Traditionally, datacentres have competed on two main customer offerings – cost and reliability. However, in the era of cloud-based solutions and big data, an increasing topic of concern is the security of data, and more specifically, whether a datacentre operator should hold ultimate responsibility for the security of its customer’s data.
Undoubtedly, datacentres have a duty of care to their customers, and security now represents a new third pillar of differentiation for providers to compete on. For example, many seek to provide wrap-around security measures, or different levels of security that customers are able to opt in and out of using. Nevertheless, organisations taking advantage of a datacentre’s services shouldn’t rest on their laurels and pass responsibility for securing sensitive internal and customer data onto the providers. Several high-profile datacentre breaches in the past year alone show that when customer data is compromised, damaged, stolen or threatened, it is the organisation buying the services, and which owns the data, that ultimately suffers. This can take the form of severe reputational damage with a knock-on effect of customer and capital loss. In essence, organisations seeking to take advantage of datacentre solutions need to take final responsibility and ownership for the protection of their data and start turning an eye to this blind spot in security.
Security is always a must, but the nature of an organisation’s business will determine the level of security required to protect its data. In order to feel at ease, organisations need to practise due diligence and create a clearly defined cyber security strategy, not only for their own network but also for any data or application that is held outside of the business. IT departments should also have the competency to assess their own security needs and demand these from the datacentre provider, rather than simply accepting what is offered. Datacentres are rarely gurus in security; their main focus areas are normally “reliability” and “cost”, and as such it is down to the customer to ask the right questions that will give them peace of mind. An easy way to do this is to assume that a datacentre has no security measures in place at all and work backwards from there in line with your organisation’s needs.
Furthermore, datacentres are very likely to host data from multiple organisations, so businesses need to consider how secure their data is on a shared platform. For example, is the security solution, such as a virtual or physical firewall, offered by the datacentre appropriate or is a more individualised security solution required?
Organisations should also consider whether they are comfortable with the datacentre providing this, or whether it would be more appropriate for it to be managed and run in-house, especially where data is extremely sensitive. In such circumstances, it would be wise to keep this data on-site and not entrust it to a third-party datacentre. A fundamental part of any organisation’s cyber strategy should be deciding which data is sensitive enough to keep strictly on-site.
Moreover, businesses need to ensure they select a provider with the right type of Service Level Agreements (SLAs) in place. An example of an SLA to consider is the condition that, in the event of a data breach, the customer is contacted by the datacentre in a timely and efficient manner. Necessary controls and processes to limit any damage to the organisation’s data should also be agreed upon. This approach has worked well in the outsourcing industry, where each party is aware of who is responsible for which element, thus encouraging the correct and efficient delivery of services.
Additionally, security and connectivity are fast becoming interlinked terms. Hosting data in the cloud is quickly becoming a common choice for businesses of all sizes and mobile access to data is increasingly expected as standard by employees.
However, how to access this data securely is still a major concern. When organisations seek to put data into cloud-based services they need to make sure they have secure connectivity. Following the establishment of a set of protocols with the datacentre provider, organisations should be questioning how they can access their data as securely as possible.
Elements they should consider implementing include site-to-site encrypted VPNs, two-factor authentication, and SSL encryption of communications. They should also control authorisation of access to data, ensuring they know which employees, partners and customers are allowed access to the data in the datacentre and whether they hold the right information to confirm who they are, and ensure that machines connecting to the datacentre are “clean” of malicious software and threats.
One thing to consider is that, whilst an organisation may allow a third-party datacentre to host its data, it may wish to run the security element from its own site; this would involve running the SSL encryption and VPN solutions itself. This then allows the organisation to control access to and security of the data without having to rely on others.
From a governance perspective, organisations need to feel comfortable about where their data is being stored. This includes taking into consideration the myriad of laws governing the security, storage of and access to data within geopolitical boundaries, for example, the European Union’s Data Protection Directive.
There is no doubt that the datacentre has a duty of care to its users. This new third pillar, security, is an essential part of their offering in attracting customers and adding to customer confidence.
However, organisations need to take it upon themselves to examine how their most important asset, data, is being protected. With an obligation to keep their customers’ information safe, organisations need to put best-practice measures in place when selecting a datacentre provider.
Once set up, businesses need to maintain an ongoing working relationship with the provider to continuously develop not only defensive capabilities against cyber threats but also readiness to respond to breaches and attacks in the future.