Introduction
In this piece we look at the exponential growth in data centers following the rapid transformation in the global digital landscape. We lift the veil on these mission critical facilities and the protective measures that help insure they remain protected from both external and internal threat actors. Finally, we look at the benefits of partnering with an expert international risk management consultancy to provide independent assurance throughout the facility lifecycle, from threat and vulnerability assessment, security concepts and equipment standards, all the way through on-site audits and staff and vendor screening.
Reshaping the Digital Landscape
Over the past five years, data centers have transformed the digital landscape, reshaping how data is processed, stored, and delivered. Driving this growth is the fact that now over half of enterprise workloads have now migrated to the cloud, up from just 20% in 2019. In tandem, the explosive use of generative AI and machine learning has significantly increased the demand for computing power.
The United States remains the dominant player, hosting over half of global data center capacity. McKinsey & Co. estimates that this capacity will increase from approximately 17 gigawatts (GW) in 2022 to an anticipated 35 GW by 2030.
Globally, the trajectory is equally strong with Goldman Sachs forecasting an 165% increase in global data center power demand by 2030 and noting the “breadth of investment opportunities” for hyper-scalers, asset managers, utilities and data center operators.
Size Matters
To be classified as hyperscale, a data center would typically house a minimum of 5,000 racks and have a floorplate exceeding 10,000 sq/ft. And that would be a small one. In the world of hyperscale data centers, 1 million sq/ft is not uncommon. The largest hyperscale data center in the world is the China Telecom-Inner Mongolia Information Park located in Hohhot, Inner Mongolia, China. It covers a staggering 10.7 million sq/ft and has a power capacity of 150 MW.
Facilities of this size tend to be the preserve of the major global internet companies such as Amazon Web Services, Tencent, Microsoft and Google. They are typically constructed from the ground-up based on the specific requirements of the company and are designed for single-occupancy. Companies that have a requirement for data processing at scale but are not ready to make the size of investment required to build or lease a facility for their proprietary use may consider the long-term leasing of space in a colocation data center – or COLO – an increasing number of which are themselves hyperscale. As the name suggests, COLO facilities are constructed and managed by third parties with floor plates leased to multiple tenant occupiers.
The Anonymous Fortress
In the U.S., the largest concentration of data centers is in Northern Virginia or NOVA. Residents commuting to work in nearby Washington DC may well drive past these facilities every day without paying them much attention at all. And that’s the point – these are not statements of architectural wonder, they are functional, anonymous and often quite isolated.
That anonymity belies levels of protective security that often rival that afforded to key government installations. And no small wonder – these facilities and the data they house are integral to digital socio-economic stability. To work effectively, protective security must be layered so that failure in one or more layers does not in itself compromise the assets being protected.
The outermost layer of defense is the physical perimeter, and facilities are often surrounded by high-security fencing, reinforced walls, or other physical barriers designed to deter intrusion. Surveillance cameras equipped with motion detection and night vision capabilities are typically installed to monitor the perimeter continuously. In addition, vehicle barriers such as retractable bollards and crash-rated gates are used to prevent unauthorized vehicular access.
Entry is tightly regulated using advanced access control systems. These systems often incorporate multiple layers of verification, including:
- Key card or badge access
- Biometric authentication (fingerprint, iris, or facial recognition)
- Mantraps or single-entry systems
Access should always be granted on a ‘least privilege’ basis with personnel only allowed into areas commensurate with their job function. Ideally this should be reinforced by the designation of security zones with physical segregation between zones to prevent unauthorized access.
CCTV systems provide continuous surveillance across all areas, including perimeter zones, entrances, server rooms, and critical infrastructure points. The latest systems incorporate AI and analytics to detect unusual behavior or movement patterns. Similarly, intrusion detection systems detect and respond to breaches in real time with alerts immediately investigated by security teams or even triggering automated lockdown procedures in certain cases.
Strength in Partnership
Working with the right risk management consultancy is crucial for international investors seeking to start or expand their global data center portfolio, or for multi-nationals seeking to demonstrate compliance with regulatory requirements for the physical security over the data they hold. These are some of the factors we think are important:
Global reach and local knowledge
The right balance of global experience and on-the-ground expertise is an important differentiator. Knowing country, regional or city threat vectors at a granular level is key to ensuring data center risk controls are proportionate to the local environment. Similarly, knowing the best local equipment integrators and security guarding companies can make a real difference to project delivery timelines and operational success. And, where there is a need for multi-country compliance audits, having a security partner with the in-country assets to deliver consistently and within compressed time-periods is often paramount.
Knowing where the risks lie
Protective security barriers, equipment and systems seldom fail on their own. Even with the increasing use of AI, these controls are still human dependent. Staff at data centers often work long-hours in isolated locations, performing monotonous tasks. Auditing or red-teaming at the nexus of technological and human controls often reveals weaknesses that might not otherwise surface until it’s too late. We’ve seen cases where third-party vendors under escort in a data-hall have inadvertently removed the wrong server causing a payment system to go down all because the assigned escort was distracted. Or an organization’s ‘white-list’ of unescorted visitors being manipulated by a data center manager who had been compromised by a hostile state actor. An in-depth knowledge of global technological standards is important, but it isn’t enough – it has to be backed up by real-world credentials and experience.
Trust but always verify
This same experience tells us that when a malicious human failure occurs, it’s almost always because of insider-threat. Threats that could often have been surfaced through comprehensive initial and periodic re-vetting. Partnering with a risk management consultancy with the global reach to conduct these checks efficiently and without jurisdictional barriers is important. Whether it be deep-dive, multi-language, public source research, or sensitive and discreet interviews with well-informed local sources, verifying the status and reputation of those trusted with the operation and management of mission critical data centers should always be top of mind.
If you would like to talk in confidence to one of our experts in data center risk management, please visit our Security Services page or reach out to us. We look forward to listening.