Why is the cloud more physically secure than on-premise computing?
The thing about data security…
Uncertainty about the security of the cloud has often been the deciding factor that has made some businesses retain an on-premise approach to provisioning technology to support operations.
High-profile security breaches involving large volumes of data, typically hackers stealing account, password and other personal information from online businesses, have created much doubt and distrust about the cloud, not to mention anxiety for those who have had their information stolen.
- In November 2016, in the largest ever cyber-attack of its type on a UK bank, Tesco Bank was hit in a spectacular attack which resulted in 9000 customers being collectively relieved of £2.5 million.
- In the TalkTalk data breach of October 2015, the personal and banking details of up to four million customers are believed to have been stolen, with some TalkTalk customers being targeted and defrauded by cyber criminals.
- The Ashley Madison attack in July 2015 must rank as one of the most serious, with almost 40 million accounts compromised, including the theft of some very personal details and private communications with other website users.
However, a focus on such leaks ignores the other side of the IT security coin, that of physical security. All the firewalls and complex passwords that guard network access are useless if someone is able to copy server data onto a device in a data centre and walk off with it.
Data centres are more secure by design
If we consider the design of the physical security of a data centre, there are industry standards and legal requirements for companies in the data centre market relating to hosting and safeguarding sensitive or confidential data.
When correctly implemented and maintained in compliance with BSI ISO 27001, or international equivalents such as SSAE16 in the US, data centre computing is far more secure than on-premise computing.
To implement the regulatory requirements and guidelines effectively, the principle of layered security is used.
The role of the first layer is to provide the three Ds: deter, detect and delay an attempt at unauthorised entry to the data centre site.
The objective of the second layer of protection is to restrict access if a breach has occurred at the perimeter. Preventing access to buildings, indoor CCTV surveillance for identification and monitoring, and multiple access control measures are all essential.
Computer Room Controls
The role of the third layer of physical security is to restrict access by using multiple forms of verification and access control measures. Turnstiles, biometrics and video analytics may all be deployed at the boundary to this layer because access is generally restricted to a small team.
The fourth layer restricts access to the racks and cabinets which physically house the data centre servers and storage. Locked cabinets and audited access are designed to prevent authorised persons who have access to the physical layer from accessing servers and equipment for which they may not be authorised. This helps defend against the insider threat of authorised persons wilfully breaching security.
Secure cloud computing with HTL Support
The vast majority of business sites and offices where on-premise computing is conducted are unable to meet the physical security criteria set out above.
HTL Support data centre facilities conform to Tier 3, one below the fourth tier which is used by organisations for whom IT is deemed mission critical, such as NASA. These are quite complex specifications, but essentially it means Tier 3 data centres are able to provide availability for 99.982% of the time, or near continuous operation.
Indeed, when considering migration to the cloud, it is worth noting that the three attacks above and the vast majority of similar ones are more likely to result from poor digital IT security practice by the company itself, rather than a data centre service provider.