Geography and ownership security
In the UK, GDPR sets out principles data controllers must comply with. It is important to understand the data security regulations of the country where your data centre is located. Some foreign governments may mandate access to data, which limits your control and your ability to provide assurances.
Data centres’ physical perimeter and buildings
In most data centre operating models, the security of the perimeter, site, and building will be the responsibility of the operator. To successfully mitigate the risk of an attack, it is important to understand how threats to your site, workforce or assets can manifest themselves.
The data hall
In addition to the layered security you provide to protect data halls, data owners should be encouraged to implement extra security measures and controls on the perimeter of their own networking equipment.
Meet-me room considerations
Data centre operators should strictly control access to meet-me rooms (MMRs). You may decide not to allow customers access to view security arrangements. However, it is important that MMR security details and assurances are provided during tendering under a non-disclosure agreement.
People security considerations
It’s important to mitigate any security and ‘insider’ risks by having a robust and integrated ecosystem of policies, procedures, interventions and effects. These include optimising the use of people by improving measures to detect, deter and disrupt hostile actors during the reconnaissance phase of attack planning.
Supply chain considerations
Attackers have both the intent and ability to exploit vulnerabilities in supply chain security. However, before you can do anything to secure your supply chain, you need to understand the risks (and benefits) you are taking on by engaging suppliers delivering products, systems and services.
Cyber security
Data centres are a valuable target for threat actors seeking to steal data or disrupt operations and services. Data centre owners should assume that a cyber compromise is inevitable. We advise taking steps to detect intrusions and minimise their impact, alongside preventative cyber security measures.