Data Centres North Data Centre Security is the tail wagging the dog? May

Transcription

1 Data Centres North Data Centre Security is the tail wagging the dog? May Mark Bailey - Partner charlesrussellspeechlys.com

2 Introduction Why do data centres exist? process data? protect data? Is data security actually (primarily) the customer s responsibility? Does the answer change when operators move beyond pure colocation? Are we going too far on security? Emerging issues Critical national infrastructure There is only one cure for grey hair. It was invented by a Frenchman. It is called the guillotine. Data centres as utilities (eg Insolvency (Protection of Essential Supplies) Order 2015 s233 Insolvency Act 1986) May

3 What is Data Centre security? Build the walls higher prescriptive Design around threats not prescriptive? Physical Security Location Security gates/perimeter Fences (planning NB) intelligent perimeter Access controls Video Surveillance/Video content analysis Computer rooms Facilities Disaster Recovery Business continuity Information Security Cloud standards ISO/IEC 27018:2014 (ETSI/ENISA) encryption Public vs. private vs. hybrid Risk of overlapping customer standards Government classifications Cloud security principles (Cabinet Office) Personnel Security Staff screening Staff monitoring Staff training Contractor reliability standard of conduct vs. supervised/accompanied access Visitor reliability access logs Cyber Security All of the above but new dimensions Cyber insurance? Risk of overlapping customer standards Schemes: Cyber Essentials/Cyber Essentials Plus Threats IT: malware, viruses, trojan horses, hacking, spam Physical: intruders, theft, sabotage, uncontrolled access Personnel: insider contractor, disgruntled employees, criminal spies, social engineering, password cracking May

4 Data Centre Security A few provocative questions/thoughts The supplier doesn t care what the data is, or what sector its customer is in You don t need much physical security if the data is encrypted Physical location is irrelevant Data security is the customer s responsibility It s better to outsource to a specialist data centre than host and manage internally There are data safe havens Can someone clever design something secure no law enforcement authority could crack it? Data is already compromised get over it May

5 Data Centre Security Why does the IT service provider get it in the neck? A recent example Regulator REGULATED FIRM Bank A Bank B Bank C It may not matter who is actually responsible - who gets the blame? Our experience is that the managed services provider/infrastructure provider often gets the blame (even if it is not liable) Data Centre Colocation Provider Unregulated Mobile Provider Cloud Infrastructure as a Service Data Centre Colocation Provider 5

6 Information Society Services Data Centre Security legislative complexity Market Operators Information Service Providers Ecommerce Internet payment gateways Social networks Search engines Cloud App stores DATA Control Infrastructure Banking/Stock exchange Energy Transport Health Public administrations Data Protection Directive 95/46/EC General Data Protection Regulation NIS Directive 2013/27/EC Mandatory breach rules E-privacy Directive 2002/58/EC Regulation of Investigatory Powers Act 2000 energy/ environment ISP s TELECOMMUNICATIONS Framework Directive 2009/140/EC Data Retention and Investigatory Powers Act 2014 CRITICAL INFRASTRUCTURE European Critical Infrastructure Directive 2008/114/EC May

7 Whose job is security Too many cooks? Professionals Data Centre Legal Applications Audit (Internal/external) IT Operating Systems IT Security Infosec IT hardware Compliance M&E Physical layer Quality assessors Facilities Management The board property Power The most profitable investments as evidenced by the lower cost of data breach are the appointment of a CISO with enterprise wide responsibility and the engagement of external consultants How does this impact the data centre which side of the fence is the CISO on? Source: 2011 Cost of Data Breach Study: UK (Ponemon Institute) May 2015

8 What drives security? Compliance for the sake of compliance or real compliance? Standards Government/ regulator pressure Customer Pressure (and their customers) Law Contract Supplier competitive advantage innovation May

9 Data Centre Security Data centres Where do the risks arise? Full Outsourcing SaaS Access to data PaaS Public vs Private Multitenant IaaS and sub layers Access to data? Is data encrypted Smart/remote hands Access to data? Is data encrypted Telecoms network ISP Mere conduit (ecommerce regulations) Dedicated hosting Colocation DCIM? SCADA BMS PCI DSS (principles 9 & 12) May

