If you’ve stored valuable data in a colocation facility, it’s easy to adopt an out-of-sight, out-of-mind attitude about the materials housed in a provider’s storage cages. After all, you’re paying a fee for the provider to keep your materials safe and guarded, right?
In principle, yes. However, according to Mark Seiden, a security services expert with Silicon Valley-based Securify, few colocation facilities are as secure as you would like to think. In this article, Seiden discusses some security threats and shares some steps a firm can take to better ensure the safety of its materials stored off-site under a third party’s roof.
So how vulnerable are many colocation facilities? In Mark Seiden’s 15 years of experience in the security consulting field, he has yet to encounter a facility that he couldn’t break into. Granted, as a professional, Seiden has certain insight and skills that may give him an edge in slipping into some facilities. However, there are many more people out there with similar know-how who may be in line to take advantage of a provider’s weak security.
Just recently, Seiden checked up on a client’s colocation provider and discovered that the lock to his client’s vault was inoperable.
“I walk up to the vault, the door’s open, there are people working inside, and I can see that the lock is visibly broken…. Nobody at the facility did regular tests on the lock.”
Interestingly, in this case, the colocation provider maintains a 100 percent liability warranty. If a customer incurs a loss because of fraud, theft, or tampering with the database, the provider agrees to pay everything back to the customer.
“If somebody had gotten in their vault using this vulnerability and had stolen their back-up tapes, [the colocation provider] would be out of business.”
Of course, that’s bad news for the provider, but if valuable data got into the wrong hands, the firm storing the data is often still liable for any damage that could result from the loss or exposure of data.
For example, according to the Health Insurance Privacy Act (HIPA), a firm cannot shift liability onto a third-party outsourcing provider. If health records happen to be housed in a vulnerable colocation cage and are stolen or copied and replaced, the potential for disaster is immense.
“Consider this,” says Seiden. “The back-up tapes have the health records of some celebrity and subsequently end up in a newspaper. The colocation customer is liable here.”
Don’t rely on trust alone
Depending on the nature of the information you’re storing, liability may or may not be an issue for your firm. According to Seiden, the information that most companies house in colocation facilities “isn’t that important or secret.” However, even if the information is noncritical database material, it’s still a problem when curious people gain access to your records in a supposedly secure facility.
“The thing about these facilities is that almost inevitably, you’ll have to trust their employees,” says Seiden. What’s more, you have to trust the facility’s vendors and other tenants who are all wandering around the facility at various times for various reasons. Based on his experience, however, Seiden believes that simply putting trust in a facility is an inadequate measure.
“You don’t have to trust them. What you can do is put your own intrusion detection in; you can put your own video in your cage…. At this point, a USB camera costs $29.”
In addition to a USB camera, Seiden claims that free motion-detection software exists on Linux that will trigger the camera to start snapping pictures and record them onto a disc.
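As an added illustration (not code from Seiden or from any particular Linux package), the Python below shows the frame-differencing idea behind motion-triggered capture, including the requirement of several moving frames in a row so that sensor noise does not trigger a recording. The function names, thresholds and the 20x20 sample frames are assumptions constructed for the example.

```python
# Added illustration: frame-differencing motion trigger for a cage camera.
# All names, thresholds and frames here are assumptions made for the example.

def changed_fraction(prev, cur, pixel_delta=25):
    """Fraction of pixels whose brightness moved by more than pixel_delta."""
    total = changed = 0
    for row_prev, row_cur in zip(prev, cur):
        for a, b in zip(row_prev, row_cur):
            total += 1
            changed += abs(a - b) > pixel_delta
    return changed / total

def detect_motion(frames, min_fraction=0.02, min_consecutive=2):
    """Return the indexes of frames that would be saved as snapshots.

    A frame is "moving" when at least min_fraction of its pixels differ
    from the previous frame. Saving starts only after min_consecutive
    moving frames in a row, so one noisy frame does not fill the disk.
    """
    snapshots, streak = [], 0
    for i in range(1, len(frames)):
        if changed_fraction(frames[i - 1], frames[i]) >= min_fraction:
            streak += 1
            if streak >= min_consecutive:
                snapshots.append(i)
        else:
            streak = 0
    return snapshots

def make_frame(person_at=None, flicker=False, size=20):
    """Constructed 20x20 grayscale frame: dim cage, optional bright figure."""
    frame = [[40] * size for _ in range(size)]
    if flicker:
        frame[0][0] = 255                      # single hot pixel (sensor noise)
    if person_at is not None:
        for y in range(5, 11):
            for x in range(person_at, person_at + 6):
                frame[y][x] = 200
    return frame

# Constructed sequence: idle, noise, someone crosses the cage, idle again.
SAMPLE = [make_frame(), make_frame(), make_frame(flicker=True), make_frame(),
          make_frame(person_at=0), make_frame(person_at=3),
          make_frame(person_at=6), make_frame(), make_frame()]

if __name__ == "__main__":
    print("snapshot frames:", detect_motion(SAMPLE))
```

With min_consecutive set to 2, the first frame in which the figure appears is not saved; lowering it to 1 captures that frame at the cost of more false triggers.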
Double-up on cabinetry
Although many colocation facilities lease cages or vaults with built-in cabinetry for machines, there’s no reason why a firm should limit itself to what’s provided. By including your own customized cabinetry, you can create an extra security layer that you will be responsible for maintaining.
“You can control who has logical access to your machine and make access to those machines as ‘paranoid’ as you need. Maybe double custody in the case of really important secrets.”
If budget constraints keep you from purchasing additional secure cabinetry, it may be necessary to single out some of the more critical storage material to house in an extra cabinet.
“You have to figure out where to spend the money, and there’s no point in spending money protecting something that is not an asset,” says Seiden. “Companies are really bad at figuring out what their secrets are. If everyone knows that a firm’s customers are the Fortune 500—that customer list needn’t be sealed away under multiple cabinet layers.”
However, if you’re storing the hardware security modules that hold your encryption keys, it might be worth investing in some extra precautionary measures.