A few years ago, I was involved in the construction of a brand new data centre. This is quite a luxury for a data centre manager as I was able to furnish the building entirely in accordance with the latest technologies. At the same time it was also a challenge as the blueprint for a perfect data centre just does not exist. I would like to share with you my decisions and considerations. After talking about a blueprint for cooling, I will now turn my attention to data centre security.
Data centres are an attractive target for various types of criminals. First and foremost, you have those wanting to steal copper and aluminium. These thieves are mainly looking for unguarded buildings on industrial estates where they can go about their business undisturbed. Secondly, data centres also attract the interest of cyber criminals. Some of these criminals want to paralyse a company's website or internal systems in order to thwart the competition. Others want to gain access to the business data itself in order to use it for malicious purposes. And others still are under the age of sixteen and see breaking into the systems as a real laugh.
All these different types of criminals call for different types of security measures to be put in place. First of all, physical measures are needed to keep unauthorised users at bay. There is a wide range of measures that can be taken – from infra-red cameras and steel fencing to the more drastic solution of canals. None of these come cheap, of course, and you would therefore need to draw up a risk analysis. As far as I am concerned, there are two aspects that play a crucial role here – the location of the data centre and the building's construction. As you can imagine, right at the heart of the city wouldn't be the most practical location for the data centre as it would be much harder to spot people acting suspiciously.
In addition, it is important for the building to be well constructed. Many data centres that have developed over the course of time are located in buildings that are not entirely suitable for this purpose. And this entails certain risks. If, for example, the walls are thin, it probably wouldn't be that difficult to drive a car straight through them. Data centres may also be attached to other buildings, making it easier for criminals to enter without being noticed. The ideal data centre building is actually a box-in-a-box, which you cannot simply access by walking through a door from outside. You need to realise that with all break-ins, if someone desperately wants to get inside and carry out a hit-and-run job, they'll succeed in doing so. The measures you take must therefore focus on sending out an alarm immediately and hampering the efforts of criminals as much as possible.
Data centres in the Netherlands are relatively well-protected in terms of physical security. It is much more complicated to defend them from cyber criminals. Protection from cyber criminals is also particularly difficult because it involves an element of shared responsibility. The customers using the data centre are also responsible for implementing measures. To a certain extent, your role as a data centre is limited to providing services that protect against attacks. For example, our customers can purchase a service that protects their data from DDoS attacks. They can also rent a firewall. However, if these services are not purchased and customers do not implement these measures themselves, preventing break-ins is an impossible task.
The most common form of hacking we experience at Previder is social engineering. Someone pretends to be a customer and wants to reboot a server, for example, or requests login details. We have tackled this problem by introducing a strict protocol that sets out what data must not be disclosed to others under any circumstances. We also operate in accordance with a secure access list: a list of people who are authorised to perform specific actions. If a request is made to reboot a server, for example, then we phone the person on the list to check it with them. This is how we confirm their identity.
A case apart is the defence against DDoS attacks, a popular method used by cyber criminals to shut down a company's website. In principle, there are two types of DDoS attacks: the volume-based attack and the application-based attack. Volume-based attacks target the available bandwidth in a network. A huge number of generic messages is sent across the network until the bandwidth is eventually unable to cope. However, as there is such a rapid increase in the volume of traffic sent, a volume-based attack is noticeable and easy for a provider to detect. The suspicious traffic is then filtered and only the 'cleaned' internet traffic is delivered.
Application-based attacks are different. These attacks focus on the underlying systems of a site or service. For example, they may request a particular web form an incredibly large number of times and then return it half completed to the underlying system for processing. This continues for as long as it takes for the system to eventually crash. The success of an application-based attack strongly depends on how the site has been designed. If a particular processing operation is structured 'logically', this involves less processing and the underlying system can handle a greater number of requests. Quite apart from this personal responsibility, it is much more difficult for a data centre provider to detect this type of DDoS attack. There is no peak in volume and it is difficult to determine what 'normal' traffic is for a particular customer.
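The detection gap between the two attack types, as an added example (not code from the article or from Previder): a bandwidth threshold flags the volume-based flood but stays silent during a form flood, while a per-customer baseline of request shares per path picks it up. All traffic figures, paths and thresholds are constructed assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

def volume_alerts(mbps, warmup=5, k=4.0):
    """Indices of intervals whose bandwidth exceeds baseline mean + k * stddev."""
    baseline, alerts = list(mbps[:warmup]), []
    for i, value in enumerate(mbps[warmup:], start=warmup):
        limit = mean(baseline) + k * max(pstdev(baseline), 1.0)
        if value > limit:
            alerts.append(i)          # flagged traffic is kept out of the baseline
        else:
            baseline.append(value)
    return alerts

def endpoint_alerts(intervals, warmup=3, factor=3.0):
    """(interval, path) pairs where a path's share of requests is more than
    `factor` times its share during this customer's warm-up intervals."""
    seen = Counter()
    for counts in intervals[:warmup]:
        seen.update(counts)
    total = sum(seen.values())
    alerts = []
    for i, counts in enumerate(intervals[warmup:], start=warmup):
        n = sum(counts.values())
        for path, hits in counts.items():
            usual = max(seen[path] / total, 0.01)   # floor for paths never seen before
            if hits / n > factor * usual:
                alerts.append((i, path))
    return alerts

# Constructed sample data: one value / one Counter per measurement interval.
NORMAL_MBPS = [98, 102, 101, 97, 103, 99, 100]
VOLUMETRIC_MBPS = NORMAL_MBPS + [950, 1200, 1100]   # bandwidth flood
APP_LAYER_MBPS = NORMAL_MBPS + [104, 106, 105]      # form flood: bandwidth stays flat

NORMAL_REQS = Counter({"/": 600, "/products": 320, "/contact-form": 50, "/login": 30})
FLOOD_REQS = Counter({"/": 590, "/products": 310, "/contact-form": 900, "/login": 30})
REQUESTS = [NORMAL_REQS] * 4 + [FLOOD_REQS] * 2

if __name__ == "__main__":
    print("volumetric, bandwidth check:", volume_alerts(VOLUMETRIC_MBPS))
    print("app-layer, bandwidth check: ", volume_alerts(APP_LAYER_MBPS))
    print("app-layer, endpoint check:  ", endpoint_alerts(REQUESTS))
```

The endpoint check only works once a baseline exists for that specific customer, which is the part the provider usually lacks.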
This contribution follows on from the article entitled Blueprint for the perfect data centre (1): cooling system.