Enterprises may want to move to the cloud, but they still hold plenty of IT resources. To make this easier to handle, they are often moving them to colocation spaces. A 2017 survey by Vertiv found that 57 percent of businesses were planning to increase their data center outsourcing, while research from Technavio predicts that the colocation market will grow at around nine percent through to 2022.
Meanwhile, much of the cloud is actually held in colocation space, where giants like AWS use sizable chunks of shared facilities to fill gaps in their coverage.
For both these customers, the sector offers a reduction in capital costs, the ability to scale, and a useful geographical spread. But there’s a downside: You have to trust the provider that is looking after your hardware and your data. You have to know it is kept safe from potential attackers.
“Data center users really value security,” says Russell Poole, managing director of Equinix UK and the Nordics. “It’s the top requirement of all our customers when they are looking to deploy with us.”
This feature appeared in our special colo design supplement.
A high priority for colo providers
A security incident at a colo site is just as harmful to the customer as if it happened on a site they owned and operated. But security failures can be even more embarrassing for the affected colo provider - as they represent a failure in its core business.
A Chicago-based colo site hosted by C I Host was broken into four times in a two-year period between 2005 and 2007, with thieves making off with tens of thousands of dollars’ worth of servers. In December 2018, Australian telecommunications provider Vocus came under fire when a customer complained that a door to the facility had been left wide open and unlocked for months. As well as theft of the physical infrastructure, unauthorized access to servers could allow intruders to steal data or make changes to the data and processes running on that hardware.
While both of the above firms are still in business, failing to keep a location secure could potentially be ruinous. Even if your terms of service are watertight when it comes to liability for security incidents, the loss of trust could easily lead to an exodus of customers, especially in a highly competitive landscape with so many alternative providers.
“In a world where data breaches can see a global business go under overnight, data centers have a critical role to play in protecting against this,” says Poole. “The implications of a security breach are catastrophic for the reputation of not just the data center company, but any company that hosts its data within the premises.”
Colocation sites have all the security concerns of in-house facilities which are owned and operated by one organization. But they have another big set of challenges because they have multiple users, and potentially a revolving door of tenants coming and going to the site at all times.
Externally, minimal signage and promotion around the location of a site can reduce the chance of unexpected - or unwanted - visitors. Perimeter fences, generic warning signs, and minimal external entry/exit points will help deter opportunistic attempts at entry. Guards, barriers, monitoring such as CCTV and potentially access controls such as key cards will reduce the number of people that even make it to the front doors of the facility.
However, while securing the external perimeter matters, internally is where much of the focus should be. The extra footfall compared to an owned and operated data center means that staff should remain extra vigilant and more stringent controls should be in place; employees may become used to seeing unfamiliar faces in various parts of the facility performing seemingly innocent work, but one of those faces could in reality be an attacker targeting a customer.
When asked about examples of potential attack methods on customers renting space within colocation sites, Holly Grace Williams, technical director at penetration testing firm Secarma, says one way is to simply rent space within the same facility.
“If you're targeting a business that hosts at a colo, you can take some space there and gain access to the premises. Then you can try and target other people within that space; if there are exposed ports in cages and you have a window of time you can probably insert cables into those ports.”
Because of this, she says, proper segmentation between customer areas, along with proper monitoring and trained staff is key.
“Colocation providers should have man traps, which only allow one person through at a time, and in the hosting space they should have rack segmentation, room segmentation and solid cages with narrow mesh.”
“You should have anti-tamper mechanisms so you can detect when a customer's rack has been opened and integrate it with a system that tells you instantly whether that customer's staff are present. Lock picking and the forcing open of cages can happen.
“The colo provider's team needs to keep an eye on anyone working in rooms to ensure they’re only accessing their own kit and be there to take action if a rack has been opened when staff from the tenant company are not in the building.”
Within the building itself, guests should only be accepted if scheduled and confirmed with the company, with relevant documentation and ID in hand. Access controls such as biometrics and key cards should be in use across the facility, with logs to keep a history of who went where and when. Internal monitoring such as CCTV should also be deployed across the facility, and manned 24/7.
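The tamper-detection integration Williams describes can be sketched in a few lines. This is an added example, not code from the article or from any provider: it replays badge and rack-door events in time order and flags any rack opened while none of that tenant's staff are badged into the building. The event format, names and sample data are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events (not real logs): (time, type, subject, tenant).
# badge_in/badge_out come from the access-control log; rack_open from a
# door sensor on the named rack, which belongs to the named tenant.
EVENTS = [
    ("2024-01-10T09:00", "badge_in", "alice", "tenant-a"),
    ("2024-01-10T09:05", "rack_open", "rack-a-01", "tenant-a"),
    ("2024-01-10T10:00", "badge_out", "alice", "tenant-a"),
    ("2024-01-10T10:30", "badge_in", "mallory", "tenant-b"),
    ("2024-01-10T10:40", "rack_open", "rack-a-01", "tenant-a"),
    ("2024-01-10T10:45", "rack_open", "rack-b-07", "tenant-b"),
    ("2024-01-10T11:00", "badge_out", "mallory", "tenant-b"),
    ("2024-01-10T11:10", "rack_open", "rack-b-07", "tenant-b"),
]


def unattended_rack_opens(events):
    """Return an alert for each rack opened while its tenant has nobody on site."""
    present = {}  # tenant -> set of staff currently badged in
    alerts = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    for ts, kind, subject, tenant in ordered:
        staff = present.setdefault(tenant, set())
        if kind == "badge_in":
            staff.add(subject)
        elif kind == "badge_out":
            staff.discard(subject)  # tolerate an exit with no recorded entry
        elif kind == "rack_open" and not staff:
            # Record who else is in the building, for the guard to follow up.
            others = sorted(
                p for t, people in present.items() if t != tenant for p in people
            )
            alerts.append(
                {"time": ts, "rack": subject, "tenant": tenant, "others_on_site": others}
            )
    return alerts


if __name__ == "__main__":
    for alert in unattended_rack_opens(EVENTS):
        print(alert)
```

The presence state is only as good as the badge log: tailgating through a door without a man trap leaves people on site who never appear in it.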
“When prospective tenants visit a data center to review its suitability,” advises Equinix’s Poole, “they should ask themselves ‘how difficult would it be for me to get in here if I had forgotten my fob or pass?’ The answer to that should be, ‘impossible’.”
At Equinix sites, he explains, access is by appointment only and entry is gained via a series of fob and biometric, hand geometry readers that recognize handprints and authority from an encrypted database.
“Once inside, a sign-in procedure and visual confirmation by trained security guards ensures that entry is only given to authorized visitors. Hundreds of security cameras and hand readers are stationed throughout the International Business Exchanges to provide detailed surveillance and archiving of critical infrastructure areas and all customer cages.”
All on-site guards and staff should be well-trained and aware of potential social engineering attempts. All the controls and defenses in the world will fail if on-site staff are willing to hold doors open or flout regular processes for a smart and determined attacker. Ensuring that staff are confident enough to stick to protocol even in the face of pressure, are unafraid to ask questions or double-check anything they are unsure of, and are wary of attempts at manipulation is key to ensuring attempts at social engineering are less likely to succeed.
Regular penetration testing should be conducted by both the colo provider and the tenants, to ensure not only that security controls are being enacted properly but also that they are effective, as well as to find potential gaps or shortfalls and make improvements. Likewise, customers should be encouraged to make their own inspections and ensure the site is up to the standards they expect or require.
“There is a difference between a secure colo and a very secure colo,” explains Secarma's Williams, “but most people wouldn't make that distinction on gut feeling, they'd make it based on some compliance or regulatory requirement.”