
(1)

charlesrussellspeechlys.com

Mark Bailey - Partner

Data Centres North

Data Centre Security – is the tail wagging the dog?

(2)

Why do data centres exist?

• process data?

• protect data?

Is data security actually (primarily) the customer’s responsibility?

Does the answer change when operators move beyond pure colocation?

Are we going too far on security?

Emerging issues

• Critical national infrastructure

Introduction

There is only one cure for grey hair.

It was invented by a Frenchman.

(3)

What is Data Centre security?

11 - 12 May 2015

Physical Security

• Location
• Security gates/perimeter
• Fences (planning NB)
• “intelligent perimeter”
• Access controls
• Video surveillance/video content analysis
• Computer rooms
• Facilities
• Disaster recovery
• Business continuity

Personnel Security

• Staff screening
• Staff monitoring
• Staff training
• Contractor reliability – standard of conduct vs. supervised/accompanied access
• Visitor reliability – access logs

Information Security

• Cloud standards ISO/IEC 27018:2014 (ETSI/ENISA)
• Encryption
• Public vs. private vs. hybrid
• Risk of overlapping customer standards
• Government classifications
• Cloud security principles (Cabinet Office)

Cyber Security

• All of the above but new dimensions
• Cyber insurance?
• Risk of overlapping customer standards
• Schemes: Cyber Essentials/Cyber Essentials Plus

Threats

IT: malware, viruses, trojan horses, hacking, spam

Physical: intruders, theft, sabotage, uncontrolled access

Personnel: insider – contractor, disgruntled employees, criminal spies, social engineering, password cracking

• Build the walls higher – prescriptive

(4)

A few provocative questions/thoughts

Data Centre Security

It’s better to outsource to a specialist data centre than host and manage internally

The supplier doesn’t care what the data is, or what sector its customer is in

You don’t need much physical security if the data is encrypted

There are data safe havens

Physical location is irrelevant

Data is already compromised – get over it

Data security is the customer’s responsibility

Can someone clever design something so secure that no law enforcement authority could crack it?

(5)

Data Centre Security

Why does the IT service provider get it in the neck?

[Diagram: Bank A, Bank B, Bank C; ‘Cloud’ Infrastructure as a Service; Data Centre Colocation Provider]

A recent example

[Diagram: Bank A, Bank B, Bank C; Regulator; Regulated Firm; Unregulated Mobile Provider; Data Centre Colocation Provider]

It may not matter who is actually responsible - who gets the blame?

Our experience is that the managed services provider/infrastructure provider often gets the blame (even if it is not liable)

(6)

Data Centre Security

Legislative complexity

[Diagram: Information Society Services, Market Operators, ISPs; Data; Telecommunications; Critical Infrastructure (energy/environment)]

Information Service Providers: ecommerce, internet payment gateways, social networks, search engines, cloud, app stores

Control infrastructure: banking/stock exchange, energy, transport, health, public administrations

Data Protection Directive 95/46/EC
General Data Protection Regulation
NIS Directive 2013/27/EC
Mandatory breach rules
E-privacy Directive 2002/58/EC
Framework Directive 2009/140/EC
European Critical Infrastructure Directive 2008/114/EC
Regulation of Investigatory Powers Act 2000
Data Retention and Investigatory Powers Act 2014

(7)

Whose job is security?

[Diagram]
Professionals: Legal, Audit (internal/external), IT Security, Infosec, Compliance, Quality assessors
The board
Data Centre: Applications, Operating Systems, IT hardware, Physical layer
Facilities Management: Power, M&E
IT
property

Too many cooks?

“The most profitable investments as evidenced by the lower cost of data breach are the appointment of a CISO with enterprise-wide responsibility and the engagement of external consultants”

Source: 2011 Cost of Data Breach Study: UK (Ponemon Institute)

How does this impact the data centre – which side of the fence is the CISO on?

(8)

What drives security?

Standards

Contract

Law

Compliance for the sake of compliance or real compliance?

Government/ regulator pressure

Customer Pressure (and their customers)

Supplier competitive advantage

(9)

Data Centre Security

Data centres – where do the risks arise?

Full outsourcing
SaaS
PaaS
IaaS and sub layers
Smart/remote hands
Telecoms network
• ISP
• Mere conduit (ecommerce regulations)
Colocation

Access to data? Is data encrypted?

