Data centres operating in the UK will be required to have tougher security and resilience measures to protect against potential disruption – including cyberattacks and extreme weather events – under new plans drawn up by the UK government.
A new set of laws to better protect the nation’s data would make minimum requirements mandatory to ensure data centre operators are taking appropriate steps to boost their security and resilience. It will also help protect businesses and services that rely on data centres against disruption, reducing the risk of significant incidents that would interrupt or compromise access to data they rely on.
A new regulatory function is also being considered, to make sure operators of data centre services report incidents and work with the sector to assure and test risk mitigation against threats and hazards. The move is intended to encourage better transparency of information and co-operation across industry and the government so risks to the UK can be appropriately identified and addressed.
As data centres play a crucial role in the UK economy, a significant security issue could impact the entire country, not just individual businesses, so these plans would make sure these businesses are operating in line with the greater national interest. As such, the government is also considering designating parts of the data centre sector as critical national infrastructure.
Data centres are facilities designed to store, manage and process large amounts of digital information such as business databases, customer records, website content and other critical information which is essential to how modern businesses and online services operate. The proposals come as more people use connected devices and engage in digital activities such as shopping online and social media, meaning the amount of data stored in the UK alone has risen by a significant margin – highlighting the growing demand for data storage and processing capabilities, as well as the need to protect it.
As data becomes more valuable, data centres are more at risk from incidents such as cyberthreats and extreme weather with extreme and prolonged weather interrupting our access to important data.
Around 28% of all UK businesses use services housed in data centres. Large companies, specifically those with at least 250 employees, are even more likely to use them, with 62% doing so. Data centre operators generated around £4.6 billion in revenue in 2021. In 2022, data played a significant role in the UK’s economy, contributing 6.9% to Gross Domestic Product (GDP), and 76% of all UK service exports were reliant on data. With data centre outages costing the industry billions a year, it is hoped these changes will protect against potential risks and in turn keep more money in the bank for companies while giving the public peace of mind.
This collaborative effort aims to ensure the security of the UK’s data infrastructure, combining regulations with industry insights for a strong and safe digital environment. The new framework is also expected to help fuel economic growth by making the UK a more attractive place to invest in these services as it shores up its data centre resilience.
The Data Protection and Digital Information Bill will build on this further, with the legislation improving data security, bolstering national security, and delivering new post-Brexit economic opportunities to the tune of at least £4 billion.
Michael Dugent, IoT Director, EMEA, Nozomi Networks
As data centre consolidation increases, and more organisations move applications to cloud providers, the data centre has become a high value target for increasingly sophisticated and targeted cyberattacks. In addition to attacking servers and applications directly, the data centre infrastructure has become a prime target to disrupt operations and increase the likelihood of widespread outages.
One of the biggest challenges facing administrators in securing complex data centre environments is understanding what is on the network and anticipating where any risks are. Today’s data centres use smart, connected devices that manage everything from temperature and power to surveillance systems. Along with housing their own environmental and safety systems for the operation and protection of the data centre itself (HVAC, power, UPS, monitoring and fire suppression systems), data centres also store both customers’ and organisations’ confidential data.
To exacerbate the issue, Internet of Things (IoT) devices often lack basic cybersecurity features, making them easy targets for malicious bad actors. Securing and bolstering the resilience of data storage and processing infrastructure stands as a cornerstone of national security. The National Cybersecurity Centre UK (NCSC) has taken proactive steps by crafting the Cyber Assessment Framework (CAF), a comprehensive set of security standards mandatory for numerous data centres across the UK.
Furthermore, to ensure robust security and resilience amid regulatory changes in the UK, data centres should adopt a strategic approach that aligns with the evolving landscape of cyberthreats and regulatory requirements. Given the critical role of data centres in the UK economy and the sector’s recognition as critical national infrastructure by the government, prioritising security measures is paramount.
Firstly, data centres must focus on enhancing visibility and asset management within their complex environments. Leveraging solutions for passive discovery of Operational Technology (OT) and Internet of Things (IoT) assets allows for comprehensive monitoring without disrupting critical processes. This enables data centre administrators to gain insights into all devices and traffic patterns, facilitating the rapid identification of anomalies and potential security incidents.
Secondly, integrating up-to-date threat intelligence solutions is essential. By staying informed about emerging zero-day attacks, indicators of compromise (IOCs) against IoT systems and industrial processes, malware, botnets and device vulnerabilities, data centres can proactively defend against evolving cyberthreats. This proactive stance is crucial in safeguarding sensitive data and infrastructure integrity. Additionally, conducting regular risk assessments is imperative. By assessing vulnerabilities in the environment, data centres can prioritise patch releases effectively, mitigating the most critical risks promptly.
Scalability must also be a key consideration. As data centres scale to meet enterprise demands, so does the number of potential attack surfaces. The scalability comes with greater risk of cyberattacks, therefore the solution needs to be able to scale to handle the large number of OT/IoT systems immediately and in the future.
Steven Jacques, Consulting Engineer, Juniper Networks
The key elements around regulatory and even legislative changes – as they relate to security and resilience – are the threat of greater punitive consequences and deeper requirements for threat incident reporting and response. There are multiple aspects to consider for compliance with these regulations.
Firstly, any security posture must mirror the corresponding resilience architecture. For example, if secondary or cloud-based backup data centres are used, access policies and threat mitigation systems must be identical at each site. This would typically mean common central orchestration and management systems, allowing security postures at each site to be synchronised. Security of both data at rest and data in transit must be considered – data moving between data centres must not be unnecessarily exposed to threat vectors.
Secondly, every connection should be thought of as carrying a potential threat. This means connections from corporate sites into the data centre, from data centre to data centre, between rooms in a single site, or even between virtual functions on the same host, are all candidates for security policy control and inspection. This concept underpins the Zero Trust model – security at the edge of the data centre alone is no longer sufficient.
Thirdly, data centre security designs must embrace innovation. Attackers already leverage cutting-edge technology such as Quantum Computing and AI – defenders should do likewise. AI will be increasingly central to both threat mitigation and response – consider AI models able to quickly detect zero-day malware, or the use of AI operations (AIOps) for threat forensics, which can already do tasks in seconds that a human operator may manage in hours (and may miss something important).
Finally, there should be increased emphasis on forensics and security operations. This is an important aspect of new regulations and while many data centres often have strong security mitigations in place, capabilities to analyse, respond and report on detected threats are often overlooked. AIOps can certainly help here, but this is perhaps the single area where automation is most important – operators may have vast quantities of network and threat data to examine, so automating associated processes can prevent exceeding regulatory timeframes for resolution and reporting.
Click below to share this article