Professional Documents
Culture Documents
Introduction 04
Risk management 06
Resilience 08
Key types of data centre 10
7 security risks 12
Geography and ownership risks 12
Risks to data centres’ physical perimeter and buildings 14
Risks to the data hall 16
Risks to the meet-me rooms 20
People risks 22
Risks to the supply chain 24
Cyber security risks 26
INTRODUCTION CASE STUDIES
1 2 3
Data centres and the data they To combat these diversified threats, we need to
hold are attractive targets approach data centre security holistically. By bringing
together the physical, personnel and cyber security T-Mobile United States Meta
of data centres into a single strategy you can better Office of Personnel
One of the UK’s most valuable assets is its data. withstand the diversified methods state threat actors, Management (OPM)
Together with the data centres that hold and cyber criminals and others may use to attack them. In July 2021, a Turkey-based In October 2021, a misconfigured
process it, it underpins almost all facets of modern individual claimed to have gained piece of networking equipment
life. This makes data centres an attractive target for There is no one-size-fits-all approach to holistic data unauthorised access to over 100 In June 2015, the United States involved in ensuring
threat actors, due to the large and diverse amount centre security. Every data centre user will need servers based in the United States Office of Personnel Management interconnectivity between US
of information they hold that supports our national to consider this guidance based on their own risk belonging to telecommunications (OPM) revealed that sensitive company Meta’s data centres
infrastructure and businesses. assessments. This guidance contains the security provider T-Mobile. This access information relating to millions of caused a global outage of its
considerations you need to be aware of to make sure was reportedly initially gained US federal employees had been services for over six hours. This
The opportunities for attack are diverse. Threat actors your data stays protected. by remotely exploiting a exfiltrated via an intrusion on its outage affected billions of Meta’s
will target vulnerabilities in data centres’ ownership, misconfigured router on the networks. users and businesses who were
geography, physical perimeter, data halls, meet-me This guidance is laid out by key areas of risk company’s network. unable to access the company’s
rooms (MMRs), supply chains, staff and cyber security This information included platforms Facebook, Instagram,
in a concerted effort to breach data centres’ defences Each of these areas should be considered when T-Mobile subsequently classified details of federal WhatsApp and Messenger.
and acquire or tamper with sensitive information or developing a risk management strategy that confirmed in a statement that employees, including their level
disrupt critical services. encourages a holistic security approach in data centres its systems had been accessed of security clearances, personal The outage was prolonged
– moving from where the data centre is located, and in an unauthorised manner and and family information and their because Meta managed its own
The security and resilience of your data and who manages and operates it, to protecting against information belonging to several biometric details. data centres, so the issue could
infrastructure are critical. cyber threats. You should use this guidance to inform million customers were exposed. not be resolved remotely. Instead,
your own risk management strategy that is unique to This information is reported to The breach is reported to have a team of engineers had to visit
High-profile data breaches and disruption to services your organisation’s needs. have included the names, dates of been facilitated by a combination the affected data centres in
are frequently reported with each incident causing birth and telephone numbers of of poor cyber security measures, person to reconfigure the affected
operators and data owners potentially huge financial Yellow call out boxes indicate that further guidance customers. including a lack of two-factor equipment.
losses in regulatory fines, loss of sensitive IP, downtime, can be found on a specific topic. A full list of URLs for authentication and sub-standard
post-incident recovery, security improvements, and all the CPNI and NCSC guidance referenced within this malware protection. This incident compounded
perhaps most valuably of all, reputation. document is available at page 32. https://www.zdnet.com/article/t- reputational issues that Meta
mobile-hack-everything-you- State-sponsored Chinese hacking was facing at the time, and
Cyber intrusion methodology evolves constantly, need-to-know/ groups are reported to have shortly after the outage, Meta’s
and sophisticated attackers have a strong incentive conducted this attack in order to share price was reported to have
to defeat the defences you put in place. It should be increase its intelligence collection dropped by 4.9%
assumed that at some point your defences will be on American citizens.
breached and therefore it is also important to be able
respond proactively by detecting attacks and having https://www.theguardian.
measures in place to minimise the impact of any cyber https://www.csoonline.com/ com/technology/2021/oct/05/
security incidents. article/3318238/the-opm- facebook-outage-what-went-
hack-explained-bad-security- wrong-and-why-did-it-take-so-
practices-meet-chinas-captain- long-to-fix
america.html
https://www.nytimes.
