Defending datacentres

The world’s biggest financial institutions rely heavily on their datacentres, which makes securing them from physical threats more critical than ever

The Swedish suburban town of Upplands Väsby, north of Stockholm, became the epicentre of an incident that shut down seven stock exchanges for several hours and caused frustration among traders.

The incident in April 2018 took place at a Digiplex datacentre, specialising in high-​frequency trading where Nasdaq Nordic, the operator of stock exchanges across the Nordic and Baltic states, moved its operations in 2015.

The root cause seemed minor on the face of it: the accidental triggering of the building’s gas-​based fire suppression system. But it emitted a noise so loud that it destroyed Nasdaq’s disk drives and took its systems offline.

If there is any solace for Nasdaq, it’s that the outage happened on a quiet day for trading. However, it underscores just how easily even a small event at a datacentre can lead to big problems for financial institutions.

Security is so tight that many datacentres resemble high-​security military installations

During the past decade, financial institutions have increasingly turned to outsourced datacentre providers to cut complexity and reduce costs. But doing so means entrusting a third party to provide a seamless service.

Eleni Coldrey, Europe, Middle East and Africa (EMEA) lead for innovation in financial services at Equinix, says given that jitters in the financial services sector ultimately result in headline news that can cause reputational damage, companies are putting a great deal of pressure on datacentre providers to ensure continuity of service.

Similarly, Chris Huggett, senior vice president for EMEA and India at Sungard Availability Services, a datacentre operator, says financial institutions understandably have more rigorous protocols they need to follow.

“They come to us with different requirements because of the nature of the data they hold on their clients and the reputational risk they face if something goes wrong,” says Mr Huggett.

Indeed, the needs of financial institutions often exceed the already strict environment provided by a datacentre, says Darren Watkins, managing director at Virtus, a datacentre provider.

“We provide seven layers of security, which is like peeling an onion,” he says, noting that financial companies often add levels of security to their datacentres, such as caging their equipment, in response to regulations such as MiFID II, the amended European Union Markets in Financial Instruments Directive.

To say datacentres place a great deal of emphasis on securing their buildings from potential threats would be an understatement. Security is so tight that many datacentres resemble high-​security military installations.

Mr Huggett says buildings are secured from both internal and external threats on five basic levels: asset, room, building, perimeter and landscape. At an internal level, everything from the individual assets, such as a company’s servers and hard drives, to each room within the building are made as secure as possible.

External security devices include CCTV cameras, security patrols, perimeter fences and landscaped buffer zones to make them less prone to unauthorised physical entry. Some companies take things to an even higher level. For instance, in the Netherlands, a datacentre operated by Equinix is surrounded by a moat rather than barbed wire fences or other standard security measures.

Most datacentres have multiple accreditations that cover environmental, power management and information security standards, such as ISO 27001. In addition, they have strict data protection processes in place to ensure staff and visitors do not have access to any of their clients’ systems.

Perhaps because of these measures, most of the incidents that datacentres experience seem mundane in nature. “The majority of downtime is usually the result of accidental activity,” says Mr Huggett. “The biggest threats are those simple failures, which are human issues or technical issues.”

So while the risk of fire, power failures and even floods are front of mind, the real risk is people, says Dominic Phillips, managing director of Datum Datacentres.

“It’s people trying to scam their way in to the building,” says Mr Phillips. “Just like cyber-​threats and phishing, for datacentre owners the biggest threat is the guy who turns up and tries to gain access.”

For this reason, security protocols in most datacentres are strict and use biometric technology, such as retina scanners, to ensure only approved personnel can gain entry. “It’s not unusual for customers to get turned away,” says Ms Coldrey, who adds that even an employee at her company was once refused entry because they were not registered to gain access to a specific site.

While datacentres are responsible for ensuring the integrity of a building, ultimately it’s the financial institutions that bear the regulatory and legal responsibility associated with the integrity of their systems and data.

“The liability for our services begins and ends with the services we provide,” says Mr Watkins. “We provide the bricks and mortar for the financial services companies to use and to link through.”

Financial institutions must have recovery measures in place to protect against a system failure. In fact, financial institutions can face hefty fines from regulators if they don’t have recovery measures. From purely a data protection perspective, stolen or compromised data can be costly.

Just like cyber-​threats and phishing, for datacentre owners the biggest threat is the guy who turns up and tries to gain access

Dominic Phillips, Datum Datacentres

“Financial services companies are custodians of highly confidential customer information, so breaches are likely to have serious reputational consequences,” says Michael Hatchwell, partner at Child & Child, Globalaw. “Under GDPR [General Data Protection Regulation], companies can be fined any amount ranging from 2 to 4 per cent of their annual global turnover.”

Case in point, in 2017, RSA received a £150,000 fine from the UK Information Commissioner’s Office after a storage device containing data for around 60,000 Lloyd’s Banking Group customers went missing. It was believed an employee or contractor was responsible.

A possible solution to the physical vulnerabilities of individual datacentres is the cloud. “We’re working in a world where the smallest thing can have an impact, especially when you have a lot of data in one centre,” says David Smetana, managing director and co-​founder of Chalkline. “You’re looking at a pretty catastrophic event that will wipe out the cloud.”