Data centres and cyber security
Data centres’ infrastructure and systems are required to store, process, and transfer data at scale, and are complex.
They are a valuable target for threat actors seeking to conduct cyber-attacks. The motivation for these attacks may include:
- To steal valuable or sensitive data.
- To deny access to, disrupt, degrade, or destroy data centre operations and services.
- To compromise data integrity.
Managing cyber security risks to data centres is about protecting the data held there (data at rest) and the data that passes through them (data in transit). Data centre operators (and their customers) should assume that a successful cyber-attack will happen, and therefore take steps to ensure that attacks can be detected, and the impact minimised.
IT infrastructure and network connectivity
Data centres require operational technology (OT) networks for building management services. These services are vital to maintaining and protecting data centre operations. This includes services such as power and cooling. Physical data centre security is also dependent on network connected systems such as access control.
External network systems are provided by data centre operators to allow customers the means to access the services they run from there. Data centre operators can also use these external networks to remotely manage their data centre infrastructure. Since the management of the data centre infrastructure is often carried out by managed service providers (who will also access these communications networks to provide support services), there are implications for the supply chain. External connections can provide pathways into the heart of data centre operations. Attackers will see these as a vector to try and exploit weak data centre cyber defences to target sensitive or valuable data or disrupt data centre operations.
Managing cyber security risk
A comprehensive cyber risk management regime is invaluable, should be embedded throughout your organisation, and should complement the way you manage other business risks.
The section on risk management above provides links to NPSA and the NCSC guidance to help manage your cyber risks. That guidance provides information on the tools, methods, and frameworks available to help you manage this important aspect of your business. The NCSC has also published the 10 Steps to Cyber Security guidance, which includes further information on why risk management is important for organisations to help protect themselves in cyberspace.
The NCSC Cyber Assessment Framework provides some indicators of good practice which can be used to provide operators and data centre customers a baseline for risk management.
Protect against cyber-attack
There is no guaranteed way to avoid cyber-attacks. However, the worst outcomes can be avoided if an organisation’s services are designed and operated with security as a core consideration. This requires the following areas to be considered:
The production and implementation of policies and procedures that are owned and approved by the board is an important step in helping you manage the cyber risk to your business. These should be developed as part of the risk management process.
Policies and procedures need to be communicated in order that the organisation’s approach to the security of its networks and information systems is clearly understood by all that use them. It is important that anyone accessing data centre systems understands their obligations in protecting those systems, which can include internal staff and contracted service providers.
You should verify, authenticate and authorise any access to data or systems. Unauthorised access to data, systems and services could lead to loss of data or disruption of services. Good identity and access management on your networks should make it hard for attackers to pretend they are legitimate. The NCSC has published guidance to help you manage access to your resources.
It is vital that remote access to data centre resources is managed properly. This is particularly important where there is a requirement for users to carry out activities that require privileged access.
If an attacker can compromise a person with privileged access rights or a device used for administration activities, they can inherit privileged accesses, which provides potential for more impactful attacks. This also means an attacker may have the potential to cover their tracks so that their attack is more difficult to detect or remediate. The NCSC publishes specific guidance on privileged access management and how to avoid repeating ineffective solutions with administering a network.
Data used by business can take a variety of forms, and could include information that would be valuable to an attacker, including personal data related to customers or staff; design details of networks and information systems; or intellectual property (IP).
Even if there is no legal requirement to protect data, there is often a commercial or security reason for it to be protected from unauthorised access, modification, or deletion. Measures should be taken to protect data in transit, at rest, and at end of life – that is, effectively sanitising or destroying storage media after use.
In many cases your data will be outside your direct control, so it is important to consider the protections that you can apply, as well as the assurances you may need from third parties.
With the rise in increasingly tailored ransomware attacks preventing organisations from accessing their systems and data stored on them, other relevant security measures should include measures such as maintaining up-to-date, isolated, offline backup copies of all important data.
The NCSC Ten Steps to Cyber Security provides further information to help you protect your data.
Organisations should ensure that good cyber security is built into their systems and services from the outset, and that those systems and services can be maintained and updated to adapt effectively to emerging threats and risks in the cyber security landscape.
The worst outcomes of cyber-attacks can be avoided if your services are designed and operated with security as a core consideration. The NCSC publishes guidance describing a set of secure design principles to help with this. This provides information on how you can:
- Make compromise of and disruption to your systems more difficult.
- Make compromise detection easier.
- Reduce the impact of any compromise (see below for further information on detection and reduction of impact).
This guidance can be used to help you build new systems but is also helpful in reviewing the cyber security of existing systems.
The NCSC 10 Steps to Cyber Security guidance provides information on approaches to securely building systems and services.
The NCSC cyber security design principles guidance provides further information to help you secure your systems.
Detecting cyber security events
There is no guarantee that the protective measures in place will mitigate an attack and organisations should prepare by assuming that cyber compromises will occur. These preparations should aim to ensure quick response times and support decision-making. In addition, exposing the root cause can help manage future attacks and resolve any ongoing issues.
The following factors can aid your organisation’s response in the event of a cyber intrusion:
- Audited and logged information with access controls and isolated from other corporate trust domains can help identify suspicious user behaviour for either an attacker or insider.
- Monitoring and analysis tools used to compare log and audit data against ‘indicators of compromise’ (from threat intelligence sources – see below) can help identify and investigate events of interest.
- Threat intelligence can come from discussion forums, trusted relationships, paid-for contracts with threat intelligence companies, or even generated internally. It should be routinely collected from quality sources and kept up to date.
- Governance, roles, and workflows help operational monitoring teams establish roles and responsibilities that cover both security and performance-related monitoring. Monitoring teams should include members who:
- Know the network, its hardware and software, and the types of data they process and produce.
- Can work with threat intelligence to identify, investigate and triage security events.
- Understand the organisation's business and assess the significance of security events in terms of their potential to cause harm, such as disrupting operations or leaking sensitive corporate or personal data.
Security monitoring takes this further and involves the active analysis of logging information to look for signs of known attacks or unusual system behaviour, enabling organisations to detect events that could be deemed a security incident.
Your monitoring capability should work seamlessly with your incident management (see below for more information on incident management) and may even comprise some of the same staff in order to help you respond and minimise the impact.
Minimising impact of cyber security incidents
Once a cyber intrusion has been detected, good incident management should help reduce the impact, and this includes:
- Quickly responding to incidents after detection to help prevent further damage, as well as reducing the financial and operational impact.
- Managing the incident while in the media spotlight to reduce reputational impact.
- Applying what you have learned in the aftermath of an incident to make you better prepared for any future incidents.
Businesses should therefore put in place measures to plan for this eventuality. This should include putting the appropriate governance in place for the business such as an information security management system (ISMS).
Ensure there are well-defined and tested incident management responses in place that aim to ensure continuity of essential functions in the event of system or service failure. Mitigation activities designed to contain the impact of compromise should be in place.
In the event of a concern or potential security incident, good logging practices (also see above) will allow you to retrospectively look at what has happened and understand the impact of the incident.
You may consider implementing the NCSC’s guidance on Security Operations Centres (SOC) where the use of a Security Information and Event Management (SIEM) tool will allow real-time analysis of security alerts and give indication of abnormal behaviour.