com/2021/10/04/technology/
facebook-down.html
Data Centres - Guidance for Users | 4 5 | Data Centres - Guidance for Users
RISK MANAGEMENT
Implementing a risk management strategy Is your data centre robust? This information should be used to inform your
organisation’s risk-based assessments and wider risk
management strategy, regardless of whether you are a
Data centre operators and their customers should have individual risk management strategies As a data centre customer, you will want to seek data centre owner, or a data centre customer.
designed to protect their critical assets and systems. assurances that a data centre is robust enough to
hold your sensitive data, whether that is financial, Should you judge these threats to pose sufficient risk
CPNI’s risk management framework encourages any organisation to follow these steps to manage risk: communications, medical, travel or other kinds to your own assets and systems, we provide further
of personal data belonging to your customers information on the mitigations you might consider to
or staff, or your own sensitive commercial data. better manage these risks, and where appropriate, we
» Identify your assets. Doing so securely also ensures your reputation and will direct you to CPNI or the National Cyber Security
commercial advantage. Centre (NCSC) comprehensive guidance on each topic.
» Categorise and classify your assets in relation to their level of criticality in supporting your business. To be most effective, risk management strategies You can also learn more about how to approach
will be driven by senior leaders who understand the protective security risk management in more depth
risks and protective security options available to help on CPNI’s website.
» Identify threats (based on intent and capability). mitigate these risks.
The NCSC also provide guidance on approaching risk
The areas of security risk relevant to both data centres, management from a cyber security perspective.
» Assess the risks, based on the likelihood of the threat happening and the impact should the threat and the data they hold, are detailed throughout this
transpire. guidance.
» Build a risk register to allow senior decision-makers to make informed judgements on risk appetite and
resource allocation.
» Develop a protective security strategy for mitigating the risks identified and review the adequacy of
existing countermeasures.
» Implementation: propose new proportionate measures using a process, such as the CPNI Operational
Requirement (OR) process.
» Review the process periodically and when there is a change in threat or change in operational
environment.
» Recognise that risk management strategies between data centre operators and their customers are
interdependent.
A wide range of attacks As there is extensive guidance available on data centre resilience, we will not cover it in detail here. However,
there are some questions about resilience that we would advise a data owner to ask of a data centre operator to
ensure they are less vulnerable to deliberate acts to disrupt services:
While less likely than attacks that focus on
Ensuring that a data centre
acquiring or degrading data, threat actors may
also seek to disrupt services by targeting data is resilient is key » Can the data centre demonstrate that it has physically separate communications routes into the
centres through either a destructive cyber- For data centres, worst case risk scenarios data centre?
attack or a physical attack against a data tend to focus on availability issues such as
service disruption due to natural hazards,
centre.
power outages, hardware failures or » Can the data centre demonstrate it has diverse power supply and backup power options?
denial-of-service attacks.
OVHCloud
Data centres need to ensure they are » Are the building service rooms critical to the functioning of the data centre (e.g. electrical, battery and
As demonstrated by the October 2021 Facebook resilient against a range of threats mechanical rooms, backup generators etc.) protected from physical attack and sabotage?
outage incident, the cascading effects of a loss of and hazards. They are typically already
service can be huge. designed to be resilient to these types
of availability issues, with numerous » Can data centre operators demonstrate that in the event of a physical or cyber incident, they have
In March 2021, a fire broke out at French cloud standards and guidance widely available. sufficient people power, e.g. adequate numbers of security personnel, engineers, and other incident
services provider OVHCloud destroying one of its four We provide some of these standards in management staff, who can provide a sustained response?
data centres and damaging another at its Strasbourg the additional resources section at the
campus in France. This resulted in the company end of this guidance.
directing its clients, which include the French » Can the data centre demonstrate a resilient and diversified supply chain, including services, hardware,
government, to activate their disaster recovery plans and software, which can withstand disruption and minimise bottleneck effects?
and reportedly denied access to a large number of
domains and services.
Lastly, you should consider using multiple data centres or storage locations to increase resilience and reduce the
associated risk of having a single point of failure.
