UK gov issues new datacentre security guidance
The UK’s NCSC and CPNI have laid out a datacentre security strategy for owners and users of datacentre facilities, covering everything from physical and cyber security to supply chain and personnel.
The National Cyber Security Centre and Centre for the Protection of National Infrastructure datacentre security guidance covers seven areas of risk: Geography and ownership security; Data centres’ physical perimeter and buildings; The data hall; Meet-me room considerations; People security considerations; Supply chain considerations; and Cyber security.
Here's the guidance for datacentre owners and datacentre users.
"There is no one-size-fits-all approach to holistic data centre security. Every data centre operator and user will need to consider this guidance based on their own risk assessments. This guidance contains the security considerations you need to be aware of to make sure your data stays protected," the CPNI's advice noted.
Each section goes through up to a dozen or so different considerations – for example under physical security, the guidance looks at everything from hostile reconnaissance to cable pit security.
“Operators and users of data centres have a clear responsibility to protect the data that they hold and process – failing to do this poses a massive financial, reputational and, in some cases, national security risk,” said NCSC technical director Dr Ian Levy in a press release.
“Owning these responsibilities means understanding the array of methods that malicious actors could use to compromise a data centre both physically and digitally. I urge operators and users of data centres to consult this joint guidance and adopt the holistic security strategy it recommends.”
Datacentre security is a growing consideration, as the UK – and particularly London – remains the largest, and the second-fastest-growing, location for datacentres in EMEA. The Data Centre Report from Knight Frank and DC Byte showed London had almost 940MW of live datacentre capacity measured by power consumption, ahead of Amsterdam on 898MW and Dublin on 699MW.
While the guidance may not offer anything revolutionary to seasoned security professionals, it does provide a clear and comprehensive checklist for enterprises to follow, whether they are setting up their own datacentre or provisioning space in a facility.
The Meet-me Rooms section is a good example of this, giving a list of eight questions to put to a datacentre operator, from access control and types of racks to entry and exit searches and asset destruction.
The guidance also includes short case studies highlighting the importance of various datacentre security aspects, referencing the 2021 Meta outage, and a 2015 breach at the US Office of Personnel Management. Under the Geography section it notes Russia’s FSB and China’s government authorities both have the right to access data or compel organisations to assist them.
Russia's invasion of Ukraine has provided an unfortunately salient example of the importance of physical datacentre security; following the ejection of Russian banks from SWIFT, local police in Thurgau, Switzerland stepped up their protection of the town's SWIFT datacentre, one of three the company operates. (We should note the new security perimeter set up by the police is in large part for show: the datacentre in question is heavily protected, and mostly underground.)
The CPNI, which is part of MI5, takes its own security very seriously, to the point that its press release quotes the organisation’s director but does not reveal their name. The Home Office and the NCSC said they were unable to reveal the director’s identity.
“Data centres and the data they hold are invaluable to the UK’s economy, security and prosperity. Threat actors constantly seek to evolve their methods to exploit any weaknesses in data infrastructure security, often concurrently,” said the unnamed head of CPNI in the release.
“To minimise the risk of a breach it is critical that data centre security is viewed holistically with physical, people and cyber security risks considered with other factors such as where in the world infrastructure is located. By doing so, data centre owners and users can better safeguard their customer’s data, their business operations and keep the UK’s digital infrastructure running,” they added.
“In this period of stark geopolitical uncertainty, there is no better time than now for data centre operators and users to read the full guidance and make sure they’re best protected.”