Data centres as targets
Data centres and the data they hold are attractive targets. One of the UK's most valuable assets is its data. Together with the data centres that hold and process it, they underpin almost all facets of modern life. This makes data centres an attractive target for threat actors, due to the large and diverse amount of information that supports our national infrastructure and businesses.
The opportunities for attack are diverse. Threat actors will target vulnerabilities in data centres' ownership, geography, physical perimeter, data halls, Meet Me Rooms (MMRs), supply chains, staff and cyber security in a concerted effort to breach data centres' defences, tamper with sensitive information or disrupt critical services.
The risks of breaches and disruption
The security and resilience of your data and the infrastructure beneath it are therefore critical. High-profile data breaches and disruption to services are frequently reported, with each incident potentially causing operators and data owners huge financial losses through regulatory fines, loss of sensitive IP, downtime, post-incident recovery and security improvements, and, perhaps most valuably of all, damage to reputation.
Cyber intrusion methodology evolves constantly, and sophisticated attackers have a strong incentive to defeat the defences you put in place. It should be assumed that at some point your defences will be breached and therefore it is also important to be able to respond proactively by detecting attacks and having measures in place to minimise the impact of any cyber security incidents.
To combat these diversified threats, we need to approach data centre security holistically, bringing together the physical, personnel and cyber security of data centres into a single strategy so that you can better withstand the diverse methods that state threat actors, cyber criminals and others may use to attack them.
There is no one-size-fits-all approach to holistic data centre security. Every data centre operator and user will need to consider this guidance based on their own risk assessments. This guidance contains the security considerations you need to be aware of to make sure your data stays protected.
This guidance is laid out by key areas of risk. Each of these areas should be considered when developing a risk management strategy that encourages a holistic security approach in data centres - moving from where the data centre is located, and who manages and operates it, to protecting against cyber threats. You should use this guidance to inform your own risk management strategy that is unique to your organisation's needs.
In July 2021, a Turkey-based individual claimed to have gained unauthorised access to over 100 servers based in the United States belonging to telecommunications provider T-Mobile. This access was reportedly initially gained by remotely exploiting a misconfigured router on the company's network.
T-Mobile subsequently confirmed in a statement that its systems had been accessed in an unauthorised manner and that information belonging to several million customers was exposed. This information is reported to have included the names, dates of birth and telephone numbers of customers.
In June 2015, the United States Office of Personnel Management (OPM) revealed that sensitive information relating to millions of US federal employees had been exfiltrated via an intrusion on its networks.
This information included classified details of federal employees, including their level of security clearances, personal and family information and their biometric details.
The breach is reported to have been facilitated by a combination of poor cyber security measures, including a lack of two-factor authentication and sub-standard malware protection.
State-sponsored Chinese hacking groups are reported to have conducted this attack in order to increase their intelligence collection on American citizens.
In October 2021, a misconfigured piece of networking equipment involved in ensuring interconnectivity between US company Meta's data centres caused a global outage of its services for over six hours. This outage affected billions of Meta's users and businesses who were unable to access the company's platforms Facebook, Instagram, WhatsApp and Messenger.
The outage was prolonged because Meta managed its own data centres, so the issue could not be resolved remotely. Instead, a team of engineers had to visit the affected data centres in person to reconfigure the affected equipment.
This incident compounded reputational issues that Meta was facing at the time, and shortly after the outage, Meta's share price was reported to have dropped by 4.9%.
Data centre operators and their customers should both have individual risk management strategies designed to protect their critical assets and systems.
NPSA's risk management framework encourages any organisation to follow these steps to manage risk:
- Identify your assets
- Categorise and classify your assets in relation to their level of criticality in supporting your business
- Identify threats (based on intent and capability)
- Assess the risks, based on the likelihood of the threat happening and the impact should the threat transpire
- Build a risk register to allow senior decision makers to make informed judgements on risk appetite and resource allocation
- Develop a protective security strategy for mitigating the risks identified and review the adequacy of existing countermeasures
- Implementation: propose new proportionate measures using a process such as the NPSA Operational Requirement (OR) process
- Review the process periodically and when there is a change in threat or change in operational environment
Risk management strategies between data centre operators and their customers are therefore interdependent. For example, as a data centre operator, you will want to ensure your risk management is robust in order to attract clients, maintain your reputation and comply with relevant regulatory regimes.
To be most effective, risk management strategies will be driven by senior leaders who understand the risks and protective security options available to help mitigate these risks.
The areas of security risk relevant to both data centres, and the data they hold, are detailed throughout this guidance.
This information should be used to inform your organisation's risk-based assessments and wider risk management strategy, regardless of whether you are a data centre owner, or a data centre customer.
Should you judge these threats to pose sufficient risk to your own assets and systems, we provide further information on the mitigations you might consider to better manage these risks and, where appropriate, we will direct you to NPSA's or the NCSC's comprehensive guidance on each topic.
Learn more about how to approach protective security risk management in more depth on NPSA's website.
The NCSC also provide guidance on approaching risk management from a cyber security perspective.
Whilst less likely than attacks that focus on acquiring or degrading data, threat actors may also seek to disrupt services by targeting data centres through either a destructive cyber-attack or a physical attack against a data centre.