Data Centres - Guidance for Users | 8 9 | Data Centres - Guidance for Users
KEY TYPES OF DATA CENTRE
There are several options for the type of data centre The hybrid model – a customised data-hosting
you may choose as a data owner. They offer different package provided by a third-party in a data centre.
levels of service which can impact the control you have The servers you use can be dedicated or shared with
over security arrangements. other customers. This option removes the need to hire
staff and places responsibility for security on the third-
It is important to remember that as a data owner, party. While attractive from a convenience point of
whichever option you choose to go with, the view, you have less oversight or control of your security
responsibility for managing the risks to your arrangements.
information remains with you.
Cloud-hosting data centres
You should therefore understand the benefits and
disadvantages of each option and use this to inform Your data is stored in a network of servers across
your risk management strategy. different data centres, in different locations, which
increases your flexibility to scale at speed and may also
Enterprise or ‘wholly-owned’ data centres improve your resilience in the case of an outage due
to the distributed nature of your data. However, you
These are data centres that an organisation solely will need to be clear on how your data is stored and
owns and operates for their own use, giving managed; where and how your data will be moved,
complete oversight of your security and operational stored, or split while in the cloud, for example. Cloud
arrangements, but often incurring higher costs. service administration systems are often also highly
privileged: if they are compromised, they could have a
Co-located data centres significant impact on your data.
These are centres where your organisation’s data The NCSC provides comprehensive guidance on the
system is housed within a shared facility, along with use of cloud services and their security.
other organisations’ data. This is often more cost-
effective due to the lack of upfront costs of building The table below summarises the degree of control you
and running a data centre. While this option allows may have over areas of risk for data centres, depending
flexibility and the ability to scale at speed, you don’t on the option you choose:
have sole access to the data centre and may have
fewer (or no) customisable security options.
Where is your data stored? obliged to provide CSPs or commercial companies UK GDPR considerations
with any details of their monitoring by SORM. To prevent this you can take a number of steps:
Managed hosting or cloud hosting providers may The UK General Data Protection Regulation (GDPR)
sometimes seek to store your data or manage your This may mean that you are unaware of how your sets out key principles which data controllers and » Conduct your own due diligence
service in multiple locations, including outside of the sensitive communications and information may data processors must comply with when processing Be sure to conduct appropriate due diligence on
UK. When this happens, it is important you know where be used in Russia or with Russian individuals and personal data, including restrictions on personal data who is invested in the data centres you use and
your data is stored and from where it may be accessed. companies. being transferred out of the UK unless the jurisdiction consider their geography and ownership.
has adequate levels of data protection or there are
Some governments mandate easy access to privately appropriate safeguards in place. Failure to comply
held information in data centres within their countries. with the principles of the UK GDPR can result in » Create contractual agreements
Here are two examples: Once you are confident substantial fines – up to 4% of your company’s total
worldwide annual turnover, or up to £17.5 million
You should consider contractual clauses that
could ensure that your data will remain in the
Russia’s System of Operative Search Measures (SORM) that where your data is (whichever is higher) in the most serious cases, as UK, regardless of who takes ownership of the
allows Russia’s domestic intelligence agency, the well as potentially damaging your reputation. data centre, and that you are forewarned of any
Federal Security Service (FSB), to covertly monitor stored is consistent with FDI or ownership changes that happen after
Data Centres - Guidance for Users | 12 13 | Data Centres - Guidance for Users
2
RISKS TO DATA CENTRES’ PHYSICAL
PERIMETER AND BUILDINGS
Securing the perimeter and site success for the attacker. Taking this approach allows » Have you discussed with the data centre the system used to control and monitor the mechanical
you to focus security measures on the asset, which in option of implementing your own detection and electrical equipment in most modern buildings –
In most data centre operating models, security of turn can also help mitigate the risk from insiders. layers to maximise your opportunities for such as ventilation, lighting, power, fire, and facilities
the perimeter, the site, and the building will be the detection, at rack, room or hall level? management functions.
