On October 1, 2021, Facebook went down for several hours, taking Instagram and WhatsApp with it, and costing the company nearly $100,000 in revenue.
This ended up being both an information security issue (someone made a protocol error during maintenance that caused the outage) and a physical security issue (Facebook runs everything, including its buildings’ door locks and internal messaging, using Facebook). The incident illustrates a key point — data centers are the heart of your organization as well as its brain. What should organizations know about server safety in 2022?
8 issues facing data centers in 2022
Physical security is an important issue for data centers: Most of the time, we think of cyber security when we think of servers, but, as the Facebook outage showed us, data center security also encompasses physical security concerns. Organizations need to make sure their data centers, or data rooms, are physically secure. That means ensuring the doors are controlled, the climate is controlled and the room itself is safe from issues like water leaks or other incidents that can damage servers. Don’t just focus on the cyber side of security.
Many organizations are complacent about access control: As a security consultant, the top problem I’ve seen in nearly every single organization with a data center is access control. Almost all organizations use the same access control on their data center that is used throughout the whole facility. The data center should be on a separate access control system, so that if the organization’s access control is compromised, the data center is still secure.
Power outages: You cannot simply rely on the electrical grid to power your servers. Make sure you have a backup power source, and a backup for that backup. Servers take a long time to boot up – and if your servers are down for a long time, that means a huge interruption of productivity and revenue.
Unvetted contractors: If you use contractors to service your data rooms, use the same vetting process you use for hiring employees, if not a tighter one. I’ve learned that many organizations don’t have a strong hiring process, and often, for contractors, it’s even worse. Don’t assume the company you’re hiring a contractor from has completed background checks or spoken to references. If they’re going to be in your data center, vet them thoroughly.
Companies don’t always consider the hazards of the area they build a data center in: Ty Richmond, president of Allied Universal and a member of the CSO Risk Council, tells a story in the council’s book, A Culture of Risk, about a data center built in Georgia by a company based in California. The building was designed using Californian standards and didn’t take into account the fact that Georgia has cold, snowy winters. One winter, the pipes froze, burst, and soaked the servers. Know the area you’re building your data center in. Make sure it’s secured against any possible natural disaster. The best data center I’ve ever seen in my own career belongs to an insurance company. It’s a standalone building able to withstand an F4 tornado, with two layers of access control, a man-trap system, and a room full of car batteries as one backup power source. This company had prepared for all foreseeable problems.
There aren’t cameras in server rooms: It’s hard to know who is tampering with servers if there are no cameras in your server rooms. However, many companies don’t use cameras in server rooms because the feed could compromise security if it is hacked by a criminal. If your company has a policy against cameras in server rooms, make sure cameras monitor every ingress and egress point, so you know who has been in the room at all times.
Social engineering attacks: Social engineering attacks are more than simply phishing campaigns. A criminal can also con their way onto your site without using technology. Test your data center staff’s competency when it comes to checking badges, calling security on people they don’t know, and confirming whether or not a phone call or message is coming from a trusted source.
Data centers are assets and should be protected
If your data center goes offline, you’re likely to face significant problems, so physical security needs to be on organizations’ minds at least as much as cybersecurity is. Criminals don’t necessarily separate the two when they’re trying to gain access to your assets, so security leaders shouldn’t either.