplace."
Projects like Norwest are already underway in Queensland, such as the Polaris datacentre in Springfield — Suncorp Metway is currently relocating there from its ageing Brisbane-based datacentre. The yet-to-be approved Canberra Technology Park being developed by Technical Real Estate (TRE) is also looking at a new approach to energy supplies to protect against physical threats.
If you started one of these backup generators, you would choke everyone in Sydney
Harry Archer, head of security practice for BT Australia
"What's unique about this is that it's a joint venture between a utility and datacentre developer. Normally you take power off the grid and the backup is a diesel generator in the building. We're doing the reverse. The primary energy will come from on-site gas generators and the backup will come from the grid," Stephen Ellis, TRE's director told ZDNet.com.au.
But the trend towards "co-location" at super datacentres, where companies share hardware or space, is presenting problems which could take years to resolve — in no small part due to the human element involved.
"All these colos have networks that terminate in the same room, which is full of cables with multiple customers connected to the world. If someone was in there and leant on a switch, bang, you could shut down an entire datacentre," he told ZDNet.com.au.
An entrance to a 2020 datacentre?
Given the risks posed by errant individuals making their way into datacentres, according to Olaf Moon, general manager for government hosting at Macquarie Telecom, the biggest challenge for the datacentre is identity management.
For Moon, best practice needs several layers of security. "For a person to get access, you must get past a check point where you must prove your identity. Visitors must enter the mantrap, which is like a sub-room, before entering the datacentre — that's where your authentication is checked. On top of that there is CCTV," he said.
Moon believes security technologies currently in use by Defence will trickle down to mainstream... ..... datacentres in the future, which may include weighing and taking the temperature of people as they enter and leave the datacentre to ensure visitors can take nothing with them when they leave a room.
Can $40 overalls crack the best security?
But to protect against a determined and well informed attacker, identity management technologies have a long way to go, according to Pure Hacking penetration tester Chris Gatford.
During a social engineering penetration test, Gatford bought some AU$40 overalls, rang the datacentre manager and pretended to be the CEO of a company whose servers were located there.
"Feigning to be the CEO, I said, 'We have people coming into work on the electricity in rack four. As soon as they come in, do not let them slack off — they charge a lot of money for this work, so show them directly to the rack and ensure they get to work straight away," he said.
"We didn't even get asked for ID and were just wearing our $40 overalls and it was quite a successful test — we got to the server. And if you're ever standing in front a box, it's as good as owned. Physical access means you can reset passwords and do all sorts of attacks, such as auto run CDs to install trojans. It only takes one minute to reset a Cisco switch or router to change the password and restore it back."
According to datacentre consultant David Cowell, cage design is symptomatic of security being "token" at the datacentre.
"Most security I've seen is token. People put cages around their infrastructure but the cage only goes from the floor to the ceiling. But then there is a false floor and false ceiling between two concrete slabs. You hardly ever see one where the cage goes under computer room floors. It's not done properly," he said.
But how, with virtualisation driving shared hardware, will businesses keep data separated when sharing physical server space?
"That's the big concern — how to apply security from one physical device to another," David Endler, director of security research at TippingPoint DVLabs told ZDNet.com.au.
Pure Hacking's Gatford agreed. "When a shared system is compromised, which is usually connected to a shared switch, it doesn't affect just that customer. There's no dedicated switch for them. So you have to really hope that the host is up on their game on securing the Internet connectivity because if you compromise one box, you've got full access and can then start launching network layer attacks which affects customers connecting to that switch," he said.
But a bigger problem is looming on the horizon in the form of wireless-enabled devices, which Mikko HyppÃƒÂ¶nen, F-Secure's chief research officer, reckons will become integral to the datacentre.
And if you're ever standing in front a box, it's as good as owned.
Chris Gatford, Pure Hacking penetration tester
"By 2020, any device — car, a switch, fridges, phones — will automatically assume that it needs to find an IP address to go online," HyppÃƒÂ¶nen told ZDNet.com.au.
"Devices can get connected too easily and it will be harder and harder to restrict. Now, you might put in a firewall, but in the future, when you're building a datacentre, there will be plenty of hardware in there," he said.
"Many of these devices might get online alone, not via switches, but wireless. These might become a problem for those who are security conscious. I can easily see a scenario where you plug in some cheap modem switch to do something simple and it will go online alone, not using cables. That would open up risk and you might see rooms being built which is shielded against radio traffic."
However, as 2020 draws closer, it looks like information will hold a higher burden of risk to organisations that host it and successive reviews of the Privacy Act will continue to keep data security at the front of businesses' minds. With the threat of ever tighter legislation around e-discovery and data loss hanging over them, 2020 could perhaps see datacentre security hitting the top of CIOs must-do lists.