responsibility of the operator. In an enterprise-owned The BAD philosophy is part of the Surreptitious Threat
facility, site security is defined by the enterprise based Mitigation Process (STaMP) which should be used by » If you require multiple racks, have you asked In a data centre, the BMS system usually controls
on its own risk assessment. those responsible for Government-classified data that your data centre provider to locate them the heating, ventilation, and air conditioning (and
is deemed to be under threat from espionage. More together to better control access – and limit humidity). Though BMS tend to be controlled by
Data centre operators should be able to demonstrate information about STaMP, the CPNI Surreptitious the number of cables running across the the data centre provider, a disruption to any one of
they have used a risk-based layered approach to Attack Protective Security Philosophy and its data centre? What level of protection is these systems could cause an outage, potentially
security. The process for implementing security at a principles is available through a CPNI adviser or via our there on cable runs? impacting your network. It is worth finding out what
data centre is no different from implementing security restricted access extranet. measures the data centre has put in place to manage
at any other sensitive or critical site. You should be provided with security details under BMS issues.
What should I be thinking about? a non-disclosure agreement at contract tendering
To counter the threat from forcible attack such as theft stage. Physically visiting a prospective provider is the
or terrorism the 3Ds philosophy should be used. The Although most data owners will not be responsible for best way to ensure the correct levels of protection With this in mind, key considerations relevant to
3Ds ask you to Deter, Detect and Delay attackers. The the external security of the perimeter, site or building, are used. your risk assessment as a customer within a shared
goal is to Deter the attacker from targeting your site there is a number of questions you should ask the data centre include:
or assets by creating a strong security appearance or operator to understand the level of security. You
messaging. Detect attacks at the earliest opportunity, should consider: » Whether you are connected to the data centre
and use security products that Delay the attacker for a provider’s BMS.
period that enables response and intervention prior to » Are there layered physical security measures to
any loss. prevent unauthorised access to critical parts of » What assurances the data centre provider can
the site? give you regarding access to these systems, so
only essential personnel have access with rights
» What types of threats have the security limited to what is needed to undertake their role
Data Centres - Guidance for Users | 14 15 | Data Centres - Guidance for Users
3
RISKS TO THE DATA HALL
Data halls: The heart of the data centre automated access control system (which may » Have you factored in anonymity considerations To agree with the DC owner:
be independent from that used by the data such as the locations of your racks, references to
At a data centre’s heart, you will find data halls. They centre to give you maximum control) or locks your organisation’s name in other areas of the data » Have you agreed the actions your data centre
contain the data servers customers rely on. with an audit function (which can provide the centre, the staff you employ and the uniforms they would take in the event of a fire, power outage
same function without the need for supporting wear? or when maintenance work is required (e.g.
Data centre customers renting entire suites and halls infrastructure). involving the building management system), as
are usually responsible for their own security – effectively well as records of any outages and notification
creating a second perimeter which must be secured. » Enhance security of the automated of planned work? Do you know if fault and
access control system by using two-factor Control of access is maintenance records are kept by the data
Whether you are using network equipment racks
within a shared hall, suite, or your own floor/hall,
authentication and anti-pass-back technology.
especially important centre?
Data Centres - Guidance for Users | 16 17 | Data Centres - Guidance for Users
» Is building services equipment situated outside » Encoded labelling designed to frustrate any mobile phones should be handed in when entering Consideration should be given to the coverage of these
the data hall to reduce the need for plant and attacker’s understanding. sensitive areas. The data centre operator may have systems and how they are managed and monitored
equipment technicians to enter it? a policy on this. If they do not, you could introduce for adversarial behaviour such as spoofing of SSID of
» Keys and code protection to stop unauthorised restrictions on devices in the area you control. network, or use of internet broadcast access points as
» Are you satisfied with post-incident investigation disclosure. an egress route for a covert implant in conventional
policies and procedures in place for unplanned This may include introducing an electronic device equipment.
outages? Will you be provided with sufficient CPNI guidance on protecting your assets contains booking management process, which keeps a register
detail to allow you to identify any suspicious guidance on technology used for access control. of authorised devices and implements controls on Avoidance of use of smart or connected systems (such
patterns to these? their entry and exit to sensitive areas. as wireless fire detection) would be advised to mitigate
CPNI also has guidance on secure destruction. the risk of an actor triggering such a system in order to
Additional measures for protection include: If health and safety is an issue, dedicated phones facilitate a secondary attack.
CPNI also has guidance on the use of CCTV. without additional functionality may help. Signage
» ‘Anonymity’: avoiding labelling racks, rooms, and phone lockers at entrances to sensitive areas can Watch out for crosstalk
uniforms and buildings. increase compliance, along with CCTV monitoring.
