Data centres need to lift their standards

Having the correct data centre security in place is vital.

The ‘cloud’ has been growing rapidly. Data centres have an increasingly critical role in the supply of effective and efficient cloud-related services, but adoption can be hindered by concerns over data centre security. Having the correct data centre security in place is vital.

The ‘correct level’, however, is not always clearly defined, and clients don’t often know what questions they should ask of a service provider. It becomes important, therefore, that data centres implement controls as part of their risk mitigation strategy. Where data centres fail to provide business continuity or personnel security, customers are at risk (and often unaware of this fact). It is unacceptable.

Not only is it imperative that data centre providers have the appropriate security measures in place, but they should also establish strong communication channels to quickly notify their customers of any security breach. This issue was highlighted in a recent incident with a Victorian data centre provider.

Whilst it was argued that the data centre provided services as per contract, how they managed to get away with omitting to employ backup and recovery services should be questioned. Another example involving a large Japanese gaming company included a breach which was discovered days before affected customers were advised.

It’s a big challenge for data centres to ensure adequate compliance and assure their clients that they use robust, sustainable and secure processes in the provisioning of their services. Data centres have moved from merely providing physical premises, redundant power, network and environmental controls, to a much more complex environment that is governed by legal and regulatory frameworks with (sometimes conflicting) multiple service contracts.

As data centres move into offering fully managed services, they also have a duty of care for their customer information and ICT assets. Knowing what information assets they have, how they should be handled and when a security breach should be reported becomes crucial — and is a question that clients should ask.

Like most other developed nations, Australia has a regulatory framework and various policies issued by state and federal governments with which custodians of information assets must comply. However, unlike other nations such as Japan, the USA and various European countries, failure to comply with the policies does not result in disciplinary or financial penalties. Whilst standards and mandates exist in Australia, they are not policed to a level sufficient enough to lead to desired behaviours.

While it has been argued that Australia is fairly secure, being geographically separated from the rest of the world, from a technological point of view this safety net is no longer applicable. Network connectivity and adoption of cloud-based services have crossed geographic boundaries. Organisations in foreign nations that fail to comply with regulations are fined and potentially prosecuted, and they therefore take a far more serious approach to adoption of industry standards and implementation of mitigating controls. On this basis, it could be argued that Australia’s ‘cloud’ security is somewhat lower than the rest of the world’s.

So how can Australian data centres ensure they are secure?

When analysing how to manage compliance risk and the numerous (and sometimes conflicting) customer contracts, a data centre will often choose to implement a suite of technologies. Whilst technology is a significant part of the total solution, it is imperative that the solution design begins with an understanding of the business objectives and underpinning processes. This enables identification of core assets and the ability to conduct a thorough risk assessment on how those assets may be affected and/or compromised.

This thought process is specified in various management systems standards such as ISO 27001 — information security; ISO 20000 — IT service management; ISO 14000 — environmental management and ISO 9001 — quality management.

A data centre needs to be able to take a systemic view of its risk profile and not only build a solution that meets its current challenges, but also build a solution with the agility to cater for an ever-changing business environment and threat landscape.

Certain large data centres in Australia already have robust processes in place in the way their services are provided to clients. Some have even attained internationally recognised certification to the Information Security Management Standard ISO/IEC 27001 and the IT Service Management Standard ISO/IEC 20000. With such data centres it is easy to identify specifically what services are provided, what controls are in place, and why controls are implemented a certain way.

Asking if a data centre is certified is an easy way for a customer to identify security standards. As a result, clients engaging with such data centres know what to expect. If they need a particular control or service implemented, they can see if it is included, and if not, they are aware of their risk.

The not-so-good data centres have no managed processes in place and will treat every individual contract on its own merits. This can lead to both process and cost inefficiencies for the data centre and will increase their risk, ultimately affecting their sustainability. The increased cost resulting from this inefficiency is then passed on to the customer.

Having a common standard in place could eliminate these risks and inefficiencies. It would also improve interconnectivity and interoperability between systems and business environments and help manage expectations of internal, external and regulatory stakeholders.

Even though there are no strict guidelines or legislation currently in place to comply with standards such as ISO 27001 and ISO 20000, it is only a matter of time before Australia is brought into line with other countries and regulations are introduced. With many data centres now also in the process of providing cloud-based services, data centres and customers alike must realise that we cannot wait for a new set of standards to be developed — the security risks are too high and the cloud migration has begun.

Security and service management are core to data centre operations and customers need to be able to feel that their data is safe. The development and implementation of a standards-driven system would provide crucial peace of mind and an assessable industry baseline which is vital for data centres to remain competitive in an increasingly crowded cloud.


Stories by Brahman Thiyagalingham
