With an increase in the workload from remote locations, organisations have become vulnerable to cyber-attacks.
But in the current scenario, along with the technological aspect, it is also important to keep in mind the physical security when it comes to data centres. But how are these aspects managed and followed? This was discussed in a panel session titled ‘Physical and Software data centre security developments to follow’. The session was moderated by Pawan Desai, Co-Founder & CEO, MitKat Global Consulting Pte Ltd, Singapore. The panelists included Manish Israni, EVP & CIO, Yotta Infrastructure; Umesh Balaji Kothandapani, Global Sales Engineer, EMA and SAP, Axis Communication; Sreejith G, Head & Vice President, Operations, STT GDC India; and Anand Thirunagari, Country Head, Genetec India.
The entire paradigm of risk is changing. With the increase in demand for data centres, hosting is no longer only on-premise; there are now data centre operators, and organisations are starting to work with them. “Now that the data is lying with someone else’s security, it becomes a shared responsibility,” said Pawan Desai, Co-Founder & CEO, MitKat Global Consulting Pte Ltd, Singapore.
He further added that every organisation has a different set of cybersecurity policies, which adds to the complexity.
If the data of an organisation is hosted with someone else, they would not have anything to do with security, but it could lead to collateral damage. There are a lot of IoT and business-related aspects that are now coming in.
Security in DCs
Security is now a way of life, and a data centre is more like a sacred place, where you rely upon someone and start hosting your workloads and databases.
“The way in which we have conceptualised in Yotta Infrastructure we have always talked about data centre parts. We first conceptualise that a data centre needs to be secure and it can only be secure when we have certain parameters in place where there is no risk of natural calamities, the TVRA standards are met and all the pre-assessment is done.
We have always talked about scalability, the customers should scale within our campus in multiple buildings and they all have the same security standard from the physical aspect,” said Manish Israni, EVP & CIO, Yotta Infrastructure.
When workloads are moved and one talks about the cloud, public cloud and OTT, there is a huge amount of data coming from all sides, because consumers are accessing the platform digitally from the internet or analytics data is being fed in from machine learning or sensors.
“So, all these things need to be in a mechanism where we can control. Days are gone where we wait for the incident to happen; today, what we are trying to do to make things easier for us and our customers is that all the checkpoints are designed digitally. Whether someone is entering my data centre via a firewall or someone is entering to access the application of a customer who is running a payment gateway kind of a configuration, we work closely with them: how many types of defence mechanisms they want in their application, how many do they already have in place and how many layers of our multiple layers of security can be combined, and accordingly work with them to secure their application and to avail their application at 99.99 per cent so that their business does not suffer,” said Israni.
He further added that it is not possible to depend on a particular OEM device. Today we talk about application security, but hackers these days are very smart: without even touching the IPS, firewalls and other security aspects, they can include the code in an SMS or text which is being attached as an invoice.
When these things come, we need to think about inline security. At that point the code has already intruded internally, is present and can damage the data.
“We have boarded a next-gen security company like Virsec to provide in-line VM based security where the VM which is exposed to the internet is passing through multiple layers of security but the code itself has a targeted attack which can be worked upon. The combination of cybersecurity through our building security.
All the cameras, integrated building management system, access card, the biocentric access to the racks of the customers. It is important to integrate and analyse the data; everyone talks about AI, but intelligence needs to be created, either by people, processes or tools. We are trying to do everything and analyse the pattern; wherever there are abnormalities, we will take a proactive decision. The second step is to put all the security gear in the correct place and then educate people with regards to the basics of security and help them understand the same,” added Israni.
The aspect of Physical Security and compliance
“The data centre industry in India has been there for more than 20 years now and we are getting into the next phase of data centre expansion. The data centre is expanding at a CAGR of 25 per cent and has great potential.
The security aspect all this while was compliance or meeting the compliance, meeting the TVRA or any other standards or mandate put across by customers.
These were the practices being followed so far in the industry but things are changing now because data centres are becoming the centre of attraction, the data centre is delivering various mission-critical applications.
The mission-critical application starts from a common man’s day-to-day life to the critical application from the government authorities, defence authorities or the income tax authorities. The importance of data centres is as important as the airlines, railways or the parliament,” said Sreejith G, Head & Vice President, Operations, STT GDC India.
He further added that the security aspect plays an important role even in data centres and like the government, even the data centre operators are vigilant for critical areas. It is important to mitigate the possible threats and take adequate measures.
The enabling of technology in security is a combination of physical and electronic security: the surveillance system plus the access control. Everything needs to be integrated and put under close monitoring.
