As the spring weather arrives, things are warming up within the DCA. Hot on the heels of the massive Data Centre World & Cloud Expo event at the EXCEL, the half-way point in the PEDCA project has been reached with the submission of the “Academy Requirements” report. This report provides a summary of the current training and research landscape and identifies the gaps the industry needs to address to maintain and improve Europe’s position within the global data centre industry.
When “Europe” and “data centre” are mentioned in the same sentence you can’t help but think of the Code of Conduct for data centres. It has been interesting for me to hear the views of some of the academics and scientists who were new to the Code of Conduct when they embarked on the project. Their fresh viewpoints, coupled with those of industry participants and experts, have created a solid summary of the state of play and a positive view of the Code going forward – many thanks to all who took part. We have written to the Commission with the details requesting a strategic discussion to develop a road-map for the Code.
On the other side of the EU Commission, DG Connect have called a workshop to discuss “Green Data Centres: Policy measures, metrics and methodologies”. It will be interesting to see what develops from this, and how far and fast policy makers will push for legislation on data centres. Whilst our industry remains fragmented and without rigorous methods for self-regulation such as, for example, the DCA Certifications programme, we have strength of argument but lack tools to hand to work with. We will of course keep you informed at the DCA.
On the subject of Governments, Huw Owen, CEO of Ark Data Centres fresh from his inspiring talk at DCW, along with Jeremy Hartley MD of Data Racks supported the UK’s Delegation to CeBIT in Hanover. Many thanks to both on behalf of DCA members for their efforts. We are also working with UK Government in ensuring the UK’s data centre industry is featured in promoting overseas trade and inward investment.
Feature Focus
As part of our feature focus throughout the year, April is dedicated to Physical Security and we have some expert contribution from DCA Members Jacksons Fencing and LDEX. Jacksons Fencing CEO, Richard Jackson, discusses why physical security should always represent the first and ultimately, most important line of defence and what measures need consideration from the risk assessment to identify and prioritise any threats to site security.
Discussing the physical layers and the policy layers of data centre security, Patrick Doyle, COO & Co-founder at LDeX Group explains how these measures are based on years of operational experience utilising a multi-tier approach to ensure the security of client data which is the ultimate end goal. And lastly but by no means least Duncan Clubb – Chair of Management & Operations for DCA Technical Council and CTO of CS Technology EMEA gives us his view on ‘The Data Centre of the Future’, hosted on day one at Data Centre World in February. He explains how presentations at data centre conferences can tend towards being highly sales and vendor led but delegates who attended the various sessions in the “The Data Centre of the Future” hall will have been very pleasantly surprised by the high quality of the speakers and the content delivered.
The editorial contributions from our members are key to making our feature focus such an informative and successful part of the DCA’s information library, so thank you to all our contributing members this month. For the May edition we focus on ‘Industry Trends and Standards’ and we are currently taking bookings for this edition. For more information on our forward features and how to book your slot, please visit Data Central’s Media Centre, Submit an article.
Site Access Control and Security Steering Group
The DCA are delighted to announce the formation of the DCA Site Access and Security Group. This newly formed group is designed to help, advise and share knowledge to assist data centre operators and users improve the deployment of security within their facilities.
Special emphasis will be given to physical security as well as operational best practice with equal importance being given to both the internal and external data centre environments.
To achieve this, the group aims to review both existing and developing data centre security standards and guidelines as well as the existing compliance landscape in general. Steve Hone, DCA Operation Director, confirmed how valuable these activities will be as the conclusions drawn from this work will help to identify potential gaps in research and highlight areas where additional trusted information and guidance may be needed.
The first Group meeting is planned for 26th June and will be held at the DCA Dockland offices located on the UEL Campus just opposite City Airport. The meeting will be hosted by newly appointed Group Chairman David Ayers who has served with both the Met Police/CID and has been at Telehouse since 2000. David is responsible for the tactical, physical, procedural and electronic security arrangements for Telehouse Ltd. David’s valuable experience includes overseeing investigations in cybercrime which enables David to advise customers on risk and threat assessments, Business Continuity and Disaster Recovery planning. Having accepted the role of Chairman, David commented “It is important that this new group has the weight of the DCA behind it, as previous groups of this type formed solely by the Data Centre Operators themselves, have unfortunately stalled. Data Centre Companies have common goals and from a security aspect it is most helpful to share experiences and solutions, working together towards best practice.”
Peter Jackson was appointed as Group Vice Chairman at the same time. Peter also brings a wealth of experience having spent 20 years working in the physical security sector and is currently Sales Director at Jackson Fencing. As an active DCA member Mr Jackson added “I look forward to working with David to drive a programme designed to create a heightened awareness of the importance of effective physical security strategies for the data centre industry. Any data centre has an innate responsibility to guard and preserve highly sensitive information”.
Steve Hone concluded by again emphasising the importance this group will play “It is vitally important to ensure that the group has the right depth and breadth of experience needed which encompass experts from right across the data centre sector including operators, suppliers and security consultants”.
The first group meeting is set for the 26th June and we are looking forward to what I am sure will be a well-supported and very productive session, which will help to flesh out the objectives and goals of the group going forward.
If you are already a DCA member and would like to join this group and/or if you would like to register to attend the Group meeting and workshop on the 26th June then please speak to our Membership Executive, Kelly Edmond either by calling 08458 734 587 or via email to info@datacentrealliance.org
The data centre of the future:
Day One Data Centre World
Duncan Clubb - Chair, Management & Operations, DCA Technical Council and CTO of CS Technology EMEA.
Presentations at data centre conferences can tend towards being highly salesy and vendor-led but delegates who attended the various sessions in the “The Data Centre of the Future” hall will have been very pleasantly surprised by the high quality of the speakers and the content of the presentations.
The future of the data centre is a topic that interests most of us (I am guessing that most of us will be spending a long career in and around data centres!) and there is a huge amount of thought pouring into the topic, but it was great to see some clear trends and themes emerging.
One of the key themes was about how modular data centre technology is going to play a critical role in DC deployment. Modular or prefabricated data centres are no longer a new concept, and there are a number of working examples in the UK and the rest of the world, providing real performance metrics that demonstrate their efficiency, both in terms of energy and financials. Several of the speakers, including Tony Day of Schneider Electric, Chris Scott of IBM UK, and Huw Owen of ARK, talked about how a modular approach to data centre design is a better way of delivering what modern businesses are demanding.
Flexibility, scalability, time to market, efficiency and financial performance are now more important to corporate data centre occupiers than ever before, and modular technology offers advantages in many of these areas. Whilst most were evangelical about this, it was also refreshing to hear balanced viewpoints, as modular and pre-fabricated data centres are not always the answer. However, all agreed that energy efficiency is always part of the answer.
Energy supply and cost issues are not going away, although Peter Stevenson of Yuasa Battery Europe showed that there are alternatives to utility supply emerging from technologies like Lithium-Ion battery systems. Mark Collins of Excool talked about indirect air-cooling systems and how they offer advantages over direct fresh-air systems, whilst maintaining high efficiency performance levels. Again, it’s not always the solution, but it is clear that the data centre industry now has a whole range of highly efficient cooling technologies to choose from, each of which will offer superior performance under different conditions.
Finally, many of the speakers focused on the importance of operational excellence for running the data centre of the future. Several issues were discussed and speakers such as Willie O’Connell of Commscope, Robert Potts and Grant Kennedy of Mitie covered some of the most recent developments in software systems such as DCIM, AIM and CAFM, which are becoming more integrated into the data centre management process and more important as data centre managers and customers require a more sophisticated approach to management of their assets.
There is not enough space to cover all the presentations but wildcard of the day goes to Adam Smith of Paragon Internet, who gave a fascinating insight into how a small company with a huge customer base (if their data centre goes down, 70,000 tweets hit the Internet complaining about Paragon!) has had to develop their own requirements and designs because traditional design teams did not understand that a traditional design approach would not cut it – a true view of how new business paradigms translate into new requirements and new designs.
As people who are at the forefront of data centre technologies, we must all not forget that we need to adapt to changing requirements coming from innovative new companies, as they are dictating the future of the data centre as much as the new underlying technologies.
Let’s get physical
By Richard Jackson, CEO, Jacksons Fencing.
Robust security is a prerequisite for any data centre facility. But all too often the focus is on the protection of intellectual data and the roll out of defence strategies to combat the potential damage caused by cyber attacks. The reality is that physical security should always represent the first and ultimately, most important line of defence. If a forced entry is successful, the retrieval of critical data is an absolute given, in addition to the possible theft / destruction of further valuable assets.
Planning protocol
The installation of any physical security measures should always be preceded by a comprehensive risk assessment to identify and prioritise any threats to site security. At its most effective, physical security initiatives will have been planned into the overall security architecture of the entire site and will complement other protection devices for example CCTV.
When reviewing site security, the focus should be on identifying possible vulnerable hot spots and looking at the target from the intruder’s perspective, ie from the outside in. Once these susceptible points have been identified, the priority must be to apply layers of protection (known as the ‘Onion Principle’) to afford the maximum degree of protection capable of withstanding a security breach.
Three Ds
A blend of physical security measures should be considered which will collectively deter, detect and delay any unwanted intruders. These initiatives can be broadly categorized into two camps: perimeter security and access control solutions. A basic check list of measures to consider is listed below:
Perimeter security
High security fencing: High security fencing can be supplied in a variety of guises but thought should be given to the aesthetics of the site and the need to blend the data centre into the natural landscape to avoid drawing attention to its existence. A timber and steel mesh barrier system such as Trident Jakoustic Xtreme 3 which is accredited by the prestigious Secured by Design initiative, provides an outwardly attractive natural timber façade which belies a tough and highly robust steel meshing that is highly resistant to powered tools. The closely fitting panels not only possess efficient acoustic qualities, they also provide a dense barrier which results in zero viewing opportunities for any interested parties. Trident Jakoustic Xtreme 3 is the only government tested fence product on the market to offer this unique benefit.
Robust security toppings: A security topping provides a further layer of protection by deterring any attempts to scale the fence and can also be used to extend the height of the fence. In addition to the standard fence spikes (in some cases these might require planning permission or Building Regulation approval), it is also possible to incorporate an electric fencing topping for fences and gates. This is designed to deliver a non-lethal electric shock to anyone attempting to penetrate the fence line and also sends an alert following any attempted intrusion.
Perimeter Intruder Detection Systems: These can be installed on the fence perimeter to monitor and display intrusion attempts on a computer monitor in the Control Centre.
Vehicle Security barriers: These can include a bund, ditch, PAS 68 crash rated gate or PAS 68 crash rated bollards (possibly concealed as street furniture). All of these devices will provide an added ring of security to enhance the protection around the data centre.
Access control measures
Automated gates: Provide an established method of only allowing authorized vehicles access into the data centre site. Automated gates should always offer a separate access point for pedestrians and must comply with current safety guidelines as recommended by Gate Safe (www.gate-safe.org), the national charity promoting enhanced safety standards for automated gates.
Retractable bollards: Can be used to great effect to control vehicular entry into and egress out of the data centre. These are traditionally manned by a nominated access control centre.
Traffic calming & traffic management systems: Incorporates road humps / central islands / road narrowing etc and deliver added protection against potential ram-raiding tactics.
Turnstiles: Are advisable at the entry point of the building to provide controlled access into the main reception and discourage tailgating or piggyback activity.
Man traps: Provide alternate access for equipment and for persons with disabilities. Comprises two separate doors with an airlock in between. Only one door can be opened at a time, and authentication is needed for both doors. A common airlock configuration used in modern data centres takes the form of a small lobby with two sets of doors such that the first set of doors must close before the second set opens.
Maintenance matters
Regardless of the physical security measures that are put in place, if routine maintenance is not carried out to maintain their efficacy, the site will be compromised. Products, which don’t deliver a long lifetime service, must be deemed to limit the overall return on investment – but ultimately, may be responsible for a serious security failure.
Physical Security layers of data centre security
LDeX has recently joined the DCA as a full partner member to support the DCA’s objectives of promoting best-practice, increasing standards and raising the profile of the Data Centre Industry amongst the Business, Public Sector and Academic communities. LDeX is committed to providing a career path in the Data Centre sector for the best technical talent and the DCA’s work in skills training and development is a particular area of collaboration that LDeX is keen to support. By Patrick Doyle, COO & Co-founder at LDeX Group.
Site location
Generally most modern new build data centres are the sole occupants of the premises and tenants do not typically use a shared office building or a building with office space not owned by the tenant. This makes the dynamics of securing the building and siting plant and machinery much simpler and more secure. Data Centres also need to be sited away from areas subject to natural disasters and avoid areas susceptible to floods, fire, earthquakes etc.
Perimeter control
Most modern data centres have a perimeter fence surrounding the facility that is usually between 2.5 to 4 metres high to provide an effective barrier and to also create a controlled access point to the building. Normally this means one entry point for visiting foot and car traffic and a loading bay for deliveries, plant and machinery. Once a visitor gets to the perimeter, normally intercom access is provided that links into a security post. In some of the larger data centres, security guards are present on the perimeter and provide the first point of contact for the client.
The intercom system allows the security personnel to check who is at the gate and they can then either meet them on foot or allow them access through the perimeter into the facility grounds. Access for pedestrians can be controlled by providing a turnstile type gate or a man trap with two gates allowing the on-site team to determine if the visitors have a valid access request.
CCTV
The data centre building should have CCTV cameras on all corners of the building, giving a clear view along each of the perimeter fence lines and also facing the main entry points of the building. The cameras are usually hardwired back to a common security point where footage is on display at all times and also recorded for a minimum of 90 days. It’s important that the cameras have weather proof enclosures, heaters in areas where frost is an issue and PTZ control to allow the security team to track people or have software controls in place to automatically point cameras to a source of movement.
Virtual trip wire
A virtual trip wire is a software system that works in conjunction with sophisticated CCTV cameras that monitors the perimeter of the building or any specific areas using video analytics to track any breach of the trip wire. If the trip wire is breached or any suspect activity is detected, an alarm is raised within a remote control centre which triggers various events that end in the emergency services being called. Within the Data Centre, this system provides lone worker protection and also prevents the risk of a security guard being compromised.
Two factor access Control System
To enhance security and provide multi-level access control, a two factor access control system should be deployed. This would be used by having the first system to provide access into the building and the common areas. Upon entering the facility, the client would be supplied with a proximity card.
The second layer of access would normally be at the biometric level and could include a facial or fingerprint biometric recognition system which involves an enrolment procedure by the security team. This would be able to be extended to the cage or rack level if the client warranted or required a further level of security.
Man trap portal
Man trap portals are common in most data centres now and their main purpose is to prevent tailgating into the data centre. Most man trap portals have pressure pads in them which can sense if more than one person is in the portal at the same time or if the person in the portal is carrying heavy equipment.
The net result of too much weight in the portal means that the door into the secured area will not open and the only way out of the portal is back through the entrance. Most modern portals have an override feature which enables them to be manually opened by the security team to allow people to carry equipment through.
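The interlock and weight check described for man traps in this article and in the access control checklist earlier on the page, as an added Python example (not code from LDeX, Jacksons Fencing or any portal vendor). The 120 kg limit, the class and method names and the sample visitors are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ManTrapPortal:
    """Two-door interlock with a pressure pad (illustrative model only)."""
    max_load_kg: float = 120.0  # assumed single-occupant limit; set per site
    load_kg: float = 0.0        # current pressure-pad reading
    outer_open: bool = False
    inner_open: bool = False
    events: list = field(default_factory=list)  # audit trail of every decision

    def _decide(self, door, who, granted, reason):
        # Record the decision first, then act on it, so refusals are logged too.
        self.events.append(
            {"door": door, "who": who, "granted": granted, "reason": reason})
        if granted:
            setattr(self, f"{door}_open", True)
        return granted

    def set_load(self, kg):
        self.load_kg = kg

    def close(self, door):
        setattr(self, f"{door}_open", False)

    def request_outer(self, who, authenticated):
        if self.inner_open:
            return self._decide("outer", who, False, "interlock: inner door open")
        if not authenticated:
            return self._decide("outer", who, False, "authentication failed")
        return self._decide("outer", who, True, "authenticated")

    def request_inner(self, who, authenticated, override_by=None):
        if self.outer_open:
            return self._decide("inner", who, False, "interlock: outer door open")
        if not authenticated:
            return self._decide("inner", who, False, "authentication failed")
        if self.load_kg > self.max_load_kg:
            if override_by is None:
                return self._decide(
                    "inner", who, False,
                    "pad load over limit: possible tailgating or equipment")
            # Security team opens the door manually, e.g. for an equipment carry.
            return self._decide("inner", who, True,
                                f"manual override by {override_by}")
        return self._decide("inner", who, True, "authenticated")

    def retreat(self, who):
        # After a refusal the only way out is back through the entrance door.
        if self.inner_open:
            return self._decide("outer", who, False, "interlock: inner door open")
        return self._decide("outer", who, True, "exit via entrance")


if __name__ == "__main__":
    portal = ManTrapPortal()
    portal.request_outer("visitor-A", authenticated=True)  # constructed visitor
    portal.close("outer")
    portal.set_load(165.0)  # two people, or one person with equipment
    portal.request_inner("visitor-A", authenticated=True)  # refused
    portal.request_inner("visitor-A", True, override_by="guard-1")
    for event in portal.events:
        print(event)
```

Every refusal and every override lands in `events` with a reason, which is the record a security team would review alongside CCTV footage.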
Plant and machinery security
Mechanical and electrical plant areas should have restricted access and any contractors working on site should be escorted at all times. Generators need to be sited in dedicated canopies or buildings and transformers and HV equipment should be stored in a secured substation/out buildings.
Infrastructure best practice security
Data Centre equipment that is connected to the public internet and accessible via an IP address needs to have the relevant access control policies applied to it. These include the implementation of methods such as the following:
• Network access lists on the connecting routers
• DDoS protection
• Resilient firewall protection
• Physical protection if the device is rack mountable
• Strict user name and password security
• IPSEC VPNs should be in place for any remote access or monitoring of such equipment
Policy layers of data centre security
Access Procedures
Every data centre will have stringent access and support procedures in place which protects the client from unauthorised access to their equipment and support requests. This is usually achieved by presenting the client with an access list form or a portal tailored to this and it subsequently becomes the client’s duty to keep this list up to date.
This information is then incorporated into the data centre procedure framework and every time a client logs a support or access request, the sender’s details are checked against the authorised access list. If the sender is not on the access list then they are told to refer to the authorised contact to log the request and thus their request is denied.
PCI compliance
Data Centres need to provide certain guarantees if they have financial clients that are required to be PCI compliant due to the nature of their business. Most of the requirements are around access to the site and other procedures as discussed previously.
However, a data centre provider must also make sure they collect 90 days of CCTV footage and 90 days of visitor access logs including written logs as well as those from an access control system.
It will be a requirement of the Data Centre provider to demonstrate this during any audits against the PCI compliant client so be prepared!
People
All staff and contractors that work within a data centre and work in the critical environment need to be vetted to make sure they have the required qualifications, certifications, method statements and risk assessments required to carry out their specific field of work.
During the employment process, all staff members are required to have a certain number of references behind them and also a CRB check should be undertaken to ascertain if the person has a criminal record or not.
ISO27001
ISO27001 is a framework detailing how an organisation approaches information security management. The purpose is to create a fully traceable system that details to staff the internal security procedures and risks within the data centre such as who is responsible for what and how to report and deal with breaches of the security policies.
The standard is internationally recognised and is a measure of how a data centre is run and forms an essential ingredient to a client when choosing a data centre facility.
Security is a vital concern for any data centre operator and clients looking to avail services must take the time to evaluate the measures discussed. At LDeX, we have adopted stringent approaches to protecting client data with high levels of physical and network security as well as a multi-tiered approach that gives staff and clients the assurance that the building is protected 24x7x365.