In March 2021, a fire broke out at French cloud services provider OVHCloud destroying one of its four data centres and damaging another at its Strasbourg campus in France. This resulted in the company directing its clients, which include the French government, to activate their disaster recovery plans and reportedly denied access to a large number of domains and services.
Reuters, 'Millions of websites offline after fire at French cloud services firm', 10/02/2021
Ensuring that a data centre is resilient is therefore key
For data centres, worst-case risk scenarios tend to focus on availability issues such as service disruption due to natural hazards, power outages, hardware failures or denial-of-service attacks.
Data centres need to ensure they are resilient against a range of threats and hazards. They are typically already designed to be resilient to these types of availability issues, with numerous standards and guidance widely available. We provide some of these standards in the additional resources section at the end of this guidance. As there is extensive guidance available on data centre resilience, we will not cover it in detail here. However, there are some questions about resilience that we would advise a data owner to ask of a data centre operator to ensure they are less vulnerable to deliberate acts to disrupt services.
As a data centre owner, are you able to demonstrate that:
- you have physically separate communications routes into the data centre?
- you have diverse power supply and backup power options?
- the building service rooms critical to the functioning of the data centre (e.g. electrical, battery and mechanical rooms, and backup generators) are protected from physical attack and sabotage?
- in the event of a physical or cyber incident, you have sufficient people-power, e.g., adequate numbers of security personnel, engineers and other incident management staff, who can provide a sustained response?
- you have a resilient and diversified supply chain, including services, hardware and software, which can withstand disruption and minimise bottleneck effects?
- you have thought about having multiple data centres or storage locations to increase resilience and reduce the associated risk of having a single point of failure?
Data Centre Security Risks
Data Centre Security: The seven areas of risk.
From a data centre’s location to its security culture, workforce, and even the companies it partners with in the supply chain, there are a number of areas where threat actors can take advantage.
In this guidance, NPSA and the NCSC have identified seven areas of risk that data centre owners and data centre users should consider when thinking about security.
It’s important to take a holistic view on data centre security and the seven areas of risk should help you do this.
Let’s look at some examples of these potential vulnerabilities…
One is geography and ownership. Data centres overseas may be subject to laws that allow the state to access the information they hold. This could be the case in countries such as China and Russia, for example.
If you are a data centre owner, it’s crucial to understand this risk. And if you are a data centre user, you should always be aware of the potential threats posed by your information being hosted outside the UK.
There’s also the security of the physical perimeter and the data hall to consider, and any other risks posed by boundaries within the centre itself, such as the potential for meet-me rooms to be used to compromise or steal data.
Another risk relates to the people data centres employ. As in any organisation, people are one of the biggest strengths of a data centre. As force multipliers, they can vastly enhance security.
But the workforce is a point of vulnerability, too.
Insider risk means threats presented by people within the data centre. Data centres should have a good security culture and staff that are motivated and engaged with security.
Data centre owners and users alike rely on the protection provided by good personnel.
Next, there is supply chain. Have you considered the security of all the companies and suppliers you work with? Compromise and theft of data and disruption to services can take place at any point where there’s a gap in security. Supply chain vulnerabilities may be inherent or changing all the time.
Data centre users need to understand the risks posed by outsourcing to suppliers.
Data centre owners need to think about the level of protection suppliers will give to assets and information, as well as the protection afforded by the products or services they deliver.
And finally, while cyber-attacks may not be the only threat to data centres, they are an ever-evolving risk that’s growing in sophistication all the time. In fact, you should expect a cyber breach at some point and plan accordingly.
To summarise, the seven areas of risk identified in the data centre security guidance are:
- Geography and ownership risks
- Risks to physical perimeter and buildings
- Risks to the data hall
- Risks to Meet-Me Rooms
- Insider risks
- Risks to supply chain
- Cyber security risks
7 Areas of Risk
7 areas of risk have been identified from which attacks can originate and these should be factored into an overarching risk management strategy.
In most data centre operating models, the security of the perimeter, site and building will be the responsibility of the operator. To successfully mitigate the risk of an attack, it is important to understand how threats to your site, workforce or assets can manifest themselves.
In addition to the layered security you provide to protect data halls, data owners should be encouraged to implement extra security measures and controls on the perimeter of their own networking equipment.
Data centre operators should strictly control access to meet-me rooms (MMRs). You may decide not to allow customers access to view security arrangements. However, it is important that MMR security details and assurances are provided during tendering under a non-disclosure agreement.
It's important to mitigate any security and insider risks by having a robust and integrated ecosystem of policies, procedures, interventions and effects. These include optimising the use of people by improving measures to detect, deter and disrupt hostile actors during the reconnaissance phase of attack planning.
Attackers have both the intent and the ability to exploit vulnerabilities in supply chain security. However, before you can do anything to secure your supply chain, you need to understand the risks (and benefits) you are taking on by engaging suppliers delivering products, systems and services.
Data centres are a valuable target for threat actors seeking to steal data or disrupt operations and services. Data centre operators should assume that a cyber compromise is inevitable. We advise taking preventative cyber security measures as well as steps to detect intrusions and minimise their impact.
In the UK, GDPR sets out principles that data controllers must comply with. Understanding the regulations in the country where your data centre is located is important. Some governments may mandate access to data, which limits your control and your ability to provide assurances.
You can find information on further external resources and standards relevant to data centre security in the additional resources section at the end of this guidance.