Datacentre security: a 10-point checklist

Security is always at the heart of datacentre thinking, so it makes sense to have a checklist of the key measures, says Manek Dubash

Security is always jockeying for a place at the top of the datacentre agenda, and that's why it makes sense to have a handy checklist of key measures, says Manek Dubash.

Whether you are a hosting or co-location organisation or running your own datacentre, security issues never go away. Not only do you need to keep data safe and meet service-level agreements (SLAs), but the cost of a breach is also high.

That cost will vary depending on a number of factors, such as the type of breach or how you value your data. According to the Ponemon Institute's Annual Cost of a Data Breach study, the cost of a breach in 2009 was $202 (£134) per customer record, an amount made up of what the institute describes as "direct, indirect and opportunity costs from the loss or theft of personal information".

Yet securing a datacentre is a huge task that includes physical as well as electronic and procedural issues. Here is a 10-point checklist to help you verify that your security arrangements cover the ground.

1. Secure the physical environment
Does the location of your datacentre reduce the risk of accidental or deliberate ingress by the unauthorised? Having a secure location means siting it where the risk of external threats, such as flooding, is low. You also need to take into account the security of supply of external resources such as electricity, water and communications.

2. Hide the datacentre
Locate surveillance cameras around the perimeter of the premises and remove signs that might provide clues to its function. The datacentre should be set as far back from the road as possible, and it is worth using landscaping to help keep intruders and vehicles at bay. It is best to have concrete walls without windows. If there are windows, use those areas for administrative purposes only.

3. Hire a security officer
Make security the responsibility of a nominated individual, who should not only understand the technology involved but also be business oriented. He or she will need to be a good manager — especially of specialists who can shoulder specific tasks — and be able to adapt both the security infrastructure and the role as business needs change.

Good communication skills are essential, along with the ability to evaluate and assess the impact of a threat on the business and to communicate it in non-technical language.

4. Secure your people
Ensure that physical access is restricted to those who need to be there. The closer people are to the data, the tighter the access control measures and the smaller the numbers of those with access privileges should be.

This approach can start with deploying crash barriers, retractable bollards, a guardhouse to restrict access to the site, and limiting ingress points to the main entrance and a loading bay. Use two-factor authentication — via either a keycard or preferably biometric authentication — and an access code.

Provide each individual with an access level appropriate to their role, using the general principle that only those who absolutely need to touch the equipment gain physical access to the datacentre itself. Use a similar process to restrict access to other critical equipment such as the back-up power systems.

5. Check who your people are
Don't take the word of an employee about where they worked or their present and previous home addresses. Run an analytics application on every employee to cross-check issues such as addresses shared with undesirable individuals.

Get people's permission to run these checks: not only will they prefer checks to be run, as it will add to their standing within the company, but those refusing a check will also stand out.

6. Test your backup and security procedures
Test backup systems regularly in accordance with manufacturer's specifications. Test your disaster-recovery plan by failing-over a test area to the second datacentre. Define carefully what you mean by a disaster and ensure everyone knows what to do in the event of one happening. Check the recovery plan works and still allows you to meet your SLAs.

Also, regularly check that more general security procedures are working correctly: for example, privilege levels should remain consistent with the roles of each individual. Check physical practices too. Are fire doors being propped open for convenience's sake? Are people leaving their PCs logged in and unprotected by password-enabled screen-savers?
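One way to run the privilege-consistency check described here, combined with the point 4 rule that fewer people should hold access the closer they get to the data. This is an added example, not part of the original article; the zone names, roles, people and policy are all constructed assumptions.

```python
# Added example: audit physical-access grants against role policy.
# All zone names, roles and people are constructed for illustration.

# Zones ordered from the perimeter inwards, towards the data.
INWARD_ZONES = ["site", "building", "datacentre_floor"]

# Access each role is entitled to (assumed policy, not from the article).
ROLE_POLICY = {
    "administrator": {"site", "building"},
    "hardware_technician": {"site", "building", "datacentre_floor"},
    "facilities_engineer": {"site", "building", "backup_power"},
}

# Constructed export from an access-control system: (person, role, zones).
GRANTS = [
    ("avery", "hardware_technician", {"site", "building", "datacentre_floor"}),
    ("blake", "administrator", {"site", "building", "datacentre_floor"}),
    ("casey", "facilities_engineer", {"site", "building", "backup_power"}),
    ("devon", "administrator", {"site", "building"}),
    ("ellis", "contractor", {"site"}),  # role missing from the policy
]

def excess_grants(grants, policy):
    """Return {person: [zones held beyond what the role allows]}."""
    findings = {}
    for person, role, zones in grants:
        allowed = policy.get(role, set())  # unknown role: nothing is allowed
        extra = sorted(zones - allowed)
        if extra:
            findings[person] = extra
    return findings

def headcount_by_zone(grants, zones):
    """Count how many people hold access to each zone, in the order given."""
    return [(z, sum(1 for _, _, held in grants if z in held)) for z in zones]

def widening_zones(grants, zones=INWARD_ZONES):
    """Return (outer, inner) pairs where the inner zone has more people than
    the outer one, i.e. access widens instead of narrowing towards the data."""
    counts = headcount_by_zone(grants, zones)
    return [(o[0], i[0]) for o, i in zip(counts, counts[1:]) if i[1] > o[1]]

if __name__ == "__main__":
    for person, zones in excess_grants(GRANTS, ROLE_POLICY).items():
        print(f"{person}: access beyond role -> {', '.join(zones)}")
    print("headcount:", headcount_by_zone(GRANTS, INWARD_ZONES))
    print("widening:", widening_zones(GRANTS))
```

A grant held under a role that the policy does not define is reported in full, so accounts left over from a retired or renamed role surface in the same review.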

7. Secure your network perimeter
Use a wireline speed intrusion prevention system with zero-day attack prevention. Although this provision can add to the management load, such systems and the way they are deployed can also be differentiators when selling the datacentre's facilities internally and to third parties.

Configure the intrusion prevention system (IPS) to suit your needs. According to security test specialist NSS Labs, "organisations that do not tune their IPS products could be missing up to 44 percent of 'catchable' attacks".

8. Secure your applications
Securing your virtual servers and desktops using antivirus tools and either host- or client-based firewalls is a baseline security measure. But, according to Gartner, over 75 percent of all hacks occur at the application level, so web-based applications, especially those using multimedia development languages such as Ajax and Flash, particularly need to be secured.

The problem with such tools is that, as HP's Jonathan Rende told me, "stuff gets developed that you didn't ask for, called accidental functionality". Proof comes from the Web Application Security Consortium, which reports that, from scans of 31,373 sites, over 85 percent showed a vulnerability that could give hackers the ability to read, modify and transmit sensitive data.

9. Build a second datacentre
Ideally, ensure a second datacentre is constantly mirroring the first so that, in the event of a disaster shutting down the first one, the second is always online. Preferably, build your datacentre on a separate tectonic plate, in a different country or, if high-speed access is paramount, as far away as possible while remaining connected via your chosen communications technology. If you use it for load-balancing, you can improve throughput too.

10. Undertake a risk assessment
A lot of the measures to protect datacentres are obvious — some less so — but you will never know which are the most cost-effective until you measure the cost against the benefits. This process will also allow you to prioritise and focus your security spending where it matters most.

Better still, get a third-party security assessment company to evaluate your security. Fresh eyes often see things embedded personnel may miss, but run a security audit on that company first.