The ‘cloud’ has been growing rapidly. Data centres have an increasingly critical role in the supply of effective and efficient cloud-related services, but adoption can be hindered by concerns over data centre security. Having the correct level of data centre security in place is vital.
The ‘correct level’, however, is not always clearly defined, and clients often don’t know what questions they should ask of a service provider. It becomes important, therefore, that data centres implement controls as part of their risk mitigation strategy. Where data centres fail to provide business continuity or personnel security, customers are at risk (and often unaware of this fact). This is unacceptable.
Not only is it imperative that data centre providers have the appropriate security measures in place, but they should also establish strong communication channels to quickly notify their customers of any security breach. This issue was highlighted in a recent incident with a Victorian data centre provider.
Whilst it was argued that the data centre provided services as per the contract, how it managed to omit backup and recovery services altogether should be questioned. Another example, involving a large Japanese gaming company, was a breach that was discovered days before the affected customers were advised.
It’s a big challenge for data centres to ensure adequate compliance and assure their clients that they use robust, sustainable and secure processes in the provisioning of their services. Data centres have moved from merely providing physical premises, redundant power, network and environmental controls, to a much more complex environment that is governed by legal and regulatory frameworks with (sometimes conflicting) multiple service contracts.
As data centres move into offering fully managed services, they also have a duty of care for their customer information and ICT assets. Knowing what information assets they have, how they should be handled and when a security breach should be reported becomes crucial — and is a question that clients should ask.
Like most other developed nations, Australia has a regulatory framework and various policies issued by state and federal governments with which custodians of information assets must comply. However, unlike other nations such as Japan, the USA and various European countries, failure to comply with these policies does not result in disciplinary or financial penalties. Whilst standards and mandates exist in Australia, they are not policed to a level sufficient to lead to the desired behaviours.
While it has been argued that Australia is fairly secure, being geographically separated from the rest of the world, from a technological point of view this safety net no longer applies. Network connectivity and the adoption of cloud-based services have crossed geographic boundaries. Organisations in foreign nations that fail to comply with regulations are fined and potentially prosecuted, and they therefore take a far more serious approach to the adoption of industry standards and the implementation of mitigating controls. On this basis, it could be argued that Australia’s ‘cloud’ security is somewhat lower than the rest of the world’s.
So how can Australian data centres ensure they are secure?
When analysing how to manage compliance risk and the numerous (and sometimes conflicting) customer contracts, a data centre will often choose to implement a suite of technologies. Whilst technology is a significant part of the total solution, it is imperative that the solution design begins with an understanding of the business objectives and the processes that underpin them. This enables the identification of core assets and a thorough risk assessment of how those assets may be affected and/or compromised.
This thought process is specified in various management systems standards such as ISO 27001 — information security; ISO 20000 — IT service management; ISO 14000 — environmental management and ISO 9001 — quality management.
A data centre needs to be able to take a systemic view of its risk profile and not only build a solution that meets its current challenges, but also build one with the agility to cater for an ever-changing business environment and threat landscape.
Certain large data centres in Australia already have robust processes in place governing the way their services are provided to clients. Some have even attained internationally recognised certification to the Information Security Management Standard ISO/IEC 27001 and the IT Service Management Standard ISO/IEC 20000. With such data centres it is easy to identify specifically what services are provided, what controls are in place, and why the controls are implemented a certain way.
Asking whether a data centre is certified is an easy way for a customer to identify the security standards it operates to. As a result, clients engaging with such data centres know what to expect. If they need a particular control or service implemented, they can see whether it is included, and if it is not, they are aware of their risk.
The not-so-good data centres have no managed processes in place and will treat every individual contract on its own merits. This can lead to both process and cost inefficiencies for the data centre and will increase its risk, ultimately affecting its sustainability. The increased cost resulting from this inefficiency is then passed on to the customer.
Having a common standard in place could eliminate these risks and inefficiencies. It would also improve interconnectivity and interoperability between systems and business environments and help manage expectations of internal, external and regulatory stakeholders.
Even though there are no strict guidelines or legislation currently in place to comply with standards such as ISO 27001 and ISO 20000, it is only a matter of time before Australia is brought into line with other countries and regulations are introduced. With many data centres now also in the process of providing cloud-based services, data centres and customers alike must realise that we cannot wait for a new set of standards to be developed — the security risks are too high and the cloud migration has begun.
Security and service management are core to data centre operations, and customers need to be able to feel that their data is safe. The development and implementation of a standards-driven system would provide crucial peace of mind and an assessable industry baseline, which is vital for data centres to remain competitive in an increasingly crowded cloud.