Protect your servers and data with these data center security best practices from 7 IT and cybersecurity experts
Imagine that you have a stack of gold bars and you’re responsible for protecting it. Would you leave it out in the open where any thief could get their hands on it, or would you keep it under lock and key?
This same analogy applies to your data center — a virtual goldmine of information — yet many companies choose to do the minimum when it comes to data center security. Your data center — the networked computer servers and devices that process, distribute and store your precious data — is a critical component of your organization’s digital infrastructure. Data center security is the combination of policies, processes, procedures, and technologies that secure it from cyber attacks and other virtual threats.
So, what are the data security standards you should know to meet and maintain compliance? We’ve consulted several IT and cybersecurity experts to pick their brains and share their data center security best practices.
Let’s hash it out.
The Importance of Data Center Security Continues to Grow
It’s no surprise that the security of your data is crucial for any business. It’s invaluable info that can make or break your business. Proprietary information such as intellectual property and trade secrets, as well as customers’ personal and financial information are all examples of the types of data that might be found within a data center.
Intentional or accidental data exposure can lead to:
- Reputational damage and loss of customer trust — If word gets out that you’re not taking the necessary steps to protect your customers’ data (or even your own intellectual property), why should they trust you?
- Noncompliance fines from industry regulations — There are several key regulations that have requirements related to data center security, including PCI DSS, HIPAA, GDPR, SAE 18 (formerly SAE 16), and ISO 27001: 2013.
- Financial damages and loss revenue — Downtime is a major concern for businesses and can result in significant revenue losses.
Shayne Sherman, CEO of TechLoris, says the importance of data center security can’t be overstated and that it should be a top priority for every business.
“Taking the time to make sure the building is secure, your employees are well-versed in cyber security prevention, and that you’re meeting compliance requirements goes a long way in protecting your assets from malicious actors.”
— Shayne Sherman, CEO of TechLoris
So, needless to say, you’ll find yourself in hot water if any of this information winds up in the wrong hands. This is why you need to know some data center security best practices that you can put into action.
Tip #1: Implement Data Center Physical Security Measures
When people think of the types of security measures that they have in place to protect their organization’s data, they don’t necessarily consider the physical security aspect. Why? They’re often too preoccupied with concerns relating to data loss risks that stem from cyber attacks and data breaches.
However, what companies may not realize is that physical security threats can be some of the most impactful. One such example would be the case of Anthony Levandowski, a former Google engineer who has plead guilty to stealing the company’s trade secrets and giving them to Uber.
According to an article in the New Yorker, Levandowski accessed Google’s servers directly to carry out the theft:
“According to Google, a month before Levandowski resigned, he had plugged his work-issued laptop into a Google server and downloaded about fourteen thousand files, including hardware schematics. He transferred the files to an external drive and then wiped his laptop clean.”
There are a few main types of data centers that an organization can have based on its needs and available resources:
- Public cloud data center — This type of data center is one that’s off premises and is hosted by public cloud providers such as IBM Cloud, Amazon Web Services (AWS), and other tech giants. There’s a lot of debate within the industry about how secure these platforms are despite growing adoption, but many of those issues are at the customer level (such as server misconfigurations) and are not at the provider level.
- Private managed hosting data center — This type of data center is one in which you are sharing servers with other companies and organizations. This is great for companies that have limited tech expertise or can’t afford a lot of capital expenditure costs up front. However, it’s not necessarily the most secure option.
- Colocation data center — This type of data center is one in which a company shares space with other companies, but own their own severs and other equipment. This offers more protection for your data than managed hosting data centers because you own your own equipment and aren’t sharing it with other organizations.
- On-site data center — This type of data center is one that you house within your own facility. Having an on-premises data center offers the greatest level of security but also has significantly higher operational costs than other data storage options.
With each being so different, it means that the security needs of each type are different. So, what should be the first data center security consideration?
Location, Location, Location
If you’re creating your own data center and aren’t relying on a cloud or colocation data center, intentionally planning out the physical space of your data center is essential. This includes deciding whether you want your data center to be in a secluded location or a more populated area.
But what else should you keep in mind when planning a data center location in terms of security? Be conscientious of weather-related dangers and low-lying areas. (We’ve found that floodwaters and technology aren’t a great mix.). Also be sure to watch out for hot geological zones that are earthquake prone.
If you’re going to build in a more populated area, you can hide your data center in plain sight by making it blend in with its surroundings.
If you’re using a service provider’s facility, check out the construction and location of their building. You can also request compliance reports to see how they measure up.
Key Data Center Physical Security Measures
But aside from the location, there are many other physical security considerations. Data center hardening can include:
- Reinforced concrete walls and structures that can protect the facility from external attacks
- Server cabinets and cages that are bolted into the ground and secured with locks
- Environmental controls that monitor and regulate temperature and humidity changes
Mark Soto, owner of the cybersecurity and IT services company Cybericus, is quick to state that although physical attacks aren’t as common as cyber attacks, they’re still very real threats to your data security.
