It doesn’t happen very often, but when a data centre security breach occurs, it sends a shockwave through the business community.
In its latest ‘Worldwide Infrastructure Security Report’, US-based Arbor Networks reveals that 71 per cent of data centre operators reported distributed denial of service (DDoS) attacks this year, up dramatically from 45 per cent in 2012. A DDoS attack attempts to make a resource, in this case the data centre, unavailable to its legitimate users by flooding it with communication requests from a large number of external sources.
The survey, based on responses from 220 Tier 1 and Tier 2/3 service providers, also found that 36 per cent experienced attacks that exceeded their total available Internet bandwidth, nearly double last year’s figure.
But it’s not always some nameless, faceless botnet which poses a threat to the data centre and the critical business data held within. Human error also plays its part.
Leading US web services provider GoDaddy recently admitted that one of its employees was ‘socially engineered’ into divulging information that allowed a hacker to gain access to Naoki Hiroshima’s GoDaddy account, resulting in the loss of his coveted “@N” Twitter handle. It’s not exactly a mission-critical security breach, some might say, but it represents a serious process weakness nonetheless.
So how safe are our data centres and how important a role does security play in choosing a service provider?
“The physical layers of security that go into a data centre are a big factor but it’s also about your processes and procedures in running that and trying to mitigate any chance of human error,” according to Tanya Duncan, managing director with Interxion. “Some clients want the extra ‘belt and braces’ service and it depends on that client in terms of compliance or how they might be audited.
“You try to take the human element out of it as much as possible. So where traditionally you would have had someone handing out a set of keys to get access to a customer rack, now you have automated proximity card access to the rack so little nuances including biometrics leave less possibility for human error,” she said.
“We have found a high level of security in Irish data centres,” said Geoffrey McGowan, head of pre-sales with IT infrastructure support company Comsys.
“The key point to make is that very rarely is the data centre the cause of the breach, as it owns the physical location and security and the customer owns the virtual security such as firewalls and encryption policies. We find that almost 99 per cent of security breaches will happen because of a virtual hole in the customer’s security or user negligence.”
Bryan Hickson, client solutions executive with IBM Ireland believes that understanding the traffic profile in and out of the data centre is key to mitigating risk.
“People are hacking for fun and there’s an incredibly large black market out there for information. Being able to ensure your data centre is secure from a network and application perspective is really important so we have application scanning and dynamic resource allocation to understand where resources are going at any given time. You can’t negate the human aspect so you have to perform an analysis of where the weak points in your organisation are,” he said.
Enda Doyle, director of cloud computing and managed services with Eircom, points to the importance of industry standards with agreed security frameworks for data protection.
“Standards like ISO27001 and PCI for protection of customer financial data are a must have for industrial-strength data centres but customers need to understand that how they design their own applications sitting within that data centre is important as well.”
But it’s not just about standards, according to Mark Fagan, head of data centres with BT Ireland. It’s about the maturity of that accreditation.
“Like every standard, the first question you have to ask as a customer is how long the data centre operator has had that standard and how embedded is it in their DNA?” he said.
BT’s approach to security extends beyond the data centre, right into the boardroom as an extension of the customer’s own security team.
“We typically don’t have access to credit card data for example but our systems have an indirect link to it, so we can facilitate PCI standards’ compliance by sitting with customers as part of their audit. We provide documentation, accreditations and our policies which underpin their own PCI compliance,” he said.
“Security is always the top of the agenda with any client,” according to Brian Larkin, Digital Planet operations director with HiberniaEvros. “But it is less of a concern than it would have been a few years back, particularly in the area of data protection in the cloud. Companies are more educated now and know what to look for from a potential supplier,” he said.