The Cloud Goes Underground: Why Physical Data Center Security Matters
View the original article published in Mission Critical magazine: https://www.missioncriticalmagazine.com/articles/90013-the-cloud-goes-underground
Extreme weather, seismic events, and even rodents have compromised the physical security of cloud servers and other data center infrastructure. Selecting an underground colocation facility with above industry standards provides the solution to these and other threats.
With cyberattacks such as Petya and WannaCry making big headlines recently, it’s understandable that fortifying cybersecurity is top-of-mind for many CIOs. Last May, WannaCry invaded 200,000 computers in 150 countries, including the U.S., UK, Russia, and China, as it attacked hospitals, banks, and telecommunications companies.
A mere six weeks later, Petya struck — first hitting targets in the Ukraine, including its central bank, main airport, and even the Chernobyl nuclear power plant before quickly spreading and infecting organizations across Europe, North America, and Australia. Its victims included a UK-based global advertising agency, a Danish container ship company, and an American pharmaceutical giant.
Virtual Security Is Only Half the Equation
According to the 2017 BDO Technology Outlook Survey, 74% of technology chief financial officers say cloud computing will have the most measurable impact on their business this year, while IDC predicts that at least 50% of IT spending will be cloud-based in 2018. Although cyberattacks remain a significant threat in this environment, it’s important to remember that virtual security is only half of the equation. With the cloud growing ever more critical to businesses, ensuring the physical security of cloud servers is also essential.
Physical security at the colocation or data center facility is critical to effectively safeguarding not only cloud computing, of course, but also mission-critical business applications, data storage, networking, and computing related to Big Data analytics and emerging technologies such as artificial intelligence and IoT-enabled devices. To be fully secure, companies must ensure that their colocation provider can deliver a high level of physical resilience on-site. As evidenced by the devastation wreaked by Hurricanes Harvey and Irma, these physical threats include extreme weather events, but also seismic disturbances, breaches by unauthorized intruders, and given the current geopolitical climate, terrorism.
Explosives and Squirrels
In recent years, many customers have deprioritized physical security from their data center to-do list. However, physical threats remain real and have the potential to become much more sophisticated. As the late Uptime Institute founder Kenneth Brill wrote, “The oldest cyber frontier is actual physical attack or the threat of attack to disable data centers. Previously in the realm of science fiction, asymmetrical physical attacks on data centers by explosives, biological agents, electromagnetic pulse, electric utility, or other means are now credible.”
While electromagnetic pulses do sound like the stuff of science fiction, some physical security breaches perpetrated against data centers have been more suggestive of a Quentin Tarantino crime drama, and others, a Pixar animated movie for children starring woodland creatures. This is not to minimize the economic impact or the damage these attacks on record have caused to business reputation.
Consider the Chicago-based data center that experienced a physical security breach not once but twice in the span of two years. In the first breach, a lone IT staffer working the graveyard shift was held hostage and his biometric card reader taken from him, allowing the masked assailants to freely enter the facility. They made off with computer equipment estimated at a cost of upwards to $100,000. In the second, resourceful miscreants managed to break through a wall using a chainsaw and stole servers.
Yahoo once saw half its Santa Clara data center taken down by squirrels that managed to chew their way through powerlines and fiber-optic cables. Google “Yahoo and frying squirrels” if you think this episode is referenced merely for entertainment purposes. It is not.
Among the most infamous physical breaches to have taken place was a 2011 attack on Vodafone’s data center in Basingstoke, England. A gang broke in and stole servers and networking equipment, causing systems to go down and the telecom company’s business reputation to suffer greatly.
The Rock-Solid Safety of Colocating Underground
For some companies, the cloud and IT infrastructure altogether have moved even farther from the skies to underground data centers. Data center operators have been retrofitting underground bunkers into functional data centers for many years. But as security and energy demands as well as concerns about terrorism have lately intensified, there’s an increasing trend towards building subterranean colocation facilities to host mission-critical infrastructure and data.
Today, you’ll find underground data center facilities in Lithuania, the Netherlands, Switzerland, Ukraine, the United Kingdom, and Sweden, as well as the U.S. Some of these facilities were previously the site of mining operations while others were originally Cold War era bunkers designed to protect citizens in the event of a nuclear attack.
Surrounded by rock, underground data centers are highly physically secure, and since subterranean temperatures are naturally regulated, environmental conditions are more efficient. But not all underground data centers are created equal. Key design factors to consider during the site selection process include utilities infrastructure, availability and capacity of fiber-optic systems, the risk of natural and man-made risks, and how well the physical perimeter of the facility can be secured.
The issue of location is especially critical, and any data center selection needs to consider whether the facility is in a flood zone or if the region has an unstable seismic profile. The most fortified underground data centers also implement multi-layered security access methods, including visual inspections from multiple 24×7 guard stations, keycard access, video monitoring, and biometric scanning. Best practices incorporate mantraps and restrictive access policies for each customer’s space, providing security within each zone of the facility.
To ensure business continuity, it’s advantageous that all critical infrastructure of a subterranean data center be located underground. This extends to dual utility feeds backed up by two MW generators and N+1 critical infrastructure components, including UPS, chillers, and battery back-up. Such a design is further enhanced by being a SOC 2, Type 2 certified data center, ensuring the customer’s confidence in the provider’s 100% uptime guarantee, if indeed they offer one at all.
And because connectivity means everything, subterranean facilities should also have access to high-speed, carrier-class internet and data services through a fiber network that runs in and out of the data center via multiple fiber paths and entrances.
From presidential bunkers and NORAD facilities hosting military analysts, to scientists studying astrophysics in subterranean laboratories, and to Warner Brothers film archives stored safely away from the elements, some of the world’s most essential personnel, valued assets and activities are located underground, protected from natural and most man-made disasters. So, why should your cloud servers and critical data be any different?
But the crux of the matter is this: while cyberattacks are on the increase and the cloud can be vulnerable, the importance of physical data center security cannot be overstated. The underground data center is a prime example of using the earth’s resource to offer protection from natural and unnatural disasters.