What are the key physical security threats currently facing owners, operators, and users of data centres, and are these facilities now considered prime targets? Is security taken seriously enough and what can be done to mitigate any risks and protect data centres from those with malicious intent?
Data centres are increasingly at risk from an array of physical threats, from the potential theft of data by those on the inside to attempts by those with malicious intent to break in or, in extreme circumstances, destroy the business.
The ongoing challenge is around who is likely to commit such crimes and their motives – a potential perpetrator may not always seem the obvious criminal. For example, in April of this year, a misplaced belief that damaging the buildings that “run 70 percent of the internet” would frustrate the “oligarchy” in power in the United States is alleged to have been behind a Texan’s plot to bomb an Amazon Web Services facility in Virginia.
This is just one incident that was thankfully foiled, and whilst these attacks may be a rarity, data centre operators are becoming more cautious today than they were even five years ago. In our view there are three major physical security risks:
- the insider who either has a grievance or is generally untrustworthy, or an unassuming impersonator
- corporate damage through espionage or deliberate intent to destroy a government or corporate entity and its reputation
- theft of hardware, such as servers within the racks, or theft of data using devices that are secretly taken into the data centre. One extreme example came in 2007, when a Verizon building in London was infiltrated by a group of men who, posing as police officers, tied up five employees before stealing computer hardware.
Security firms have experienced an increase in demand for improved security to mitigate the risk of such threats. There has been a scaling up of operations and technology, including an increased physical presence, thermal-imaging CCTV, tighter access control measures, pre-authorised access checks, and the installation of state-of-the-art security pods at entrances.
To address these unknowns, the security industry must implement significant changes to standard operating procedures and stay one step ahead of its clients. While such events may be rare, data centre operators must be mindful that it does not take scenes lifted from the script of a Hollywood heist movie to realise the significant disruption security breaches can cause.