10 Contractual considerations A need for transparency Tell the customer what you are responsible for and what you are not responsible for Data Centre Security Contractual considerations Good up front due diligence Physical visit Policies and procedures compliance driven? Evaluation vs negotiation Information Security Plan Maintaining Certifications Penetration testing loss of data liability is supplier guaranteeing data security what is loss of data? Unlimited liability (for loss of data, breach of confidentiality, data protection fines) Attempts to get more than you pay for a standard commodity service allocating liability Procurement/lawyers not understanding the service Entrusting the wrong data/wrong services to third parties May

11 Contractual Considerations A need for transparency The legal contract The key tool for governance including details on charges, terms and termination, risk and liability Service desk This will manage the ticketing, helpdesk and service incident reporting Risk register There may be other documents which record assumptions around risk Operations Manual The key operation document recalling services/functions business will perform. It records how services are performed in practice and remains a live document rather than a schedule of the legal agreement Service methodology Documentation will be supported by service methodology eg ITIL or Prince 2 for project methodology, these require their own documentation Certifications The business will almost certainly have ISO certification and possibly ISO 9000series certification for its document management Change control Used for all operational moves/adds and any changes short of legal changes to the agreement (governed by variation agreement) 14 April

12 Data Protection Where does risk begin and end in terms of responsibility for data? Encryption positions not Processor: no possession custody or control of data Processor: Data Protection Directive 95/46/EC NB encryption not mentioned in the Regulation draft text Justice & Home Affairs Committee (Council of Ministers) Luxembourg meeting Winter 2014: no duty to notify if data is unintelligible to any person not authorised to access it (?need for prior Data Protection Impact Assessment (DPIA)) Processing shall mean any operations which is performed upon personal data, whether or not by automatic means, such as: collection recording organisation [structuring] storage adaption or alteration retrieval consultation use disclosure by transmission, classification or otherwise making available alignment or combination blocking erasure or destruction personal data any information relating to a data subject May

13 Data Centre Security Key Risks IT Supply Chain What happens if a managed IT service goes wrong? Typically the service just fails and is not available/ service performance is adversely affected Failures cannot be rectified by having stocks of components or using up existing capacity Product recall does not apply as there are no goods to recall; the ability to transact the affected function or business just stops unless there are appropriate business continuity or disaster recovery plans in place which actually respond - Strong focus on business continuity arrangements Other service providers e.g. telco Typical Managed Services/IT Supply Chain Customer s users / clients Customer Service Provider Software/ managed service provider Data centre / host 13 Typical automotive supply chain Manufacturer Subassembly supplier Component manufacturer Raw materials What happens if an automotive supply chain goes wrong? Supply chain issues are covered by product warranty repair or replace product liability in certain sectors e.g. automotive are strictly controlled by industry specific quality standards and processes product recall provisions are common to control defects in issued products

14 Data Centre Security Sector specific approach a way forward? Financial services Retail Government FCA Handbook SYSC8 PCI DSS v3.0 G Cloud Staff screening in financial services Point of sale security (Essential Supplies Order) New government security levels classification (April 2014) OFFICIAL SECRET TOP SECRET ESMA guidelines Cyber Essentials/Cyber Essentials Plus Dear Chairman letters PSTN Fujitsu report Financial services at a stand still in the adoption of technologies the mobile, cloud and big data Cloud Security Principles 14 August 2014 Connecting for Health A need for transparency tell the customer what you are responsible for and what you are not responsible for May

15 charlesrussellspeechlys.com Charles Russell Speechlys LLP is a limited liability partnership registered in England and Wales, registered number OC311850, and is authorised and regulated by the Solicitors Regulation Authority. Charles Russell Speechlys LLP is also licensed by the Qatar Financial Centre Authority in respect of its branch office in Doha. Any reference to a partner in relation to Charles Russell Speechlys LLP is to a member of Charles Russell Speechlys LLP or an employee with equivalent standing and qualifications. A list of members and of non-members who are described as partners, is available for inspection at the registered office, 5 Fleet Place, London. EC4M 7RD.