
PHYSICAL SECURITY

Understanding Physical Attacks

Physical Security By Marcus Edwards, Owner of Server Fortress Limited

Introduction

Data centre security is about minimising risk and maximising operational uptime. Of the two types of security, cyber and physical, the emphasis is usually put on cyber security, which is clearly the obvious risk. High-profile events like North Korea’s attack on Sony underline the threat of this type of action. The main focus should be on providing security against such attacks, which are happening all the time. Marcus Edwards explains why physical protection should not be neglected.

Physical Attacks

Typically, physical attacks on data centres are lower profile events and much less frequent, but they do still happen and they can be catastrophic. When we imagine this type of physical attack we normally think about thieves stealing physical equipment for resale. When this occurs the resultant breakdown in service or loss of key data can be an embarrassing and costly by-product, as Vodafone found to their cost when their service was disturbed in 2011 after network equipment was stolen from their Basingstoke data centre. Another attack occurred in 2007 when five thieves disguised as police stole up to £1 million worth of computer equipment from a ‘state-of-the-art’ data centre in the Kings Cross area of London.

The vast majority of UK data centres have very good security measures in place to guard against this type of theft. Security fencing supported by CCTV and lighting, plus controlled vehicle and pedestrian access, makes theft by your casual opportunist nearly impossible. Clearly these measures are necessary and should not be overlooked. Once in place the data centre is secure for all but professional planned attacks. These are unlikely to be carried out by your usual, home-grown criminal gang, as the financial rewards of obtaining IT hardware do not justify the risks involved.

So, does this mean all is right in the world of physical security for data centres? Unfortunately, gangs of professional thieves turning up to steal lorry loads of servers are not the major threat. The main threat in terms of physical security comes from within, as most of the large thefts of data are often a result of inside jobs or negligence. For example, Edward Snowden leaked thousands of classified documents, much to the embarrassment of the USA and UK governments. The disgruntled or criminally minded employee is probably the biggest physical security threat faced by small businesses. Stealing information in order to help with another employer or to set up their own business is a crime that also appears to be growing rapidly if you look at the conviction rates. High security fences and access control into the building will not protect against the authorised employee. Access to data and to the physical storage devices needs to be controlled and recorded per individual. Assets and data also need to be ring-fenced and segregated to minimise any potential loss.

Defence in Depth

Remote cyber-attacks are the biggest threat to all data, but physical protection should not be neglected.

12 NETCOMMS europe Volume V Issue 2 2015

This is all fairly straightforward and in line with The HMG Security Policy Framework, Version 11.0 – October 2013 issued by The Cabinet Office, which states the following: “The ‘defence in depth’ or ‘layered’ approach to security starts with the protection of the asset itself (e.g. creation, access and storage), then proceeds progressively outwards to include the building, estate and perimeter of the establishment.” The significant point is that security should start as close to the asset as possible. This limits any potential loss even from malicious individuals from within the organisation.

The framework covers the normal commercial risks. However, there is a lot of sensitive data that could be subjected to another type of professional attack. Government backed cyber-attacks are not a thing of fantasy. Governments have teams looking at this in terms of both defence and as an offensive tool. Thanks to Edward Snowden, we know the UK’s GCHQ has gained access to the network of cables that carry the world’s phone calls and Internet traffic and has started to process vast streams of information that it’s sharing with its American partner, the National Security Agency (NSA). This is what we know, so far, about our own ‘friendly’ security organisations. It would be very naïve to assume other governments are not doing the same with commercial objectives.

I’m not suggesting that data centres are likely to be attacked by foreign backed intruders with guns and ski masks. Physical attack is normally much more subtle. The next question is who could be targeted? Government institutions, including the police and military, are obvious targets, but the banks, financial services, technology and research institutions are also potential targets. Once you widen the catchment to cover these areas nearly all multi-national companies, and even universities, become potential targets.

Caging

What types of subtle physical attack are we talking about? Network eavesdropping is the main threat and that gets easier once you have access to the building where the network is situated. In private office buildings you need to keep network points in meeting rooms away from visitors. Data hosting centres create another issue. As mentioned earlier, most data centres have very good perimeter security and record whoever enters the actual data centre. Is this good enough against truly professional eavesdropping? What other companies are based in the hosting centres? Could any of

www.netcommseurope.com


NETCOMMS EUROPE VOL 5 ISS 2 MARCH 2015  

NETCOMMS EUROPE Magazine is the first and only Pan European journal dedicated to the network and data communications marketplace. Published...
