Choosing a secure data centre provider


Choosing a data centre

There’s a lot to consider when it comes to choosing a new data centre provider: location, resilience, client reviews and so on. In this blog, we’re going to look at security, helping you to assess whether your provider is doing enough to help keep your servers and infrastructure secure and compliant.

Industry experts acknowledge that colocation and cloud providers are capable of higher levels of security than most firms would deliver in-house. However, not all data centres are created equal, and not all will stand up to the full range of security audits required by clients and regulators – even if their credentials look the part on the surface.

Accreditations

First, let’s look at accreditations. Although they’re certainly not the be-all and end-all of data centre security, checking for compliance with standards like ISO27001 is still a good first port of call when it comes to choosing a data centre.

Some points to consider include:

  • Is the data centre compliant with ISO27001 (the international standard for information security management)?
  • Is the data centre compliant with any other required standards, such as PCI DSS (the Payment Card Industry Data Security Standard, which was developed to encourage and enhance payment card account data security)?
  • Are high-quality CCTV systems installed, with live monitoring where required?
  • Are security personnel background-checked and approved by industry bodies such as the SIA?

Physical security

When we think of data centres, the cloud and the world of virtual data access, it is cyber security that immediately springs to mind, but in fact the physical security of a data centre is critically important. It is imperative that only people who are authorised to access the data centre do so, and there should be stringent processes and procedures in place to prevent any breaches.

Check whether or not the following are in place:

  • A wide range of access controls such as perimeter fences, infrared tripwires, swipe cards, biometric scanners and mantraps, all configured to provide multi-factor authentication.
  • Access to racks and cages controlled by electronic locks or keys, with racks and cages kept anonymous. If keys are used, where are they stored? Is access controlled and monitored?
  • Access to sensitive areas in the data centre monitored via 24-hour CCTV.
  • In the event of a break-in, would security staff be compromised and become part of the incident, or would they be able to react to it?
  • Is the data centre directly linked to police control rooms?

People

As is often the case, you are only as strong as your weakest team member, and all the security in the world can fail due to a simple human error. So, who are the people who will be working to protect your vital business assets? Meet them, get to know them and don’t be afraid to ask questions, no matter how awkward it may feel.

  • Are the data centre staff required to undergo background checks where necessary?
  • Is the data centre able to offer an audit-friendly service and answer a full range of auditors’ questions and produce certifications?
  • Are data centre staff able to share general advice around data centre security and compliance?
  • Are senior security personnel based at the data centre itself rather than a remote site?
  • Are they sensitive to customers’ confidentiality requirements (not disclosing customer names as part of a sales pitch, for example)?

Need more info?

If you want to read more on the subject, you can download our free data centre security checklist here, covering additional areas for consideration such as policies and procedures, the security risks associated with on-site contractors and visitors, and how the flexibility offered by a facility might affect security. Or, if you want to find out more, get in touch with a member of our team.