Gianluca Riglietti, Head of Research & Intelligence at PANTA RAY
*Picture by courtesy of SUPERNAP Italia, the largest data center in Southern Europe.
An exabyte is a unit of measure equal to 1e+18 bytes. For those who don’t speak the language of computer experts, that is several tons of information. As reference, all the words ever spoken by humans in history is barely 5 exabytes. The volume of data that is now present on the face of the earth is of nearly 31,000 exabytes. This means societies have generated an incredible amount of knowledge to this day, probably more than we can utilize with current technology.
However, while we try to figure out what to do with all this data, there is a much more basic issue to address, which is where to store it and how to protect it. Currently, storage demand surpasses supply by one third, whereas by 2020 there will be an excess of 100%, meaning half the data in the world won’t have proper storage availability, let alone protection. As icing on the cake, we live at a time when regulators are finally waking up to the importance of data protection and have decided to start imposing pricier fines for non-compliance, as in the case of the EU General Data Protection Regulation. The reason for such a data-apocalypse of a premise is that, despite the challenges listed above, there are organizations that still believe they can store all of their information in-house or in data centers that are everything but impeccable.
Data has become one of the most valuable commodities nowadays, so much so that experts love to compare it to oil or gold. While they are right in considering it precious, it is also worth remembering how vulnerable data is to a variety of threats. Below, I’m going to list some of the most recurrent ones, with the goal of providing some tips for building a sound data center.
It outages & utility supply
IT outages are sometimes overlooked when scanning the threat landscape, as organizations might consider them quite ordinary and not as concerning as cyber attacks or hurricanes. However, the truth is that outages are one of the most common causes of disruption for an organization and they are often connected with other unfortunate events such as natural disasters or cyber incidents.
For instance, in recent years airlines have been struck by a series of IT outages, such as British Airways in 2017. In this case, the interruption was caused by the mishandling of an external data center by an employee. Research from the Uptime Institute shows that the majority of organizations believe they could have prevented past outages and also that they do not have clear visibility of the threats to their data centers. On the bright side, redundancy is mentioned as a good mitigation measure, with particular reference to systems such as 2N architectures.
On a similar note, utility supply should be guaranteed and protected with back-up solutions. Indeed, data centers consume vast quantities of energy, raising an issue of sustainability too. Looking at the future, organizations such as Google are developing artificial intelligence and machine learning software that can modify energy consumption based on external conditions (e.g. temperature). In its initial implementation on the ground, this new solution has led to a consumption reduction of 30%.
Tip #1: Make sure your data center has redundant systems to keep the servers operative in case of a disruption.
Tip #2: Staff are as important as technology (if not more!). Train them and make sure they develop the appropriate know-how.
Business continuity and disaster recovery are two disciplines that were originally created to counter weather incidents such as floods, thus it is mandatory to dedicate a section to adverse natural events. This does not only include weather events but also geological risks such as earthquakes. Verifying that the geographical area is fit for purpose is a crucial strategic step, which must take into account elements such as seismic activity, proximity to large water basins and hazardous facilities.
One of the main problems with picking the perfect spot is that data centers are often readapted buildings that were originally used for other purposes, which leads to less-than-perfect locations. It is surprising to see how often organizations decide to store their data near rivers or the sea, trading safety for a nice view.
Tip #3: Don’t build your data center next to your favorite beach.
Tip #4: The foundation of a safe data center consists of a careful geographical and geological assessment.
Wherever there’s gold, you can find thieves. As data has become more and more valuable, cybercriminals have started to pay attention. Today, online attacks are the fastest growing threat to data centers, with a 20% increase over six years, according to a 2016 report from the Ponemon Institute . This means that organizations need to rethink the very idea of security around data centers, which has traditionally been based on physical defenses. While that is still a legitimate concern and physical security teams should be present, they must be complemented with cyber security and business continuity teams, in order to formulate a cyber resilience response.
As if it weren’t enough, cybercriminals have come up with a new type of attack, which is tailor-made for data centers, called cryptojacking. In technical terms, cryptojacking consists in having a piece of software installed on a machine – unbeknownst to its owner – that mines cryptocurrencies to earn money. What this means is that attackers are verifying transactions in exchange for online currencies. While mining itself is not illegal, the fact they are using your device to do it is indeed against the law. This can lead to the machine becoming slower and overworked. In addition, should the attackers wish to make a few extra bucks, they can always resort to good old ransomware, given they are already inside your perimeter .
On a related note, physical and cyber teams should cooperate on possible breach points. Especially with the introduction of IoT technologies, such as smart cameras and sensors, vulnerabilities have multiplied. This is particularly concerning as IoT devices represent the connection between the physical and cyber worlds.
Tip#5: Do not forget cyber resilience. Cyber security and business continuity teams should work together to detect and mitigate online threats.
Tip#6: Your cyber resilience units should work in harmony with your physical security ones. You are missing a trick if you don’t bring down organizational silos.
The human factor
I am a millennial. I grew up in the 1990s and therefore the Toy Story saga has a special place in my heart. Not many people know, however, that the second part of the trilogy was close to being completely erased when an employee ran the wrong program and deleted most of the plot, while at the same time the back-up system failed and Woody and Buzz seemed to be gone forever. Luckily, another employee discovered that they had a back-up file at home and saved day (isn’t that a great finale??).
The lesson here is that your staff can be your best ally and worst nightmare at the same time. The key to making things work is establishing a strong resilience culture. Having a back-up is not enough if it isn’t checked regularly and there is no redundancy. Awareness initiatives, training and exercises need not be just tick-the-box practices but effective measures to put employees in front of real-life problems. Technology is not enough if the appropriate know-how isn’t developed.
Having the right processes in place will spare you from relying on luck to keep your business going, as in the case mentioned above.
Tip#7: Don’t just tick the box. Build a resilience culture through awareness, exercises and regular training.
The goal of this article was to show not only problems but solutions, providing advice on how to choose the right place where to store your data. This is an especially modern challenge, something our society hasn’t adjusted tremendously well to, but it is necessary to address it and to do it well. It is a matter of preserving your customers, your reputation and your bottom line. Data protection is unlikely to become easier; however, building the right foundations today is the key to making the job simpler tomorrow.
 BCI Horizon Scan 2019