External devices Crosstalk is a phenomenon where data travelling
» Regular inspection for signs of damage and CPNI has further guidance on screening people and down a wire can be detected by another wire running
tampering. Any equipment brought into a data centre which can their belongings to identify prohibited items. close to it. This can allow unintentional ‘bleed’ of
store, record, and/or transmit text, images/video, or secure data into insecure networks.
» Minimal cable runs and requesting that your data audio data presents a security risk.
racks are located together if sharing a corridor Mobile phone and personal electronic devices Technical vulnerabilities As additional networks are installed for protective
with other customers. with cameras, apps and network connectivity are a security measures, such as CCTV or access control, there
particularly high risk. It is worth considering whether UK NACE is the National Technical Authority for is an increased chance of crosstalk causing a problem.
technical security. It protects organisations from
technical espionage, keeping information and How do data centre owners demonstrate they have
premises safe from technical attack. measures in place to reduce the risk of crosstalk?
Technical security is the practice of detecting the » Physically segregating secure and insecure
compromise of protective security systems, analysis cabling.
and prevention of technical attack, mitigation of
technology vulnerabilities, and the deployment of » Using shielded twist pair and fibre-optic cabling.
countermeasures.
» Segregating and filtering power between secure
The following technical vulnerabilities should be and insecure systems.
considered:
Radio transmitters are present within a broad range The UK NACE website has more information on
of technology products – from building system sense dealing with crosstalk.
and control (e.g. fire alarms, door locks), to IT network
data transfer (such as wi-fi). These technologies are
vulnerable to manipulation, interception, and denial of
service through a range of techniques, or can be used
to obfuscate technical attacks by operating within
heavily populated spectrum bands (e.g. wi-fi and
Bluetooth).
Data Centres - Guidance for Users | 18 19 | Data Centres - Guidance for Users
4
RISKS TO THE MEET-ME ROOM
» Types of rack
Data centre operators What assurances can providers give you regarding
the security of racks they use?
should strictly limit » Rack locking
access to a meet-me- How does the data centre ensure that racks are
always locked? Are the racks regularly inspected
room. by the data centre provider? Are they vulnerable to
master keys kept by your data centre?
» Anonymisation
Remember: This guidance also applies to points of Are racks sufficiently anonymised to prevent those
presence (PoP) and internet exchange points. with hostile intent from being able to identify
where data is sent?
Given the higher level of risk that MMRs introduce,
here are 8 key considerations to discuss with your » Asset destruction
data centre: Is there a secure asset destruction process?
Is it regularly audited to complement the
» Access control searches conducted on exit? Does it help to
Are CSPs, their contractors and data centre reduce numerous risks including accidental loss,
operator contractors escorted? Are passes espionage, insider attack and theft?
worn and authorised and access lists kept and
reconciled with permit-to-work logs? How is work
Consider risks related to people Certain factors may increase an organisation’s Security culture screening is the process by which you check
vulnerability to insider activity, including: whether a potential candidate is suitable for your
It’s important to mitigate any security risks related Data centre operators will often have a relatively small business.
to people. People and personnel security comprises » Ineffective leadership and governance structures number of their own staff onsite but will be joined
an integrated ecosystem of policies, procedures, to run an insider threat programme. by staff from other organisations. These may include » Staff monitoring
interventions and effects which seek to enhance staff from the data centre’s client organisations While pre-employment screening helps ensure
an organisation or site’s protective security by: employed to provide security and engineering that an organisation recruits trustworthy
» Lack of role-based risk assessment to identify support to their own infrastructure – and other third- individuals, people and their circumstances and
» Mitigating the risk of workers exploiting their specific high-risk roles. party contractors who provide services such as general attitudes change, either gradually or in response
legitimate access to an organisation’s assets for site security, cleaning, and maintenance. to events. Therefore continued staff monitoring
unauthorised purposes; this is known as ‘insider throughout the duration of their employment is
risk’. » Inadequate personnel security measures during The benefits of an effective security culture include: required.
pre-employment screening.
