Interview with DCSA Lead Auditor Gerd Simon
Given the strategic value of data centers to digital transformation, it is important for data center operators to have a very clear view of the risks they face – ranging from DDoS to the GDPR – according to Gerd Simon, Independent Consultant and Lead Auditor for the eco Datacenter Star Audit.
The changing face of data center risk assessment
The understanding of data center risks has changed massively over the past few years, moving towards looking more into operational issues rather than construction issues. This is the case throughout Europe. Data centers are becoming an essential part of an integrated digital infrastructure. This development is not simply a result of 5G, IoT, or Industry 4.0: Data centers have become the point where the real world connects with the digital world. Given the strategic value of data centers to digital transformation, it is important for data center operators to have a very clear view of the risks they face – be they physical, digital, financial, or regulatory; accidental, coincidental, or malicious.
Of course, there are differences in the risk assessment for different data center business models. If you are a colocation provider, your risk profile will be different from that of a hosting provider. Whether you're a mass hosting provider, a managed hosting provider, or a cloud provider, you tend to work much more on operational risks, and it is essential to also watch out for your ICT administrative and process-related risks.
It is all about processes: even simple administrative errors, for example, can have a strong impact on availability in a data center, not to mention processes for ensuring consistent supervision and maintenance of technical equipment. Added to this, there are the overall financial risks that impact your capex and opex.
Certainly, data center operators can do many things themselves to mitigate risks to their business continuity.
Apart from ensuring redundancy in supply and connectivity, this also includes excellence in management, and ensuring that your teams are well-trained in all aspects of operation and emergency management, for example.
Processes as a critical resource in data center operation
But the data center environment is an ecosystem where other actors can also pose a risk to you. If you build a data center, you may consider that it will simply run like a well-oiled machine. However, a data center is more than that. It’s a living, vibrant ecosystem, and this means that the processes and the individuals involved in operating the data center are an absolutely critical resource. No matter whether we’re talking about a supplier or a customer; all parties play a role in the health and well-being of a data center, in the mitigation or escalation of risk. It's all about processes, and these need to be harmonized with your suppliers and your customers. It's about the training of the employees, and it's about how you get into the data center – not only physically, but also via the connectivity.
Data center risks – from cyber crime to reputation
Actually, the risks have changed in recent years. These days you see many more risks coming from DDoS and social engineering attacks than from someone breaking and entering a data center through a wall or a door. And of course, when it comes to risks like DDoS attacks, data center operators generally cannot do everything themselves. Most probably, you will need partners that operate software solutions. You need partners that have the ability to push your data stream somewhere else – like blackholing. But you also need cloud connectivity and cloud infrastructures to perform a digital sleight of hand, giving the attacker the impression that they are still in the real network that they broke into. You also need software tools like cyber traps, and methods for ascertaining where the attacker is coming from.
The GDPR for data centers: DC operators have to take care of the personal data they store for their employees, their suppliers, and their customers, and of all the applications that use this personal data.
And we shouldn’t forget the often underestimated communication risks. In case of a major failure, the DC operator should have ready-made plans to use, covering all aspects of how to handle various likely or less likely failures – not only on the technical level but, even more importantly, on how to explain and communicate the incident to all stakeholders – your customers and, of course, the media. Most of the damage produced by a major DC outage is not of a technical nature. Technical damage can usually be healed within hours, days, or at the worst some weeks. The damage to a provider's image of reliability, however, can last for years and cost millions in marketing investment to help people forget what was caused by poor communication of an incident.
The eco Datacenter Star Audit (DCSA): risk assessment for data center operations
Risk assessment is set to become a major focus in the new version of the eco Datacenter Star Audit (DCSA), which will be introduced later in 2018. The eco DCSA certification program, which last year was the subject of a dotmagazine interview with eco's Roland Broch, certifies data centers on a range of aspects that are essential to ensure reliability and availability. With this in mind, the eco DCSA looks at the influence of processes and personnel – the organizational aspects – much more than the influence of design. Certainly, design is important, but for mitigating risks, organization, processes, and the people working and living in data centers are much more important – and connectivity is vastly more important.
To do justice to the changing needs for connectivity in data centers, the new version of the DCSA will also enable the certification of data center clusters. We recognize and value the fact that many operators have small modules, of less than a megawatt, but have several of them distributed over a metropolitan area. It is similar in concept to a campus, but the modules are spatially separated. The set operates as a cluster in which the data centers at the different locations are populated together as one whole.
The DCSA assesses the availability of organizational responsiveness, the reaction time and professionalism in dealing with issues, the training, and the way companies live their processes. The audit and assessment are in accordance with best practices and references, and are one way for data center operators to really get to grips with the risks they face in their ecosystems.
Security measures need to be worked on at all levels
When it comes down to it, what we’re really talking about with data center risk assessment is having a safety belt. This is where the GDPR kicks in, for example, and it is why harmonization is important. Data center operators need to integrate their customers and suppliers into their daily processes. They need to understand and live those processes, and train their staff effectively. And then they have to protect everyone against attacks. This will be a very important factor for the future – security measures need to be worked on at all levels, not just on the physical one. Because the simple truth is that the data stored and analyzed in data centers is becoming an increasingly critical component of our society and our economy – and we need to ensure its protection by preparing effectively to face whatever comes.