What you will learn from this tip: Not all third-party data centers are secured equally. Here are eight tips to make sure your data will be protected.
Outsourcing data center services is becoming a popular practice in the new millennium for small-, medium- and large-sized organizations. Leasing, purchasing or perhaps building your own data center is a costly proposition and in an attempt to grab as much market share and client/customer base as possible, businesses are turning more and more to third-party data centers and collocation data service providers.
Businesses beware. What you don't know can hurt you.
In response to a recent interview by the California-based Palm Springs Desert Sun newspaper regarding this very topic, I attended an invitation-only facility tour hosted by an organization that provides third-party data center and colocation services. The facility in which the tour was conducted was very large, nearly 1 million square feet, consisting of eight floors and housing a large number of other technology-based organizations, including the tour host. I was eager to tour the facility, touted as the "technology center of the city," in hopes of learning what physical security practices were in place. Surely, the facility must be protected like Fort Knox given the number of technology-based tenants. Unfortunately, I was disappointed. The physical security design and the devices that were being used were rudimentary at best.
For the most part, the space that we toured was what we call common building space. That is, space that is controlled by a base building landlord. The third-party provider hosting the tour merely occupies space within this multi-tenant facility. There were no security layering effects to this design. Access to the host's most critical space was gained from common-space hallways. Access to this critical space was controlled by biometric access control authentication technology; however, the most critical aspects of design were ignored, such as the doors. Double swing doors with magnetic locking devices and mechanical flush bolt pins on the stationary leafs were the only things standing between the common building corridor and the rooms to which they are storing customer servers. Magnetic locks are generally a bad idea when it comes to securing one's most critical space. A simple fire alarm activation will drop the lock power supplies and unlock the doors. Positive latching will be nonexistent and access to the heart of their operation will be open to anyone in the area who desires to enter. Service providers may tout that their security program is sound and that customers have nothing to worry about. However, when in the middle of the tour I observed a biometrically controlled set of double doors "propped open" for me or anyone else to enter, I began to question this data center's security. The other downside of this particular service provider's overall design is that the fire-alarm system for the facility is shared with another major tenant…a retail department store. It's a scary thing when a retail shopper in another part of the building can activate the fire alarm and cause this service provider's computer room doors to unlock!
Another area of concern was raised when we visited the facility's fuel storage area. This area was located in the basement/loading dock section of the facility. Interestingly enough, access to the fuel tank room was under lock and key only. No cameras were present and no access-control devices were used to protect the area. The main entry to the loading dock, which was at street level, was wide open. A security officer was present at the dock entry, but did not appear to be that interested in stopping vehicles and performing inspections. As an added note, the fuel storage area is home to approximately 10 diesel fuel tanks used to power generators that are part of each tenant's alternative power sources.
Although the presentation on the providers business and the facility tour were well done, businesses thinking of colocating their services or utilizing third party data center providers need to be aware of the inherent risks involved in doing so. Performing a Risk Assessment of the facility where you are thinking of colocating or sending your data center services to is a good place to start. Businesses need to really understand the financial impact and risk associated with relinquishing physical control of the space in which your data will reside.
The security for this major facility, located in the hub of this particular large U.S. city, falls far below what corporations are doing for their own data centers. I have seen general high-rise office buildings with better security design layout and equipment than what I witnessed on this particular tour. And I haven't even covered the facility's exterior threats and exposures.
Below is what you need to look for when considering which third-party data center or colocation service provider you should do business with:
- Visit the provider's Web site. Make sure they do not list the addresses of all their data centers for the viewing public's edification. Everyone has a business address, but we don't all need to advertise it on the Web.
- If the provider's Web site has a "virtual tour" of their data center, make sure it is only a cursory tour. Providers should not be placing accurate or even semi-accurate schematics, design layouts or space layouts on the Web for everyone to view. The generic data center footprint should not be displayed. On the tour I attended, the actual space layout of the data center that I toured was pretty accurate to what I found on their Web site. I was able to locate the area in which customer/client servers were racked.
- Make sure the providers security design layout is not displayed on the Web, relative to the data center's space layout. Indicating where they place their security devices and protection should set off alarms in your head.
- Lean toward providers that own their own buildings or are the sole occupying tenant. The provider of choice should not be a tenant in a multi-tenant facility unless the physical security design and protection program in place are adequate and address the issues I have raised above. If the building is owned by a provider, they will have more control over physical security design and practices that are implemented.
- If the provider is located in a multi-tenant facility, make it your business to know who the other tenants are and what other businesses will be sharing the same general rack space area as your own. Although your business may not be the target of sabotage or terrorism or extremist activists, one of your "rack mates" might be. If this is the case, consider another provider as you may be at risk by association.
- Make sure the provider has their own security plan, policies, and procedures, and that they monitor their own physical security systems. This task should not be relinquished to landlord or base building security departments.
- Ask to see and evaluate the provider's disaster recovery plan. If they do not have one or if the one they provide for your review does not meet your standards, consider another provider.
- Consider hiring a security consultant to provide a Physical Security Risk Assessment and a one-time physical security survey of the provider's facility. A physical security consultant can assist you in making the best, most secure and lowest-risk choice for your organization. Physical Security surveys are not as expensive as one might think. In fact, they are pretty reasonable and the information you will gain will be invaluable.
Lastly, most third-party data center and colocation service providers probably provide great state-of-the-art network and IT intrusion security to their clients. But what good is that network and IT security if someone can physically penetrate the site and get to the hardware itself? The bottom line here is this: if you decide in favor of colocation or partake in third-party data center services, the provider that you select MUST provide the same level, if not better, physical security/access control and monitoring capabilities as what you would deploy to protect your data at your own site. If you are not sure what that level is, then it is time to consult a physical security consultant to assist you.
Thor A. Mollung is a Security Consultant with Massachusetts-based Mollung Systems Management. He is a member in good standing of the American Society for Industrial Security (ASIS International), the American College of Forensic Examiners Institute, where he holds the certification of CHS-II, the National Fire Protection Association (NFPA), Building Industry Consultants International (Bicsi) and the Technical Advisory Service for Attorneys (TASA). He can be reached at 781-393-0100, electronically at firstname.lastname@example.org or through his Web site www.mollungsystems.com.
This was first published in September 2005