“You need to set up security measures around the data center to make sure that it’s secure. This can be either through a badge system or a pin pad to only allow certain people with access to these locations.
Be fully aware of the people that pass through the facility. As mentioned above, 30% of data breaches are due to internal users. You should be very careful as a company on who has access to the data center and what parts they have access to. This can involve anything from performing background checks on employees, and third party contractors who have access to your data center facilities.”
— Mark Soto, owner of Cybericus
Ben Hartwig, a web operations executive at InfoTracer, says that you need to consider the physical design of your facility to truly gauge your data center security.
“A main concern is the building or facility design itself when it comes to physical security. Key points of physical security include 24/7 video surveillance, metal detectors and on-site security guards, as well as layered security measures, security checkpoints, customized to reflect the sensitivity of the protected data, limited or single entry and exit points, and more.”
— Ben Hartwig, Web Operations Executive at InfoTracer
Some types of data centers also have additional physical requirements such as those outlined by the Telecommunications Industry Association (TIA) in their data standards ANSI/TIA-942/TIA-942A.
Hartwig also suggests taking traditional security measures to the next level. Some methods include using multifold access controls and enforcing specialized security methods in every area and room.
“Every individually-secured zone should demand more than one form of identification and pass control, since not all employees ought to have access to every part of a data center.
Use access cards and identification badges, or other protection which includes scales that weigh visitors upon entering and exiting the premises, continuous background checks of authorized staff and biometric locks.”
— Ben Hartwig, Web Operations Executive at InfoTracer
Tip #2: Monitor and Restrict Not Just Physical Access But Virtual Access As Well
But securing your data requires more than just installing door locks and cameras. You actually need to monitor the digital access as well. Why? Of the data breaches reported in IBM and the Ponemon Institute’s 2019 Cost of a Data Breach Report, 49% of them were identified as resulting human errors and system glitches and not cyber attacks.
Ross Thomas, IT administrator here at The SSL Store, says that one of the more obvious data center security best practices is to review the permissions that are set for any users who have access to your servers.
“Periodic permission auditing is crucial to make sure that access is only delegated to those that need it. Root users can be very dangerous as they are able to make any changes or execute any code or processes. But, root users are necessary. Assigning processes, tasks, etc., to the correct user is the absolute safest way to delegate processes. When personnel leave an organization, there should be proper evaluation of their status in all systems to determine if they have access even if it is not through the front door.”
— Ross Thomas, IT administrator at The SSL Store
And if you weren’t already concerned about phishing scams and password insecurities, you should be. Verizon’s 2020 Data Breach Investigations Report (DBIR) shows that four in five hacking-related breaches involve brute force or the use of lost or stolen credentials.
Don’t Get Phished.
Email is the most commonly exploited attack vector, costing organizations millions annually. And for SMBs, the damage can be fatal in terms of suffering data breaches & going out of business. Don’t be another statistic.
So, if you can’t automatically trust that your users are who they claim to be, what’s the solution?
Adopt a Zero Trust Approach
Sami Ullah, pre-sales manager at Kualitatem Inc., an independent software testing and information systems auditing company, says that organizations should implement a zero-trust architecture:
“The Zero Trust Model treats every transaction, movement, or iteration of data as suspicious. It’s one of the latest intrusion detection methods. The system tracks network behavior, and data flows from a command center in real time. It checks anyone extracting data from the system and alerts staff or revokes rights from accounts [if] an anomaly is detected.”
— Sami Ullah, pre-sales manager at Kualitatem Inc.
Tip #3: Use the Right Tools to Secure Your Data and Network
A strong data center security strategy is one that uses perimeter-based security tools to monitor and protect your network from internal and external threats. Part of this approach is to properly configure and secure your endpoints, networks, and firewalls (this is the heart of security).
Vladlen Shulepov, CEO at the international software development company Riseapps, highlights several of the key monitoring and detection tools that should be in your security arsenal:
“External threats are usually the worst enemy of a data center, so protective solutions are necessary. Intrusion detection systems, IP address monitoring, and firewalls are some of the most helpful tools to protect your data center from outside breaches and ensure its security.”
— Vladlen Shulepov, CEO at Riseapps
Ross Thomas, IT administrator at The SSL Store, says that using reverse proxies is also a great option. A reverse proxy acts like a front-line cache that accesses static and dynamic content rather than letting users directly access a webserver or database server for every request.
“Adding a reverse proxy to sit in front of a webserver is a good idea for security. It disassociates the public from directly accessing a webserver that contains production code or a means to get to valuable information, such as a database. It can also offload some of the processing and functionality to allow the primary server to operate at full (or near full) potential. A reverse proxy is not too different from a load balancer and can often be one in the same depending on the server structure (clustering, for example). In any event, it is a safe bet to protect valuable production code/data.”
— Ross Thomas, IT administrator at The SSL Store
If you want to further harden your data center’s cyber defenses, you can (and should):
- Conduct regular audits of your assets, security management processes and access protocols.