DCIM? SCADA, BMS

PCI DSS (principles 9 & 12)

Multitenant: public vs private


(10)

Contractual considerations

A need for transparency


Tell the customer what you are responsible for and what you are not responsible for

• Good up front due diligence
• Physical visit
• Policies and procedures – compliance driven?
• Evaluation vs negotiation
• Information Security Plan
• Maintaining certifications
• Penetration testing
• “Loss of data” liability – is the supplier guaranteeing data security – what is “loss of data”?
• Unlimited liability (for loss of data, breach of confidentiality, data protection fines)
• Attempts to get more than you pay for with a standard “commodity” service – allocating liability
• Procurement/lawyers not understanding the service

(11)

Contractual Considerations

A need for transparency

The legal contract

The key tool for governance, including details on charges, terms and termination, risk and liability

Change control

Used for all operational moves/adds and any changes short of legal changes to the agreement (which are governed by a variation agreement)

Certifications

The business will almost certainly have ISO 27001 certification and possibly ISO 9000 series certification for its document management

Operations Manual

The key operational document recording the services/functions the business will perform. It records how services are performed in practice and remains a “live” document rather than a schedule to the legal agreement

Service desk

This will manage the ticketing, helpdesk and service incident reporting

Risk register

There may be other documents which record assumptions around risk

Service methodology

Documentation will be supported by a service methodology, e.g. ITIL, or PRINCE2 for project methodology; these require their own documentation

(12)

Encryption positions

Not a processor: “no possession custody or control of data”

Processor: Data Protection Directive 95/46/EC

NB encryption not mentioned in the Regulation draft text

Justice & Home Affairs Committee (Council of Ministers) Luxembourg meeting Winter 2014: no duty to notify if data is unintelligible to any person not authorised to access it (?need for prior Data Protection Impact Assessment (DPIA))

Where does risk begin and end in terms of responsibility for data?

“Processing” shall mean any operation which is performed upon personal data, whether or not by automatic means, such as:

• collection
• recording
• organisation
• [structuring]
• storage
• adaptation or alteration
• retrieval
• consultation
• use
• disclosure by transmission, classification or otherwise making available
• alignment or combination
• blocking
• erasure or
• destruction

• personal data – any information relating to a data subject

(13)

Data Centre Security – Key Risks

IT Supply Chain

Typical managed services/IT supply chain: Customer’s users / clients → Customer → Service Provider → Software/managed service provider → Data centre / host → Other service providers e.g. telco

Typical automotive supply chain: Manufacturer → Subassembly supplier → Component manufacturer → Raw materials

What happens if an automotive supply chain goes wrong?

• Supply chain issues are covered by product warranty – repair or replace
• Product liability in certain sectors, e.g. automotive, is strictly controlled by industry-specific quality standards and processes
• Product recall provisions are common to control defects in issued products

What happens if a managed IT service goes wrong?

• Typically the service just fails and is not available / service performance is adversely affected
• Failures cannot be rectified by having stocks of components or using up existing capacity
• Product recall does not apply as there are no goods to recall; the ability to transact the affected function or business just stops unless there are appropriate business continuity or disaster recovery plans in place which actually respond
• Strong focus on business continuity arrangements

(14)

Data Centre Security

Sector specific approach – a way forward?

Financial services
• FCA Handbook SYSC8
• Staff screening in financial services
• ESMA guidelines
• “Dear Chairman” letters
• Fujitsu report: financial services “at a standstill in the adoption of technologies the mobile, cloud and big data”

Retail
• PCI DSS v3.0
• Point of sale security (Essential Supplies Order)

Government
• G Cloud
• New government security levels classification (April 2014): OFFICIAL, SECRET, TOP SECRET
• Cyber Essentials/Cyber Essentials Plus
• PSTN
• Cloud Security Principles 14 August 2014
• Connecting for Health

A need for transparency – tell the customer what you are responsible for and what you are not responsible for

(15)

charlesrussellspeechlys.com

Charles Russell Speechlys LLP is a limited liability partnership registered in England and Wales, registered number OC311850, and is authorised and regulated by the Solicitors Regulation Authority. Charles Russell Speechlys LLP is also licensed by the Qatar Financial Centre Authority in respect of its branch office in Doha. Any reference to a partner in relation to Charles Russell Speechlys LLP is to a member of Charles Russell Speechlys LLP or an employee with equivalent standing and qualifications. A list of members and of non-members who are described as partners, is available for inspection at the registered office, 5 Fleet Place, London. EC4M 7RD.