» Optimising the use of people (both workforce » A workforce that is likely to be engaged with, » Security training for staff
and, where appropriate, the public) to be a force and take responsibility for, security issues. Dedicated, motivated and professional security
multiplier in helping to prevent, detect and » Inadequate ongoing personnel security policies staff are an essential component of any protective
deter security threats. and procedures, limiting the organisation’s security regime to mitigate against the insider and
ability to monitor and investigate insider activity. » Increased compliance with protective security external people threat.
» Detecting, deterring and disrupting external measures.
hostile actors during the reconnaissance phase
of attack planning. » Poor leadership and management practices,
which may reduce organisational trust and » Reduced risk of insider incidents.
erode employee loyalty and commitment.
Data Centres - Guidance for Users | 22 23 | Data Centres - Guidance for Users
6
RISKS TO THE SUPPLY CHAIN
Supply chains can be vulnerable to attack Data centre software and systems
Most organisations rely upon suppliers to deliver Software and software updates downloaded from
products, systems and services. But supply chains can suppliers’ websites provide opportunities for malware
be large and complex. Effectively securing the supply to be installed alongside legitimate products. The
chain can be hard because vulnerabilities are inherent, malware can include additional remote access
or introduced and exploited at any point in the supply functionality that could be used to take control of
chain. A vulnerable supply chain can cause damage systems on which it is installed.
and disruption.
Compromised software is very difficult to detect if
Attackers have both the intent and ability to exploit it has been altered at the source, since there is no
vulnerabilities in supply chain security. This trend is reason for the target company to suspect it was not
growing. Physical, personnel and cyber security risks legitimate. This places great reliance on suppliers, as
needs to be considered within any risk assessment. it is not feasible to inspect every piece of hardware or
software in the depth required to discover this type of
As part of the supply chain, data centre services you attack.
procure may be outsourced by your provider (if you
are using a managed hosting data centre option, for All software and systems supplied throughout a
example). If so, it is important to: data centre (such as servers, networking systems,
building management/automation systems, CCTV
» Understand the impact outsourcing can have on networks, enterprise IT, and so on) should be updated
your data centre requirements. throughout their lifecycle with the latest firmware
versions and security patches to minimise the risk of
» Undertake a risk assessment identifying critical cyber-attack.
assets (i.e. your servers, racks and any associated
security arrangements that you directly manage)
andarticulate what risks a supplier poses to
those assets. The NCSC’s 10 steps to Cyber Security contains
guidance on patching and vulnerability
management provides more detail.
Understand the impact The NCSC and CPNI have developed 12 principles to
outsourcing can have help you establish effective control and oversight
of your supply chain. Our guidance covers cyber,
on your data centre physical and people security.
Data centres and cyber security can also use these external networks to remotely Managing cyber security risk the security of its networks and information
manage their data centre infrastructure. Since the systems is clearly understood by all that use
Data centres’ infrastructure and systems are required management of the data centre infrastructure is often A comprehensive cyber risk management regime is them. It is important that anyone accessing data
to store, process, and transfer data at scale, and are carried out by managed service providers (who will invaluable, should be embedded throughout your centre systems understands their obligations
complex. also access these communications networks to provide organisation, and should complement the way you in protecting those systems, which can include
support services), there are implications for the supply manage other business risks. internal staff and contracted service providers.
They are a valuable target for threat actors seeking chain.
to conduct cyber-attacks. The motivation for these The section on risk management above provides links » Access management
attacks may include: External connections can provide pathways into the to CPNI and the NCSC guidance to help manage your You should verify, authenticate and authorise any
heart of data centre operations. Attackers will see these cyber risks. That guidance provides information on the access to data or systems. Unauthorised access
» To steal valuable or sensitive data. as a vector to try and exploit weak data centre cyber tools, methods, and frameworks available to help you to data, systems and services could lead to loss of
defences to target sensitive or valuable data or disrupt manage this important aspect of your business. The data or disruption of services. Good identity and
» To deny access to, disrupt, degrade, or destroy data centre operations. NCSC has also published the 10 Steps to Cyber Security access management on your networks should
data centre operations and services. guidance, which includes further information on why make it hard for attackers to pretend they are
risk management is important for organisations to legitimate.
» To compromise data integrity. help protect themselves in cyberspace.
