[AusNOG] RISK - IT Industry - Concern Over Equipment Being Installed in Data Centre Facilities

Mark Smith markzzzsmith at gmail.com
Mon Sep 26 01:10:11 EST 2016


The risk is low. Getting access to the volume and/or types of these
materials needed to destroy a DC in the manner you're suggesting is very
hard, as access to them is very regulated and controlled.

At a whole of industry level these risks are mitigated by distribution and
diversity - by spreading resources across many DCs. Fewer DCs means a
smaller number of much more critical targets and much larger consequence of
a DC being destroyed.

For example, consider the risk of having resources spread across 14 very
large DCs that everybody has to use in 7 capital cities of Australia
compared to having the same resources spread across 121 DCs.

On 25 Sep 2016 20:48, "chrismacko80" <chrismacko80 at gmail.com> wrote:
>
> Dear Industry Colleagues,
>
> In the last week, in reflection of previous data centre tours I have
> undertaken across the country and the risks that face us all within
> the IT industry, a concern came to mind in our physical security layer
> in relation to data centre facilities. It is my understanding
> currently in Australia (and for other countries as per discussions
> with colleagues), colocated computer equipment provided by customers
> is not inspected nor scanned for any potentially damaging substances
> before being installed within data centres, by organisations providing
> these services. At times, singular servers may be extremely bulky, and
> there may also be occasions when customers provide multiple racks
> fully equipped that are positioned within the data centre without any
> closer inspection apart from basic identification checks, as per
> understanding of information provided from some of our largest data
> centres. Considering this, I feel it's a risk that we don't scan
> equipment as it is being delivered/installed, similar to airports, in
> particular when it has been delivered locally.
>
> It's my understanding as an industry we spend billions each year
> securing our data security layer within data centres, however it
> appears that even with the strictest data centre audits (including by
> government risk assessors), these have not scrutinised this risk to
> any degree. I'm not aware if the Attorney General's department nor our
> federal or state governments perform any such checks when equipment is
> being installed into their own data centre facilities. I also don't
> believe I ever saw any such risk considered under any data centre
> rating specification. As a point, what good is bullet-proof glass
> within the foyer of a data centre and specific outline of the
> construction of a goods lift, when there is a greater threat for
> potentially damaging substances to be wheeled into a data centre
> within equipment without scrutiny.
>
> I would also ask the question whether our financial market is exposed
> in any way to this risk, and whether the Australian Stock Exchange
> sufficiently scans computer equipment delivered for installation into
> its data centre facilities in particular by third party customers. I
> don't know the answer. I hope they do, if not, the question really
> needs to be asked, why not?
>
> Quoting from ASX document
> (http://www.asx.com.au/documents/professionals/alc-connectivity-guide.pdf)
> which is available on their website currently:
>
> "The Australian Liquidity Centre (ALC) is a state-of-the-art data
> centre and financial markets community located just outside Sydney’s
> CBD. It enables ASX customers to connect with each other and the
> Australian and global financial markets like never before.
>
> Offering one central location for fast, simple connection to the
> financial markets community, the ALC provides low latency connectivity
> options to domestic and global liquidity sources, ASX market data and
> all ASX markets.
>
> The ALC is designed to maximise the potential of its community. It
> houses all of ASX’s primary trading, clearing and settlement systems
> as well as providing hosting facilities for its customers which
> include buy and sell-side firms, market infrastructure and liquidity
> venues, information and technology vendors, and infrastructure and
> network service providers."
>
> I've reached out to several colleagues within the industry, who also
> agree the lack of scanning of potentially damaging substances is a
> serious concern. I'd ask that you consider your thoughts on this risk
> in regards to safeguarding our technology and investments made by all
> involved, and what you believe should be done to address this risk
> moving forward.
>
> Kind regards,
>
> Chris Macko