How to choose the safest data center [Q&A]
Data centers around the world are currently home to an estimated 1,327 exabytes of data. This information has a potentially huge value so it needs protecting.
But as more businesses choose to trust their information to external data centers, how can they be sure that it's going to be properly secured? We spoke to Oliver Pinson-Roxburgh, CEO of Defense.com, to find out how organizations can choose the most secure data center possible.
BN: What are the biggest risks when migrating your data?
OPR: When you migrate your data to a new data center, you have to consider the inherent risks of the operational technology (OT) used by most data centers. Because the security systems used in many of these centers are outdated, they can be vulnerable to attack. In many cases, these outdated systems are insecurely connected to the internet, leading to a situation where a threat actor can access both IT and OT security systems simultaneously. This is why it's important to consider the strength of a data center's OT security when migrating your data. If an OT system is compromised, it could lead to data center-wide outages or disruption to service and, in the worst-case scenario, could lead to the data center customer networks being compromised.
BN: What questions should you be asking data center providers?
OPR: When chatting to various data center providers, the questions to be asked are surprisingly simple. First and foremost, you should ensure that the storage environment is suitable, focusing questions on air conditioning, the correct bolting of data racks, and power supplies. Once you know the environment is right, questions should move towards network and operational technology security. As the customer, it's imperative that both are secure. Finally, you should ask questions about procedural and technical security. Don't be afraid to take a 'paranoid' approach -- asking the correct questions is vital to ensuring your data is secure.
BN: Are there warning signs that a provider may not be right for you?
OPR: Legacy security systems are a tell-tale sign that a data center might not be secure. When many data centers in the UK were originally built, the technology used to provide building control and management systems didn't focus entirely on security. Unfortunately, equipment for data centers can be very costly, so the upgrade to new and updated technologies isn't going to happen overnight. Businesses should focus on providers who have clearly taken steps to modernize their security systems and policies -- investment in air-gapping is an excellent indicator of a firm commitment to this goal. Data centers that don't hold cybersecurity certifications like ISO and PCI should be challenged. It is also worth asking whether the data center is carrier agnostic or not. If not, they manage the networks your servers sit on, and you rely on them for network security. Ask them what you get and be clear about the shared responsibility model. These considerations are very similar to moving to the cloud. Cloud providers will give you enough rope to hang yourself with, so make sure you harden and monitor in both scenarios.
BN: How can you compare data center pricing?
OPR: The data center market is already full of so many providers. So companies shouldn't necessarily be concentrating on comparing pricing, as they are often very similar between centers. Instead, they should set up their own baseline requirements. This baseline should focus on important and often overlooked aspects such as access location, networking requirements, the company's inner workings, and who you can contact if something goes wrong. Once you've figured out this baseline, you can then narrow down the field and begin comparing costs.
BN: What aspects of the data center can serve to boost your data security?
OPR: There’s a common misconception that links between two data centers are inherently secure because that link is direct, but this often isn't the case. Providers buy a link between two data centers and it goes over the internet, using MPLS or VPLS, which are both very different to a 'normal network' and far more secure modes of transport. However, there is still no dedicated fiber connection in the ground. Because of this, threat actors could still access that connection should they want to or have the determination to gain access. If I was to get one key message across to any customer trying to keep their data secure, it's this: as soon as any data leaves your physical rack, it should be treated like anything else on the internet. This mindset will go a long way to keeping your data safe.