The NCSC has published guidance for identity
Managing cyber security risks to data centres is about The NCSC Cyber Assessment Framework provides and access management, as part of its 10 Steps to
protecting the data held there (data at rest) and some indicators of good practice which can be used Cyber Security.
the data that passes through them (data in transit). to provide operators and data centre customers a
Data centre operators (and their customers) should baseline for risk management. It is vital that remote access to data centre
assume that a successful cyber-attack will happen, resources is managed properly. This is particularly
and therefore take steps to ensure that attacks can be important where there is a requirement for users
detected, and the impact minimised. to carry out activities that require privileged access.
Protect against cyber-attack
IT infrastructure and network connectivity If an attacker can compromise a person with
There is no guaranteed way to avoid cyber-attacks. privileged access rights or a device used for
Data centres require operational technology (OT) However, the worst outcomes can be avoided if an administration activities, they can inherit privileged
networks for building management services. These organisation’s services are designed and operated accesses, which provides potential for more
services are vital to maintaining and protecting data with security as a core consideration. This requires the impactful attacks. This also means an attacker may
centre operations. This includes services such as following areas to be considered: have the potential to cover their tracks so that their
power and cooling. Physical data centre security is also attack is more difficult to detect or remediate.
dependent on network connected systems such as » Policies and processes
access control. The production and implementation of policies The NCSC has specific guidance on privileged
and procedures that are owned and approved access management.
External network systems are provided by data centre by the board is an important step in helping
operators to allow customers the means to access the you manage the cyber risk to your business. The NCSC also has advice on how to avoid
services they run from there. Data centre operators These should be developed as part of the risk repeating ineffective solutions when
management process. administering a network.
Data Centres - Guidance for Users | 26 27 | Data Centres - Guidance for Users
» Data security » Monitoring and analysis tools used to compare log and audit data against ‘indicators of compromise’
Data used by business can take a variety of forms, » Make compromise of and disruption to your (from threat intelligence sources – see below) can help identify and investigate events of interest.
and could include information that would be systems more difficult.
valuable to an attacker, including personal data » Make compromise detection easier. » Threat intelligence can come from discussion forums, trusted relationships, paid-for contracts with threat
related to customers or staff; design details of » Reduce the impact of any compromise (see intelligence companies, or even generated internally. It should be routinely collected from quality sources
networks and information systems; or intellectual below for further information on detection and and kept up to date.
property (IP). reduction of impact).
» Governance, roles, and workflows help operational monitoring teams establish roles and responsibilities
Even if there is no legal requirement to protect This guidance can be used to help you build new that cover both security and performance-related monitoring. Monitoring teams should include members
data, there is often a commercial or security reason systems but is also helpful in reviewing the cyber who:
for it to be protected from unauthorised access, security of existing systems.
modification, or deletion. Measures should be
taken to protect data in transit, at rest, and at end The NCSC’s 10 Steps to Cyber Security provides » Know the network, its hardware and software, and the types of data they process and produce.
of life – that is, effectively sanitising or destroying information on approaches to securely building » Can work with threat intelligence to identify, investigate and triage security events.
storage media after use. systems and services. » Understand the organisation’s business and assess the significance of security events in terms of their
potential to cause harm, such as disrupting operations or leaking sensitive corporate or personal data.
In many cases your data will be outside your The NCSC’s secure design principles guidance
direct control, so it is important to consider the provides further information to help you secure your
protections that you can apply, as well as the systems
assurances you may need from third parties.
With the rise in increasingly tailored ransomware Detecting cyber security events
attacks preventing organisations from accessing
their systems and data stored on them, other There is no guarantee that the protective measures
relevant security measures should include in place will mitigate an attack and organisations
measures such as maintaining up-to-date, isolated, should prepare by assuming that cyber compromises
offline backup copies of all important data. will occur. These preparations should aim to ensure
quick response times and support decision-making.
The NCSC’s 10 Steps to Cyber Security provides In addition, exposing the root cause can help manage
further information to help you protect your data. future attacks and resolve any ongoing issues.
» Architecture and configuration The following factors can aid your organisation’s
Organisations should ensure that good cyber response in the event of a cyber intrusion:
security is built into their systems and services
from the outset, and that those systems and » Audited and logged information with access
services can be maintained and updated to adapt controls and isolated from other corporate
effectively to emerging threats and risks in the trust domains can help identify suspicious user
cyber security landscape. behaviour for either an attacker or insider.
