Protecting your physical perimeter and buildings
In most data centre operating models, security of the perimeter, the site, and the building will be the responsibility of the operator. In an enterprise-owned facility, site security is defined by the enterprise based on its own risk assessment.
Data centre operators should be able to demonstrate they have used a risk-based layered approach to security. The process for implementing security at a data centre is no different from implementing security at any other sensitive or critical site.
To counter the threat from forcible attack, such as theft or terrorism, the 3Ds philosophy should be used. The 3Ds ask you to Deter, Detect and Delay attackers. The goal is to Deter the attacker from targeting your site or assets by creating a strong security appearance or messaging, Detect attacks at the earliest opportunity, and use security products that Delay the attacker for a period that enables response and intervention prior to any loss.
To counter the threat from surreptitious attack, such as espionage, the BAD philosophy should be used: implement effective Barriers, control Access, and Detect attacks. In a reverse approach to forcible attack protection, layers that form Barriers, control Access and Detect attacks should be created as close to the asset as possible. This philosophy focuses on detection and not delay of attacks, due to differing measures of success for the attacker. Taking this approach allows you to focus security measures on the asset, which in turn can also help mitigate the risk from insiders.
The BAD philosophy is part of the Surreptitious Threat Mitigation Process (STaMP), which should be used by those responsible for Government classified data that is deemed to be under threat from espionage. More information about STaMP, the NPSA Surreptitious Attack Protective Security Philosophy and its principles is available through an NPSA adviser or via our restricted access extranet.
What should I be thinking about?
Although most data owners will not be responsible for the external security of the perimeter, site or building, there are a number of questions you should ask the operator to understand the level of security. You should consider:
- Are there layered physical security measures to prevent unauthorised access to critical parts of the site?
- What types of threats have the security measures been designed to mitigate? You will need to ensure these cover the threat methodologies identified in your own risk assessment.
- What assurance can the data centre provider give you about ensuring those accessing the data centre are legitimate? Is a pass-wearing policy in place? Is a stringent visitor management system in place? What checks are in place for facilities (e.g. cleaners)?
- How does the data centre ensure and demonstrate good security culture amongst its staff?
- How many security staff operate on site? What are their roles and how is the security control room staffed and operated?
- Have you discussed with the data centre the option of implementing your own detection layers to maximise your opportunities for detection, at rack, room or hall level?
- If you require multiple racks, have you asked your data centre provider to locate them together to better control access – and limit the number of cables running across the data centre? What level of protection is there on cable runs?
You should be provided with security details under a non-disclosure agreement at contract tendering stage. Physically visiting a prospective provider is the best way to ensure the correct levels of protection are used.
Meet-me rooms also form part of your perimeter
Meet-me rooms act as the physical interface between your services and the internet, allowing two separate networks to peer and transfer data. Where data is transferred between networks, depending on the scenario, encryption may be shared, or may not be used. This provides a particularly vulnerable point and is therefore attractive to an attacker.
Building management systems
Building management systems (BMS), also known as building automation and control systems (BACS), are a type of system used to control and monitor the mechanical and electrical equipment in most modern buildings – such as ventilation, lighting, power, fire, and facilities management functions. In a data centre, the BMS usually controls the heating, ventilation, and air conditioning (and humidity). The BMS may be integrated with other building systems, e.g., the fire alarm and suppression systems to limit the spread of smoke and toxic fumes in the event of a fire.
Though BMS tend to be controlled by the data centre provider, a disruption to any one of these systems could cause an outage, potentially impacting your network. It is worth finding out what measures the data centre has put in place to manage BMS issues. With this in mind, key considerations relevant to your risk assessment as a customer within a shared data centre include:
- Whether you are connected to the data centre provider's BMS.
- What assurance the data centre provider can give you regarding access to these systems, so only essential personnel have access with rights limited to what is needed to undertake their role efficiently and safely.
- Confirmation from the data centre provider that the BMS itself is protected as a secure system, and operated from a secure area (i.e. not the building's reception or guest areas). Whether a cyber-vulnerability assessment of the BMS has been undertaken with recommendations acted upon.
More detailed guidance on BMS security is available here.
Learn more about the principles of how NPSA recommends you protect your perimeter and building and the security measures that can be used to protect your building and infrastructure.