Assessing the threat and vulnerability risk for data centres

Unfortunately, operators of older data centres may find it a challenge to protect their facilities against vehicular ramming attacks and bomb threats.

Assessing the threat and vulnerability risk for data centres in Singapore

 

Setting up a new data centre, or in the midst of selecting a suitable hosting provider in Singapore? One term that you are likely to come across would be the Technology Risk Management Guidelines published by the Monetary Authority of Singapore (MAS). Already the de facto standard for financial institutions (FI) here, the guidelines make ample sense even for non-FIs and enterprises when one considers the vital importance of business continuity and the fluid security situation in our world today.

Specifically, the guidelines are comprehensive and cover areas such as system availability and recoverability, security and even the robustness of physical data centre infrastructure. The latter is addressed in a section on data centre protection and control, and suggests the use of a threat and vulnerability risk assessment (TVRA) to identify potential security threats and operational weaknesses in a data centre.

It is hence no wonder that an increasing number of data centres in Singapore now claim that they satisfy “TVRA” requirements. But what does it really mean? We take a closer look at the TVRA specifications, and highlight why some data centres may not actually be fully compliant due to existing limitations that are not easily rectifiable.

So what exactly is TVRA?

“The purpose of a threat and vulnerability risk assessment is to identify security threats to and operational weaknesses in a [data centre] in order to determine the level and type of protection that should be established to safeguard it,” says MAS in the Technology Risk Management Guidelines document.

Obviously, an assessment of the vulnerabilities will vary based on a number of factors including the criticality of the data centre, geographical location, whether the data centre is multi-tenanted – and the type of tenants occupying the facility if the answer is yes.

Examples of threats here could range from theft, explosives and arson to unauthorised entry, external attacks and insider sabotage. As recommended by MAS, any attempt to improve the threat and vulnerability posture of a data centre as outlined above would necessarily include a review of the data centre building, its internal facilities, perimeter and the surrounding environment, among others.

While the inclusion of these factors may seem surprising, recent experiences with terrorism have taught us that bomb blasts and other physical threats are no longer hypothetical scenarios for data centre planners. If anything, the ability to resist attempts at deliberate destruction and mayhem should arguably be high up on the list of “must-have” capabilities.

Here’s what you may not know

Unfortunately, operators of older data centres may find it a challenge to protect their facilities against vehicular ramming attacks and bomb threats. This may be due to the fact that they are often located within industrial complexes that were designed and built at a time when such attacks were not serious considerations, or may be located within a building with an internal car park.

These scenarios preclude them from installing strong anti-ram fencing and barriers designed to stop even large vehicles in their tracks, or create an inherent weakness that makes it next to impossible to remove the risk of vehicular bombs being detonated from within the building.

And unknown to many, the challenge of acquiring land in Singapore means that a substantial number of data centre operators here also operate within compounds that are managed by industry park operators. As independent entities, these park operators typically have rules against the building of separate perimeter fencing, or limit it to low fences that may not be able to keep out determined intruders.

The situation is changing, of course, and all new data centre developments are now designed and built with these threats firmly in mind, including Singtel’s own KC1 and KC2 data centres. Still, you may want to check with your data centre operator the extent of their compliance with MAS’s TVRA guidelines.

Finally, the continued emphasis on security means that threat detection and prevention on the network in the near future will likely become a necessity, not a luxury. Is your hybrid network set up to do this, however?