Standard needed for datacentre security
How do you know your partner is really secure, asks Simon Neal
Neal: ISO 27001 does not guarantee the security level
When organisations outsource the management of their IT systems to datacentre providers, there is a chance for the channel to offer such services themselves.
But there is a surprising lack of transparency around security, an important criterion.
It is easy enough to find out which technologies datacentres use to protect the data they hold – and if a provider is particularly keen to impress, it may even be able to itemise the processes that mitigate physical attacks and social engineering exploits. But there is no regulated 'gold standard' for what constitutes an acceptable level of risk or security specifically within the datacentre, either in the UK or internationally.
Datacentre providers have therefore sought to demonstrate their security credentials via accreditations like ISO 27001, the standard for an information security management system that specifies various systematic controls. They can then be formally audited and certified compliant with this standard.
However, ISO 27001 does not guarantee that information is completely protected. While ISO 27001 certifies that a security management system is in place, it doesn't necessarily specify the technologies used, such as antivirus systems and firewalls.
I believe this is confusing. Even more confusing is that a provider can both define and limit the scope of what the certification covers, which means it is often far from clear to an outside observer to which part of their operations it refers.
For example, the ISO 27001 accreditation may only refer to specific sites, or parts of a site, rather than covering the entire organisation. In extreme cases, it may only cover processes such as recruitment or HR, rather than total information management.
Also, some accrediting organisations are not recognised by the UK Accreditation Service (UKAS), which is the only national body recognised by government to assess such organisations.
As such, some ISO 27001 certificates have been awarded by non-UKAS-approved bodies, so I question the ultimate value of their accreditation.
ISO 27001 is a good indicator that the accredited company is taking security seriously – but it's not a cast-iron guarantee that a datacentre provider is offering a truly ultra-secure service.
As the datacentre industry expands, I believe that a specific regulated standard needs to be created that addresses all aspects of security that pertain to the datacentre. This should cover the three key areas that constitute total information security: digital, physical and human.
* Digital security should encompass the technologies and processes that protect data in cyberspace and should be assessed regularly against all known vulnerabilities.
* Physical security should look at everything from the strength of the datacentre's walls to the safety of its location.
* Human security should audit all data protection processes, from the management of visitors on site to the ongoing training of staff to recognise social engineering exploits.
This should help partners and customers make a properly informed choice when selecting a provider. For a datacentre to be truly ultra-secure, it must conform to a different set of criteria from any other business. I believe a specific datacentre standard for security is needed.
Simon Neal is chief operating officer at The Bunker