“In data centre, when I work in a security operating centre, a control centre or a BMS kind of centre, we see an operator sitting and monitoring the feed, maybe a security guard sitting and monitoring the feed. This is not going to be the situation anymore because the intensity and importance of security are more; we are already thinking about how to make the data intelligently analysed to take the required actions.
The surrounding, monitoring and the team that is monitoring, even the CCTV feed, is going to be very crucial. Keeping this in mind, it is important to deploy extremely skilled people, which could require more investment. It is important to foresee these incidents, there are enough examples, and make the systems more intelligent with AI coming in, and even controls in the CCTV feeds are enabled with AI so that any abnormality can be intimated immediately.
When it comes to other aspects as to how it will sabotage the organisation, it can affect the cybersecurity aspect as there are a lot of things happening there. There are a lot of things which are outside the periphery of data centres, if a person with an intention of bringing down the data centre.
For example, can someone understand how a physical fibre path is coming to the data centre or which power station is feeding the data centre? If there is sabotage on the fibre path, electrical route, or an electrical substation, it is enough to hamper the functioning of the data centre. The security control vigilance is not only inside the data centre but it is also to the extent of the utility system supporting the data centre,” said Sreejith.
He further explained that the controls, expansion and operations will be complex in the future and hence it is important to adopt new technologies. The technologies which have been used for the past 20 years will not be enough to cater to the growth which will come in the next five to ten years.
“Most of the systems when we deploy, it looks good but when it comes to operations there are various challenges. There are two important subjects, first is how to break the silos because the security systems are no more traditional where an operator is watching a few cameras, opening and closing doors.
This used to be the situation and I see that still in some data centres this is evolving. Today, if you take physical security and security systems minimum what we see as a trend at least in hyperscale and colocation, is about eight different systems CCTV with an access control there are four different things rack management with biometrics, iris, mantrap sensors and some sophisticated kind of sensors to do some anti-tailgating solutions and then perimeters are becoming an integral part of the security systems, especially in paths, it is put in metros and perimeter intrusion is an important area. Anti-drone technology has picked up very rapidly in the last eight months, especially after the recent IFF attack which happened within the country.
There is also a strong demand for the physical security interactions with the BMS and fire that has traditionally been an independent silo system, but customers are now increasingly demanding that it has to be an integral part of the physical security, followed by digital key management and also interaction with IT systems like the single sign-on with Active Directory or OpenID and interactions with HRMS systems,” said Anand Thirunagari, Country Head, Genetec India.
He further pointed out that “the physical security now is no more the traditional CCTV and access control. Now, if one puts all of the systems there are two different approaches in the data centre space, the first one being all systems being put as an independent silo system and then somehow you get them to talk to each other through an integrated approach to just get some alarms which solve only very few problems.
This was until yesterday, but are we prepared for the future? The answer is no. This is where Genetec as a platform provider and at the heart of the system we have a security centre which is the core platform. In which the approach which we look forward to is, there is nothing wrong in integration but, the point which we are trying to make is all systems have to be interactive through one platform and one single user interface. It cannot be a situation where the operator is dealing with eight different systems, user interface and seeing a few alarms and still does not know how to do situational awareness when there is a threat or imminent incident happening within the data centre.
We need to bring all of the systems in one platform and have a single user interface for the operator as it offers three main benefits: it reduces the total cost of ownership to a large extent; it streamlines operations and a standardisation drive can be taken; and the third important one is skill sets, an operator cannot be trained on eight different systems and expect them to deal with a threatening situation.”
He further added that these three are the significant benefits that we have seen with a unified approach and bring the sensors under one common platform; another important aspect to keep in consideration is the openness. A whole unified approach towards security, operations and data insights brings a significant value and that’s how the future can be protected.
In cyber security, today one thing which we see is that there are a lot of requirements in the RFP, but is it being evaluated in a comprehensive manner? For example the vendor itself: as a platform service provider we are UL2900 certified. These kinds of certifications are extremely important in the evaluation process as they assure way beyond the vulnerability test, not only BAPT which is a very important aspect, but the entire life and the development cycle of the product, the maturity of the product, how it can handle the vulnerabilities, how can it handle threats from a cyber perspective.
These are some important standards covered in UL2900 and these kinds of certification should be inculcated in our practices right from the evaluation to the implementation.
Platform providers also face challenges in terms of protecting IoT edge devices. They are the last post of the infrastructure, for example a perimeter camera or perimeter intrusion sensor, and sometimes the customers complain that they did not even know that there was a vulnerability in the firmware.
It is important to see if the firmware has some vulnerability and upgrade it. These things do include costs but are also not to be neglected. If there is an attack it is not only about losing money but also reputation as you are also owning someone else’s data and it is important to manage it with responsibility.