They say that the only things that are certain in life are death and taxes. Well, we would argue that there are three certainties: Death, taxes, and the season’s annual influx of messaging about the importance of cybersecurity.
We’ve all seen the fear-mongering social posts about data leaks and the dire calls for improved firewalls or zero-trust mechanisms. This special month of the year known as Cybersecurity Awareness Month, despite its good intentions, always betrays an interesting gap when it comes to IT protection. Here’s the truth: If anyone needs a reminder to improve their security protocols and IT security operations, there’s already a problem. When you think about it, the biggest threat to data and IT security might not even be the cyber criminals themselves — it might be an organization’s tendency toward complacency.
The state of cybersecurity and digital threat is such that all organizations should already be so extensively prepared and safeguarded that October’s Cybersecurity Awareness Month shouldn’t even faze us. Especially for data center tenants, the security offered by their provider should be so robust that any calls for improved cybersecurity or fear-mongering messages can remain firmly off the radar. That fully protected reality can only happen when cybersecurity stops being a month-long frenzy and starts being a year-round, constantly evolving strategy.
Here’s a look at how we do that at Stream.
The Synergy Between Cybersecurity and Physical Security
In a data center, there can’t be cybersecurity without physical security. Any digital weaknesses that exist are a first point of attack for bad actors, serving as a gateway to mission-critical systems within the facility. If robust physical and digital protection is not properly monitored and maintained, bad actors can render card readers, video cameras, billing systems, air handlers, power systems or HVAC units unavailable or totally unusable. It goes without saying that these elements are the bread and butter of the data center service ecosystem, and operations can’t go on without them.
So, cybersecurity and physical security measures are put in place to close any and all gaps, creating end-to-end protection across the whole facility, for every piece of equipment within it and every individual and device that touches the network. Sure, company-wide anti-phishing campaigns and informational emails about network best practices are important. So is password health and protection — but these alone don’t make up the discipline of cybersecurity (even if done perfectly), and they don’t really acknowledge how physical security factors into cybersecurity within a mission-critical environment.
It’s for these reasons that Cybersecurity Awareness Month does little to properly prepare the landscape of IT for the realities of data protection. When we look at cybersecurity, physical security must be part of the conversation in order to capture the full scope of robust protection, and that’s exactly how we create holistic security at Stream facilities.
Our Security is Going in Circles (And That’s a Good Thing)
At Stream, the security design across all our data centers is built on concentric rings. This means that there are a number of barriers between the outside (the uncontrolled area outside the data center grounds) and the asset at the core of the data center: the customer space. These barriers are diverse and present an array of mechanisms that thwart attacks on data and mission-critical systems. Included within these rings are doors, cameras, turnstiles and more.
In between those barriers are intervention zones. This is where detection and response occur. So, if someone is able to compromise the first barrier, we have an intervention zone in place before the second barrier can be breached. This method can be personalized for customers as well. That means that if a larger customer has a developed corporate security department with additional standards that must be co-mingled with the Stream data center space, that can be accomplished successfully. This empowers our customers to remain in sync with their security and compliance, leveraging access to badgeholder activity, camera views and more on an as-needed basis.
Speaking of compliance — we work hard to incorporate every possible compliance certification to help our customers rest assured their information is safe with us. As an example, Stream has implemented and applied the ISO/IEC 27001 governance standard to all its data centers. This is regarded as the gold standard of information security, defining how to implement, monitor, maintain, and continually improve the Information Security Management System (ISMS). It also prescribes a set of best practices that include documentation requirements, divisions of responsibility, availability, access control, security, auditing, and corrective and preventive measures.
Of course, this all works in tandem with our cybersecurity processes to create the most secure, impregnable space possible for our customers to depend on.
Doing Our Due Diligence
We always say that our biggest asset at Stream is our people — and that will always be true. In fact, our two security masters (Ron Chandler, Director of Information Security, and Chris Miller, Director of Corporate Security) have worked together for around two decades. You can’t get much better synergy across physical and digital protection than that. However, it’s every data center provider’s duty to acknowledge that their people can also be their biggest liability in the case of cybersecurity and physical protection.
Human error is a major cause of breaches, which means that up-to-date educational procedures and network privilege systems are a must to keep users from inadvertently becoming the network’s worst enemy. (We get it, it’s exciting to be chosen by a Nigerian prince as the heir to a massive fortune, but those discussions are best left out of the business network.) So, we implement a system of network privileges that are elevated depending on role. There are warnings and precautions in place about what can, cannot, and should never be done across the network.
Of course, as Miller notes, we also realize that every device is a peripheral device of the network. Whether it’s a card reader, a camera, a light or otherwise, each one probably still runs its factory firmware. That’s a detail a lot of people might overlook, but it’s a detail that calls for implementing VLANs and segregated networks so that even if someone reaches one of these peripheral devices, they won’t be able to go any further. This peripheral device challenge also extends to third-party vendors in the event they must come on-site and plug in laptops to update firmware in HVAC units or elsewhere. In the question of security, no potential vector can be ignored.
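One way to turn the segmentation point above into a repeatable check, as an added example that is not Stream’s code: a small Python audit over a constructed device inventory and ACL list that flags any permitted flow from a peripheral or vendor VLAN into corporate or customer space, and any peripheral device that is not actually sitting in a peripheral VLAN. All VLAN names, addresses, device names and rules are constructed for illustration.

```python
"""Segmentation audit for data-center peripherals (card readers, cameras, HVAC
controllers, vendor laptops). Constructed example; VLAN plan and rule format
are hypothetical, not any real facility's configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN plan: each peripheral class gets its own segment, vendor
# laptops land in a quarantine segment, and only the controllers are reachable.
VLANS = {
    "periph-access": ip_network("10.50.10.0/24"),     # card readers
    "periph-video": ip_network("10.50.20.0/24"),      # cameras
    "periph-bms": ip_network("10.50.30.0/24"),        # HVAC / air handlers
    "vendor-quarantine": ip_network("10.50.90.0/24"),  # vendor laptops
    "controllers": ip_network("10.60.0.0/24"),        # access-control / video servers
    "corp": ip_network("10.10.0.0/16"),
    "customer": ip_network("172.16.0.0/12"),
}
PERIPHERAL_VLANS = {"periph-access", "periph-video", "periph-bms", "vendor-quarantine"}
PROTECTED_VLANS = {"corp", "customer"}
PERIPHERAL_KINDS = {"card-reader", "camera", "hvac", "vendor-laptop"}

@dataclass(frozen=True)
class Rule:
    src: str       # source VLAN name
    dst: str       # destination VLAN name
    dst_port: int  # 0 means any port
    action: str    # "permit" or "deny"

def audit_rules(rules):
    """Findings: a peripheral segment permitted into a protected segment, or
    permitted to talk sideways to another peripheral segment."""
    findings = []
    for r in rules:
        if r.action != "permit" or r.src not in PERIPHERAL_VLANS:
            continue
        if r.dst in PROTECTED_VLANS:
            findings.append(f"{r.src} -> {r.dst}:{r.dst_port or 'any'} permitted (breaks segmentation)")
        elif r.dst in PERIPHERAL_VLANS and r.dst != r.src:
            findings.append(f"{r.src} -> {r.dst}: lateral path between peripheral segments")
    return findings

def audit_placement(devices):
    """Findings: a peripheral whose address is outside every peripheral VLAN,
    e.g. a camera patched into the corporate network by mistake."""
    findings = []
    for name, kind, ip in devices:
        vlan = next((v for v, net in VLANS.items() if ip_address(ip) in net), None)
        if kind in PERIPHERAL_KINDS and vlan not in PERIPHERAL_VLANS:
            findings.append(f"{name} ({kind}) at {ip} sits in {vlan or 'unknown'}, not a peripheral VLAN")
    return findings

# Constructed sample: one bad ACL, one lateral vendor path, one misplaced camera.
SAMPLE_RULES = [
    Rule("periph-access", "controllers", 443, "permit"),
    Rule("periph-video", "controllers", 554, "permit"),
    Rule("periph-video", "corp", 445, "permit"),
    Rule("periph-bms", "customer", 0, "deny"),
    Rule("vendor-quarantine", "periph-bms", 0, "permit"),
]
SAMPLE_DEVICES = [("door-reader-01", "card-reader", "10.50.10.11"),
                  ("cam-lobby-02", "camera", "10.10.4.22"),
                  ("ahu-03", "hvac", "10.50.30.7")]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES) + audit_placement(SAMPLE_DEVICES):
        print("FINDING:", f)
```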
Of course, tight restrictions can’t be instituted for every possible human access permutation and log-in instance. Then, cybersecurity comes down to everyone’s awareness, ethics and willful intent to abide by the policies — the “squishy” part, as Chandler calls it. That’s where our pride in our people and our careful curation of our industry-leading team comes in.
At the end of the day, this is just scratching the surface of everything that a robust cybersecurity and physical security strategy should be in the data center. But if there’s one takeaway here, it’s this: Cybersecurity is not complete unless it works together with physical security. That’s what Cybersecurity Month fails to mention.
It’s this philosophy that pushes us to put together threat/risk scenarios that encompass both cyber and physical security protocols, and to do more in-depth pen tests than others in our industry — and it’s what earns us praise from our security auditors. It’s also what makes our customers feel secure when faced with the annual influx of cybersecurity fear-mongering.
We’ll just say this: We’re here if you want to ditch the fear and benefit from IT protection that goes beyond a month-long awareness campaign.
To learn more, check out our other recent compliance blog.