The data centre landscape is changing. And it’s making security professionals nervous. Putting aside the constant and deeply thorny matter that is cyber security for a second, ensuring the physical security of data centres is an increasingly mission critical concern.
Amid the continuing COVID-19 crisis, global digital transformation efforts, the shift to cloud, and the rise of 5G - not to mention IoT, smart cities, and the edge - the data centre industry is actually shrinking. That might be a little misleading. In terms of investment, project size, capacity, revenues - you name it - the industry is booming. Experts estimate that the global data centre industry, worth $59.3 billion in 2020, will be worth $143.7 billion by the end of 2027. Colocation alone (that’s leaving out all private, hyperscale, and edge data centres) is expected to grow to $62.3 billion by the end of next year - up from $31.5 billion in 2017. The market for data centres - buoyed by growth in data traffic and demand for digital services - is only going to grow.
It’s the number of data centres that’s shrinking.
In 2015, when large enterprises had just about cottoned on to the fact that cloud and colocation as-a-service was more cost effective than owning, operating, and maintaining an in-house facility (as well as a disaster recovery backup site some distance away) the total number of data centres worldwide was roughly estimated at around 8.55 million. Over the next two years, the industry began to grow significantly, but by the time we get to 2017, the number of data centres around the world is estimated to have fallen to just 8.4 million. From 2017 to today (during which time the colocation industry alone grew by more than 14% year-on-year) that number fell again. Today, there are estimated to be just 7.2 million data centres operating around the world.
It’s not like data centres are an endangered species, but the condensation of the industry’s growing capacity into a shrinking number of facilities puts additional stress on the security teams tasked with keeping them safe.
More Eggs in Fewer Baskets
So, we have bigger and bigger amounts of increasingly critical data being stored in fewer data centres. As a number of high profile outages over the past year alone have proven, the consequences of even a single server going offline can be devastating. And, as proven by the fire at OVH Cloud’s facility in France earlier this year, or the impact of Storm Uri on the Texas data centre industry, proved pretty conclusively, the physical threats to data centres far beyond the occasional alt-right nut job with a pipe bomb - as we saw with AWS.
“Although the practice of physical security of data centres is very different to cybersecurity methods, the threats are the same,” says David Watkins, Solutions Director for VIRTUS Data Centres.
Mark Green, a physical security specialist working for UK tech and managed services firm (that also specialises in data centres) LMG, explains that “whether it’s natural disasters, terrorism or break-ins, data centres will be vulnerable to a range of risks unless they are physically secure,” and the physical risks - as well as the cost of a physical security breach - are rising. “Basic, low-level protection is not sufficient to safeguard modern data centres,” Green explains, “particularly as perimeter breaches and compromising of the access control credential are emerging as the biggest physical threats to these facilities today.” As Watkins and Green lay out, the landscape of potential threats facing data centres is as multifaceted in physical space as it is in the digital world.
Then, on top of that, the data centre’s physical location also plays a key role in determining the level of risk it faces. Watkins explains that “natural disasters like hurricanes, floods, and wildfires are on the rise - all of them impacting the ability of data centres to stay online - and are physical security risks in the same way that accidents can happen and terrorists could attack critical national infrastructure.”
Green, speaking from personal experience of the data centre site selection process, confirms that security and safety are typically the “highest priorities” when choosing a new data centre location. Operators looking to prevent breaches and outages need to consider everything from the site’s “proximity to high-risk areas, such as switch yards and chemical facilities” to the “likelihood of natural disasters, such as earthquakes and hurricanes.” Green adds that a single point of entry is a key consideration since “open perimeters require more budget to secure and protect. And perimeter protection, done properly, tends to be more expensive than securing the actual building.”
Protecting the Nest
When it comes to physically protecting a data centre, Watkins explains that “to achieve the gold standard, there should be seven layers of physical security: a physical barrier, trembler wire, surveillance cameras, 24/7 security guards, vehicle trap, full authentication & access policy control and biometrics.” The key - as with the cybersecurity side of things - is controlling who gets in and who gets out.
Another good way to minimise that threat, he adds, is not to disclose your location. While the idea of an inconspicuous data centre might seem like trying to hide an elephant in a crowd of mice, even simple steps can be effective when it comes to avoiding attention. “Most data centre operators are keen to not publicly identify their buildings with corporate logos,” says Watkins. Hyperscalers tend to take this to the extreme, treating their facilities more like government blacksites than big boxes full of IT gear - sometimes with the opposite effect than intended.
When Facebook announced back in February that it would be adding a further 900,000 square feet of floor space to its campus in Eagle Mountain, Utah, local residents came forward to complain of harassment by private security staff when driving near the Eagle Mountain campus on public roads. Local mother, Kendra Whatcott, even claimed that, “The second your car is ‘spotted’ by security there is a security vehicle who follows you, outside on the public road,” adding that she was aware of those security details pulling over citizens, something the local sheriff's department assured her was illegal (it is).
Green maintains, however, that “when it comes to data centre security, it is important to ensure that only authorised employees and vehicles have access to the surrounding area as well as the building itself,” since the “reputational damage, regulatory fines and customer churn” that can follow a breach make them extremely costly affairs.
Some data centre operators make the effort to take physical security to the next level (and then the next one after that as well), like Iron Mountain, which operates an ultra-secure data centre buried more than 200 feet under the hills of rural Pennsylvania at the bottom of a disused limestone mine, or Green Mountain, which famously operates a data centre inside a decommissioned NATO ammunition storage facility designed to ride out a nuclear apocalypse in relative comfort.
Watkins admits that “These types of locations are certainly a deterrent for potential attackers,” but cautions that “we must remember that we are in the business of providing a service for our clients. Logistically, it is far more difficult to get to and from these types of locations, making it non-viable for our customers who often work from our facilities and sometimes need to make changes to their equipment.”
Site selection, it would seem, is just one more plate for physical security teams to spin. “We choose the locations of our data centres for many reasons, such as transport infrastructure, power provision and real estate cost and availability, and physical security is always a key consideration,” says Watkins, reflecting on VIRTUS’ own portfolio. “Furthermore, many large customers operate on a zonal topology which requires a number of facilities to be within certain distance restrictions which can limit the opportunity for this type of deployment.” So, unless you’re looking to lock away your state secrets for a very long time, bringing your data centre above the surface of the earth still seems to be worth the risk.
Written by Harry Menear