Data is private to the organizations and individuals that own it, but data centers are usually shared. That is a security problem the hosted data center (colocation) service provider must confront.
Many companies want to move their business to the cloud, but their on-premises data centers still hold a lot of IT resources. To simplify operations, companies often migrate them to hosted data centers. A 2017 survey by industry firm Vertiv found that 57% of enterprises plan to increase their use of data center outsourcing services. Technavio’s research predicts that by 2022, the hosted data center market will grow at a rate of about 9%.
At the same time, most cloud platforms run in hosted data center space. Cloud computing giants such as AWS use a large number of shared facilities to fill gaps in their coverage.
For customers, the hosted data center industry reduces capital investment, allows them to scale, and gives them effective geographic distribution. But there is also a disadvantage: tenants must trust the service provider that houses their hardware and data, and must accept that the hosted data center may itself be the target of attacks.
Russell Poole, general manager of Equinix UK and Northern Europe, said: “Data center users need to pay attention to security, which is the most important requirement for all of our customers when they want to deploy together.”
A high priority for hosted data center providers
A security incident in a hosted data center has the same impact and harm for customers as one in a data center they own and operate. But for the affected hosted data center service provider, the security failure may be more embarrassing, because it represents a failure of its core business.
Hosted data center service provider CI Host’s facility in Chicago suffered four thefts between 2005 and 2007, in which thieves took tens of thousands of dollars’ worth of servers. In December 2018, customers of Australian telecommunications provider Vocus complained that one of the company’s data center facilities had been left open to the public for several months. Beyond the theft of physical infrastructure, unauthorized server access also lets intruders steal data or modify the data and processes running on the hardware.
Both companies still operate hosted data center businesses, but a failure to secure data center facilities and equipment can have devastating consequences. Even if the terms of service are impeccable on liability for security incidents, lost trust easily becomes lost customers, especially in a highly competitive market with many service providers.
Poole said, “A data breach can put a business that operates globally in trouble overnight, and data centers play a vital role in preventing this from happening. A security breach has a disastrous impact not only on the hosted data center service provider’s reputation but also on the tenant’s reputation.”
Hosted data centers face all the security issues of a data facility deployed within an enterprise. But they face a further challenge: they serve multiple tenants, and tenants may be accessing the data center at any time.
It is best not to put signs or advertising on the data center building, which reduces the chance of unexpected or unwelcome visitors. Perimeter fences, general warning signs, and a minimal number of entrances and exits help keep out people with bad intentions. Guards, barriers, surveillance systems (such as closed-circuit television) and access controls (such as key cards) control and reduce the number of people entering the facility.
But while the perimeter must be secured, internal security is the key. Compared with a data center an enterprise owns and operates, the presence of outsiders means that data center employees should remain highly vigilant and apply stricter controls. Staff may grow accustomed to seeing unfamiliar people doing seemingly harmless work inside the facility, but such a person may be an attacker targeting a tenant or the facility itself.
Asked for examples of how a customer renting space in a hosted data center might be attacked, Holly Grace Williams, technical director of penetration testing vendor Secarma, said that one effective method is to rent space in the same facility.
Williams said, “If someone wants to attack a hosted data center facility or one of its tenants, they can rent space in the data center and gain access. Then they can try to reach and attack other tenants’ equipment in the data center; if the rack enclosure is not locked and there is a window of time, they can insert a USB flash drive into a server port to steal data. Because of this, the key is that the hosted data center service provider properly segments customers, and monitors and trains employees. Hosted data center service providers should build a narrow passage that allows only one person through at a time. Within the hosted data center, a solid mesh enclosure should be used to separate racks from the room.”
Hosted data center service providers should have a tamper-detection mechanism that registers when a customer’s rack is opened, integrated with a monitoring system that can immediately tell whether the tenant’s own staff are present and whether the enclosure was locked or forced open.
Williams said, “The hosted data center service provider’s team needs to pay close attention to the staff working in the facility, make sure they use only their own toolboxes, and take immediate action if a rack is opened by anyone other than the tenant company’s own employees.”
When outsiders enter the data center, biometrics, key cards and other access control devices should be used, and a record kept of when and where each person went. Internal monitoring (such as closed-circuit television and cameras) should also cover the whole facility and be staffed 24/7.
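The rack-opening alert described above can be implemented as a correlation between the hall's badge-access log and the rack-door sensor log: a door opening is acceptable while an employee of the owning tenant is badged in, while a forced opening, or an opening with no tenant staff present, is raised immediately. The following is an added example and is not code from the article or from any of the providers it quotes; the log format, the field names, the sensor states `opened` and `forced`, and the sample events are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample logs (not from the article). Each line is an ISO timestamp
# followed by key=value fields; the format is an assumption for this example.
BADGE_LOG = [
    "2024-03-01T09:58:10 badge=1001 tenant=acme cage=A door=in",
    "2024-03-01T10:41:00 badge=1001 tenant=acme cage=A door=out",
    "2024-03-01T11:05:30 badge=2002 tenant=globex cage=B door=in",
]
RACK_LOG = [
    "2024-03-01T10:02:15 rack=A-07 tenant=acme state=opened",    # acme staff inside -> ok
    "2024-03-01T11:20:00 rack=A-07 tenant=acme state=opened",    # acme left at 10:41 -> alert
    "2024-03-01T11:21:40 rack=B-03 tenant=globex state=forced",  # lock engaged, door open -> alert
    "2024-03-01T11:30:00 rack=B-03 tenant=globex state=opened",  # globex staff inside -> ok
]


def parse_event(line):
    """Parse one 'ISO-timestamp key=value ...' line into a dict (assumed format)."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def correlate_rack_events(badge_lines, rack_lines):
    """Return (timestamp, rack, alert_type) tuples for suspicious rack-door events.

    FORCED_OPEN                   - sensor reports the door opened while locked
    OPENED_WITHOUT_TENANT_PRESENT - door opened while nobody from the owning
                                    tenant is badged into the hall
    """
    events = [("badge", parse_event(line)) for line in badge_lines]
    events += [("rack", parse_event(line)) for line in rack_lines]
    # Replay in time order; at equal timestamps handle badge events first so a
    # badge-in in the same second as a door opening counts as "present".
    events.sort(key=lambda e: (e[1]["ts"], 0 if e[0] == "badge" else 1))

    present = {}  # tenant -> set of badge ids currently inside the hall
    alerts = []
    for kind, rec in events:
        if kind == "badge":
            inside = present.setdefault(rec["tenant"], set())
            if rec["door"] == "in":
                inside.add(rec["badge"])
            else:
                inside.discard(rec["badge"])
        elif rec["state"] == "forced":
            alerts.append((rec["ts"], rec["rack"], "FORCED_OPEN"))
        elif not present.get(rec["tenant"]):
            alerts.append((rec["ts"], rec["rack"], "OPENED_WITHOUT_TENANT_PRESENT"))
    return alerts


if __name__ == "__main__":
    for ts, rack, kind in correlate_rack_events(BADGE_LOG, RACK_LOG):
        print(f"{ts.isoformat()} rack {rack}: {kind}")
```

The replay keeps presence per tenant rather than per cage, so a tenant badged into the hall covers any of that tenant's racks; a stricter deployment would key presence on the cage field as well, and would feed the alerts to the tenant's own contacts as the article suggests.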
Equinix’s Poole suggested, “When potential tenants visit a data center to assess its suitability, they should ask themselves, ‘If I forgot the password, how difficult would it be to get in?’ The answer should be ‘Entry prohibited.’”
He explained that anyone who needs to enter an Equinix data center can do so only by appointment, and a series of security measures (such as biometrics and fingerprint readers) control personnel access. These readers match fingerprints and permissions against an encrypted database.
He said, “Once someone enters, trained security personnel have them sign in and visually confirm that only authorized visitors are admitted. The data center is monitored by hundreds of cameras and handheld readers, providing detailed monitoring and archiving for critical infrastructure areas and all customers.”
Security personnel and staff in the data center should be well trained and aware of the risks of social engineering. If on-site staff depart from standard procedures and admit unauthorized personnel, all other controls and defenses fail. Employees therefore need enough confidence to follow the rules even under pressure, to ask questions or double-check anything they are unsure of, and to stay alert to suspicious behavior.
Regular penetration testing by hosted data center service providers and tenants confirms that security controls are properly implemented and functioning effectively, and finds potential vulnerabilities or deficiencies to improve. Tenants should likewise be encouraged to check for themselves that the data center’s security meets the standards they expect or require.
Williams of Secarma explained: “There is a difference between a secure hosted data center and a very secure hosted data center, but most people do not make the distinction on intuition; they make it based on particular compliance or regulatory requirements.”