- Use network-level encryption to secure your data as it travels between endpoints and server-level encryption to protect the data when it’s at rest.
- Integrate automation and security information and event management (SIEM) tools (or use a third-party service) to continually monitor logs and report on security events and threats.
Tip #4: Keep Your Servers and Systems Current
No one likes taking the time out of their day to run boring updates and to apply patching to their systems. After all, you have way more important things to do, right?
We’re pretty sure that the owners of the 230,000 computers that were affected by the WannaCry ransomware attacks a few years ago would disagree. In those attacks, a hacker group used the NSA’s EternalBlue exploit — which Microsoft had patched but WannaCry victims hadn’t applied to their machines — to their advantage to take over computers at organizations and businesses around the world, including the U.K.’s National Health System (NHS).
When manufacturers release patches, it’s their way of filling in any security gaps that they’ve discovered in their products. It’s like patching a hole in your roof to prevent rain from pouring or leaking through. It’s their way of fixing the vulnerability before a bad guy can exploit it and cause issues.
Simply put, patching and updating your systems can save you a lot of headaches in the long run:
“Make sure your servers remain patched and on the latest software releases. This is the easiest way to protect yourself from known vulnerabilities. Don’t get breached because of something that’s already had a fix.”
— Jayant Shukla, CTO and Co-Founder, K2 Cyber Security
Tip #5: Have Redundant Data Backups and Infrastructure in Place
No matter how many times we talk about data backups, it never seems to be enough. You read in the headlines about how major city governments, hospitals and businesses are left paralyzed by ransomware attacks and other cyber attacks. Yet, for some reason, businesses choose to not take the appropriate precautions for creating redundant data backups.
Is it laziness? Maybe it’s the “it won’t happen to me” mindset. Regardless of the excuses why they shouldn’t, the truth of the matter is that having redundant backups — both in terms of data and secondary infrastructure — in place can save you a lot of time, money, and headaches. When crap hits the fan — and, inevitably, it will — you’ll wish that you’d taken the time to prepare.
I think Hartwig summarizes this next point best:
“Data security and data center security are inseparable. To store and protect data effectively, all data has to be strongly encoded during transfer and always monitored and regularly backed up.”
— Ben Hartwig, Web Operations Executive at InfoTracer
Of course, there are other things that he says are essential in terms of protecting and keeping your infrastructure operational (as well as maintaining uptime):
- Keep your equipment cool. Your data center runs on a variety of hardware — all of which generate a vast amount of heat. High temperatures that are left unchecked can literally cause machines to breakdown and melt or result in fires, so it’s essential for every data center to use strong climate controls. Part of this includes having secondary cooling systems in place that can kick in should the primary system fail.
- Protect your power supply. Outages can happen for a variety of reasons — everything from human error to issues relating to the weather. They can also result from power losses or short power surges. Regardless of the cause, it means that you need to have backup power systems in place that can kick into gear when things go wrong to keep your equipment and servers functioning.
A last important point worth mentioning is to keep water lines separate from other key systems. Few things can ruin your day like a busted water main. So, be sure to have two lines coming into your facility in different locations, but keep them away from your power sources and other critical infrastructure.
Tip #6: Use Data Center Network Segmentation
Network segmentation is a process that, basically, helps you divide your data network into separate components based on endpoint identity. By dividing the network and isolating each segment independently, it creates additional barriers for hackers to have to get through and prevents hackers from freely roaming around your network.
Mark Soto, whose cybersecurity and IT services company helps businesses whose data centers have been hacked, offers some key insights on what you can do to prevent being attacked and to limit the damage in the event that an attack is successful:
“By using network segmentation, it can help prevent your entire system from getting compromised if hackers are able to access one of your networks. It also gives you time to react in the worst-case scenario where the other networks are also in danger of being hacked.
With network segmentation, you can also specify which network resources your users have access to. In a world where malicious internal users make up at least 30% of data breaches, this might be the biggest benefit of network segmentation.”
— Mark Soto, owner of Cybericus
Final Thoughts on Data Center Security
Businesses run on data, and your ability to keep that data safe can make or break your organization.
Your data center is the place where your network computers, servers and other essential components are stored. It’s your data’s safe haven in the midst of a disaster.
Keep your servers, network, and other related equipment as safe as humanly possible by implementing the following data center security best practices:
- Put physical security measures in place that prevent bad guys from physically gaining access to your network and data storage equipment.
- Implement and enforce access restrictions that ensure only those who need access (both physical and virtual) have it.
- Use the right security tools to report on and protect against many digital security threats.
- Keep everything up to date and patched to eliminate known vulnerabilities.
- Have secondary systems and data backups in place that you can rely on when things go south.
If you’re exploring the idea of using a cloud or managed hosting service provider, you have less control over the physical security measures that are in place than you would with an in-house data center. However, you can ask the service provider to provide you with compliance reports, which can help you feel more confident in their security capabilities.
We’re sure that you have additional suggestions for data center security, and we’d love to hear ‘em. Be sure to share your insights and suggestions in the comments below.