[AusNOG] RISK - IT Industry - Concern Over Equipment Being Installed in Data Centre Facilities

chrismacko80 chrismacko80 at gmail.com
Sun Sep 25 20:48:24 EST 2016


Dear Industry Colleagues,

In the last week, in reflection of previous data centre tours I have
undertaken across the country and the risks that face us all within
the IT industry, a concern came to mind in our physical security layer
in relation to data centre facilities. It is my understanding
currently in Australia (and for other countries as per discussions
with colleagues), colocated computer equipment provided by customers
is not inspected nor scanned for any potentially damaging substances
before being installed within data centres, by organisations providing
these services. At times, singular servers may be extremely bulky, and
there may also be occasions when customers provide multiple racks
fully equipped that are positioned within the data centre without any
closer inspection apart from basic identification checks, as per
understanding of information provided from some of our largest data
centres. Considering this, I feel it's a risk that we don't scan
equipment as it is being delivered/installed, similar to airports, in
particular when it has been delivered locally.

It's my understanding as an industry we spend billions each year
securing our data security layer within data centres, however it
appears that even with the strictest data centre audits (including by
government risk assessors), these have not scrutinised this risk to
any degree. I'm not aware if the Attorney General's department nor our
federal or state governments perform any such checks when equipment is
being installed into their own data centre facilities. I also don't
believe I ever saw any such risk considered under any data centre
rating specification. As a point, what good is bullet-proof glass
within the foyer of a data centre and specific outline of the
construction of a goods lift, when there is a greater threat for
potentially damaging substances to be wheeled into a data centre
within equipment without scrutiny?

I would also ask the question whether our financial market is exposed
in any way to this risk, and whether the Australian Stock Exchange
sufficiently scans computer equipment delivered for installation into
its data centre facilities in particular by third party customers. I
don't know the answer. I hope they do, if not, the question really
needs to be asked, why not?

Quoting from ASX document
(http://www.asx.com.au/documents/professionals/alc-connectivity-guide.pdf)
which is available on their website currently:

"The Australian Liquidity Centre (ALC) is a state-of-the-art data
centre and financial markets community located just outside Sydney’s
CBD. It enables ASX customers to connect with each other and the
Australian and global financial markets like never before.

Offering one central location for fast, simple connection to the
financial markets community, the ALC provides low latency connectivity
options to domestic and global liquidity sources, ASX market data and
all ASX markets.

The ALC is designed to maximise the potential of its community. It
houses all of ASX’s primary trading, clearing and settlement systems
as well as providing hosting facilities for its customers which
include buy and sell-side firms, market infrastructure and liquidity
venues, information and technology vendors, and infrastructure and
network service providers."

I've reached out to several colleagues within the industry, who also
agree the lack of scanning of potentially damaging substances is a
serious concern. I'd ask that you consider your thoughts on this risk
in regards to safeguarding our technology and investments made by all
involved, and what you believe should be done to address this risk
moving forward.

Kind regards,

Chris Macko