Data Centres - Guidance for Users | 28 29 | Data Centres - Guidance for Users
Security monitoring takes this further and involves Minimising impact of cyber security incidents Businesses should therefore put in place measures to In the event of a concern or potential incident,
the active analysis of logging information to look for plan for this eventuality. This should include putting good logging practices (see page 20) will allow you
signs of known attacks or unusual system behaviour, Once a cyber intrusion has been detected, good the appropriate governance in place such as an to retrospectively look at what has happened and
enabling organisations to detect events that could be incident management should help reduce the impact, information security management system (ISMS). understand the impact of the incident.
deemed a security incident. and this includes:
Ensure there are well-defined and tested incident You may consider implementing the NCSC’s guidance
Your monitoring capability should work seamlessly » Quickly responding to incidents after detection management responses in place that aim to ensure on Security Operations Centres (SOC) where the use
with your incident management (see below for more to help prevent further damage, as well as continuity of essential functions in the event of system of a security information and event management
information on incident management) and may even reducing the financial and operational impact. or service failure. Mitigation activities designed to (SIEM) tool will allow real-time analysis of security
comprise some of the same staff in order to help you contain the impact of compromise should be in place. alerts and give indication of abnormal behaviour.
respond and minimise the impact. » Managing the incident while in the media
spotlight to reduce reputational impact. The NCSC has issued guidance on cyber incident
Further advice can be found in the NCSC’s guidance management best practice.
on logging for security purposes. » Applying what you have learned in the aftermath
of an incident to make you better prepared for
There is also further guidance on making compromise any future incidents.
detection easier.
Data Centres - Guidance for Users | 30 31 | Data Centres - Guidance for Users
ALL LINKS
Introduction secure-destruction-0
» ZDNET, ‘T-Mobile hack: Everything you need to » CPNI screening people and their
know’, 28/08/2021: https://www.zdnet.com/article/ belongings: https://www.cpni.gov.uk/screening-
t-mobile-hack-everything-you-need-to-know/ people-and-their-belongings-0
» CSO Online, ‘The OPM hack explained: Bad » UK National Authority for Counter-Eavesdropping:
security practices meet China’s Captain https://www.fcdoservices.gov.uk/uk-nace/
America’, 12/02/2020: https://www.csoonline.com/ » CPNI CCTV: https://www.cpni.gov.uk/cctv
article/3318238/the-opm-hack-explained-bad-
security-practices-meet-chinas-captain-america. People risks
html » CPNI insider risks: https://www.cpni.gov.uk/insider-
risk
Risk management » CPNI security culture: https://www.cpni.gov.uk/
» CPNI operational requirements https://www.cpni. security-culture
gov.uk/operational-requirements
» CPNI protective security risk management: Risks to the supply chain
https://www.cpni.gov.uk/rmm/protective-security-
risk-management » The NCSC vulnerability management, 10 Steps
» The NCSC risk management guidance from a to Cyber Security: https://www.ncsc.gov.uk/
cyber security perspective: https://www.ncsc.gov. collection/10-steps/vulnerability-management
uk/collection/risk-management-collection » CPNI 12 principles to help establish effective
control and oversight of your supply chain: https://
Resilience www.cpni.gov.uk/system/files/documents/2e/87/
» Reuters, ‘Millions of websites offline after fire at Supply_Chain_Security_Collection_Jan2018.pdf
French cloud services firm’, 10/02/2021: https:// » CPNI infographic of the 12 principles: https://www.
www.reuters.com/article/us-france-ovh-fire- cpni.gov.uk/system/files/documents/28/b3/supply_
idUSKBN2B20NU chain_ncsc_cpni_infographic.pdf
To the fullest extent permitted by law, CPNI and the NCSC accept no liability whatsoever for any expense, liability, loss, damage, claim or proceedings
incurred or arising as a result of any error or omission in the guidance or arising from any person acting, refraining from acting, relying upon or
otherwise using the guidance. You should make your own judgment with regard to the use of this document and seek independent professional
advice on your particular circumstances.
You may use or reuse this content without prior permission but must adhere to and accept the terms of the Open Government Licence for public
sector information. You must acknowledge CPNI the source of the content and include a link to the Open Government Licence wherever possible.
Authorisation to reproduce a third party’s copyright material must be obtained from the copyright holders concerned.