As our recent customer survey showed, security of the data center is one of the top priorities for our customers when choosing a colocation partner. We took the opportunity to talk to our newly hired security manager, Christian Johansson. Here are his views on data center security and his new role in Green Mountain. With a background as an executive protection officer in the Police Security Service (PST), he knows a thing or two about securing high-value assets.
First of all, Christian, can you explain for the non-experts among us, why all this talk about data center security? Why is it so important?
Data centers are very valuable assets. They are a part of the critical digital infrastructure that our modern society relies on. The data that is stored and processed in a data center can be mission critical for companies or institutions. Consequently, they are also attractive targets for different types of external threats and attacks. And therefore, physical security becomes a priority.
As a colocation provider we focus on the physical security of the facility whereas the customer is responsible for the information- and cyber security aspect. In layman’s terms, we make sure no one can get unauthorized access or damage the physical facility. Whereas the customer must make sure they safeguard the server content against cyber attacks etc.
I understand. And now, a few weeks into your new position, what is your impression of the security design implemented at Green Mountain?
The short answer: I am impressed. I expected there would be mitigating measures in place to protect against unauthorized access, but I am even more impressed by the strong safety and security culture in the organization. A strong safety and security culture is just as important as the physical barriers in place!
Can you elaborate a bit on this? What is the employee’s role in securing a data center?
In Green Mountain we consider security a part of every employee’s responsibility. From the cleaning personnel to the CEO, everyone understands its importance and is very much aware of how they can contribute. It is a crucial part of the on-boarding training of all employees. In practical terms, it means that we all
- must be alert and perceptive (security awareness)
- never take shortcuts that compromise security
- remember that if we see something, we say something
An example can be the use of access cards. If you notice a person without a visible access card, you should immediately ask him or her to place it somewhere visible. Another example is tailgating through the main gate – a clear security breach that will not be tolerated.
Good to know that the whole organization is on board with this. But how do you, as the security manager, work to secure the facilities?
The foundation of a good data center security design is in the planning and organization. My most important tool is the security risk analysis. Such an analysis can be a comprehensive exercise but in short terms it is the framework I use to identify the values we protect, the threats and the vulnerabilities. It also entails setting security goals and exploring different risk scenarios. We perform this exercise both on an overall level for each DC facility as well as on the customer level.
Now that you mention the customers, are they all as concerned about security as Green Mountain is? Do they have specific requirements?
Green Mountain has a wide variety of customers, ranging from smaller rack-by-rack customers to giant multinational corporations. My experience so far is that they all put great emphasis on security, but there are of course differences in their level of expertise and requirements. The larger customers have more complex needs, but we work in close cooperation to customize the security plans to meet their requirements. When we achieve a common understanding of their security goals, we find the right measures to reduce the risk for the individual customer.
That is reassuring to know but let us say you are a smaller customer considering different colocation providers. What is your best advice on how they can determine whether a colocation facility is secure enough?
My best advice is to visit the site, bringing along your own security expert, either from within the company or a hired external specialist. This person will be able to ask the right questions and assess the level of security competence of the colocation provider.
OK, you have explained the importance of planning and risk assessment. How do you prepare the organization for an actual physical security breach?
A very important question! You can do all the planning in the world, but it is worthless unless you can verify that the measures actually work in a given scenario. We must therefore stress test our measures and train for different situations, even if they are unlikely to occur. It is my responsibility to ensure that the security personnel know exactly what to do in case of a real risk event.
Another important aspect is to have a close dialogue with different external authorities like the police, the defense authorities, and The Norwegian National Security Authority (NSM). This gives us an updated picture on the general threat level in Norway.
Your former job was to secure high-profile persons, like the Norwegian prime minister. Do you see any similarities in securing a data center?
It might seem quite different, but I can bring a lot of experience from my former job. It is all about continuous risk analysis and determining the acceptable risk level. Sometimes when guarding a politician or foreign head of state, the risk in a certain situation was regarded as too high. We then had to find other ways to reduce risk but at the same time be able to complete the mission. In this sense it is quite similar to a data center. We cannot shut down completely as there are people with valid reasons to access the site. It is all about finding the right balance between the tasks that need to be performed and the risk they pose.
As the new security manager in Green Mountain, what do you look most forward to? What will be your main focus?
As mentioned earlier, the security risk analysis is my main tool and a continuous process. It is the foundation of all the other exciting tasks at hand. I especially look forward to cooperating with customers on their specific security needs. I will also work very closely with the Emergency Preparedness & Response team on setting up exercises and making sure we are always maintaining our high security standards.
Thanks Christian! We feel very reassured that you are the right person to lead our data center security management going forward.