When protecting data, who trusts who?
Organisations and governments are under intense pressure to create and maintain trust around data.
In a world where data is growing at a rate of 2.5 quintillion bytes every day (a quintillion is 1 followed by 18 zeros), or 2.5 exabytes if you prefer, consumers and businesses have a stake in the trust that underpins everything. What’s more, they don’t care who’s at fault if there’s a breach, a failure or a cyber attack. At tax time, if a government’s website is unavailable, businesses will be affected and consumers will be frustrated or angry. At sale time, if a retailer’s website is struggling to process orders, consumers will go elsewhere. In both scenarios, the consumers vote with their feet and voice their opinions on social media.
McKinsey makes the point that, with digital advertising set to top $300 billion, companies are responsible for managing the data they collect. Data centres, therefore, play an important role in the management of trust around data, as part of a much larger ‘ecosystem of trust’. Anchored on the management of physical and logical security of a data centre and its associated infrastructure, this trust is fundamentally built on a symbiotic relationship between client and data centre service provider.
Though there are lines of demarcation, this trust needs to be built and earned on a foundation of services and expertise that the data centre operator takes accountability for, and which stacks up when independently verified.
Behind that sits a complete portfolio of commitments around expertise, investment, infrastructure designed to fulfil the obligations demanded by the clients, and a focus by both sides of this client-vendor relationship on the ultimate objective of the client organisation: to provide great customer service that is secure, underpinning the vision statement of the clients.
Defining extended security.
In practice, this is like a complex machine with a multitude of moving parts. Understanding how those parts mesh, complement each other and work together to meet these commercial objectives is an important part of the ‘ecosystem of trust’.
Understanding where the data access points sit within the physical data centre, and who is responsible for them, sits within a much bigger data security conversation. There are differences between physical data centre security, cyber risk management, risk or attack mitigation, security, network access, hacking, a rogue employee or a premeditated attack.
The data centre is (depending on where the threat vector comes from) a first line of defence in any colocation or outsourced services relationship. If an organisation is only ever as weak as its weakest point, it’s obviously imperative that the physical infrastructure does not become that weak point. (Think Tom Cruise in the film Mission: Impossible.)
Next sits the management of the data centre’s operations, and that responsibility sits with the data centre owner. Everything from access monitoring to ensuring that doors aren’t left ajar and that there’s sufficient diesel for the back-up generators is monitored (with of course each device generating yet more data).
Inevitably that means that, in practical terms, most threats will take the form of cyber attacks rather than individuals with sledgehammers. As such, data centre operators need to demonstrate their own accountable levels of data security, and the management of the data relating to operations. A data centre’s colo customers must be certain that firewalls are patched, that backups are ready and that points of entry into the centre are secure.
That extends to personnel. Data centres of the quality and calibre of our own require mechanical and electrical engineers and computer engineers. These experts manage and understand the implications of every aspect of the operations of complex infrastructure, including anticipating challenges before they arise.
Today’s data centres demand smart hands and smart feet.
Where data centre sovereignty plays in the trust game.
It’s an unfortunate reality that many businesses today also need to consider risks to their operations well beyond their direct control. By this, I mean the impacts and downstream consequences of attacks on data or online infrastructure driven either by geopolitical motives or activists.
Data centre operators obviously have a huge part to play here in protecting data and infrastructure at the level of the primary threat. If government agencies are disrupted from ensuring that open and fair information is shared with their citizens, businesses can also suffer as a result of misinformation.
The ability to keep those government operations, and the data within them, secure and online is therefore essential for this flow-on effect, as well as for the direct benefit of the governments using those centres. This is where data centre sovereignty comes into play, defined as maintaining authority and control of data within jurisdictional boundaries. In practice, this means that data “at rest” or “in transit” should not leave Australian jurisdictions without the express permission of the owner or custodian of that data. What’s more, the infrastructure needed to support sovereign data must also be sovereign. Of course, businesses sharing the same sovereign infrastructure being used by government departments will benefit directly from those very high levels of service and security, giving them access to markets that would otherwise not be addressable.
Commercial infrastructure hijacking.
There are other implications as well. Imagine a streaming service that is a major supplier to a global sporting event, and that the event organisers have sold millions of dollars’ worth of broadcast advertising to serve to subscribers to that service. Now imagine that a group of activists or a foreign government attempts to take down that streaming service for its own reasons. The commercial aspirations and objectives of the sponsors and advertisers have been disrupted, alongside those of the organisers. Products, services and brands can’t be seen on event broadcasts, or in ad breaks. Business revenues are affected by the operations of distant third parties.
The ‘data centre trust ecosystem’ is, therefore, subtle and complex. Data centres represent the most tangible aspect of what is in reality a very large, extended chain of interconnected responsibilities.
At the same time, in a distributed world with entire businesses operating in the cloud and with organisations now running hybrid workspaces, devices are often the first point of access to disrupt operations or steal data. No matter how distributed, all roads lead back to data centres.
In any data centre operation, defining security and success is of course based on commercial contracts, KPIs and SLAs.
But in my view, these are built on foundations of trust, in which the data centre operator, the colo clients, and their customers, are all represented.
Threading through everything is the culture of the colo partner. It really is the DNA of the organisation, and more importantly how it delivers on the tangible aspect of data centre operations, and the intangible attributes of trust.
Having a culture that places the customer at the centre of the entire operation, so that the colo partner shares in the customer’s successes and risks, breeds operational success and builds an environment for excellence.
For customer organisations, there is only one question to consider, which is whether you can truly say that your data centre partner today is your trusted partner.