[AusNOG] RISK - IT Industry - Concern Over Equipment Being Installed in Data Centre Facilities

chrismacko80 chrismacko80 at gmail.com
Mon Sep 26 09:34:23 EST 2016


Halo (Polish for hello) - Weird, I received Skeeve's, Mark's and
Bevan's replies via gmail, still no show for Paul's and Colin's.

Skeeve - I agree about attempting to keep it behind closed doors, but
the reality is that behind closed doors doesn't inform customers
sufficiently of the risk existing throughout the industry, nor does it
allow us the opportunity to collaborate within the IT industry to
offer a further solution in mitigating this risk to a sufficient
degree. Most SMB clients can't afford DR, and in most cases can only
afford to host from one location. Many industry experts have agreed
with me that this risk has been a ticking alarm clock, and that we
need to wake up to it. I'm aware of some countries' technical
capabilities (I've seen some interesting and very technically able
items developed by hackers/phishers/scammers that appear to be
employed by some of those countries' governments that I've seen in the
past) and would believe that they are fully aware of this exposed risk
and could use it to our disadvantage. I am serious about my concerns
as an entire industry, I want to continue in development of websites
and apps, and don't want any location I host in being affected by such
a risk.

Mark, I would agree that the risk overall is low to an individual data
centre. I would however believe that it is a high risk for the
industry overall. Are you aware of any data centres in Australia that
scan for damaging equipment - I'd like my apps hosted there if I'm
able. Are you aware of any data centres anywhere in the world that
offer this type of scanning and protection for clients?

Regarding your comment "Getting access to the volume and/or types of
these materials..... is very hard", I would not agree with you on this
point. It is possible for another group or country determined to dent
our way of life and our technology to set up a company that is
legitimate within Australia and meets with all the regulations and
controls in place, still whilst posing a potential intent to damage
and provide a risk/threat to our overall industry and way of life.
It's my understanding there are countries that protect better in this
regard by only allowing nationals to be at the helm of a company
fronted from its zones. Distribution and diversity does lower the
risk somewhat, however insufficiently in particular if there are a
group or groups of people determined to disrupt the effectiveness of
many countries and the overall technology of those countries citizens.

RE: ASX - I don't believe the ASX has 14 very large data centres, that
are spread across the 7 capital cities, and I would certainly feel
that it's absolutely necessary for our financial markets to be
protected by the scanning of equipment being installed, to safeguard
investors, in particular if they allow customers to provide their own
equipment. Does anyone know if the ASX has this type of damaging
substances scanning equipment? Does any company have any technology
that could be re-purposed for the data centre application in a cost
effective manner? I'm aware Carl Zeiss have technology in the xray
microscopy space and xray micro CT space, although I'm unsure if this
can be suited for the data centre purpose/application and whether they
can scan fully packaged boxes and racks of equipment. I've reached out
to members at Schneider Electric to see if they have any technology in
this space. I've been led to believe that our Customs (Australia) has
this type of capability, and seeing the checks at airports would mean
there are certain technologies that our Airports also use, would we be
able to re-purpose these types of technology in our data centres?

Bevan - considering your previous background in large data centres as
well as your personal investments into the public markets, I really
would feel that your response requires to be more than just "+1". :-p
 What did your data centres do to check for potentially damaging
substance/equipment? I don't believe I saw any such technology within
Pipe Networks nor NextDC, mind you I did tour two NextDC locations and
was just operating by technical specifications of Pipe Networks data
centres from other parties.

Mark, regarding your second email - Interesting video, I don't have
sound on this system, so I'll check this later on the phone. Some
interesting technologies there that I wasn't previously aware of,
thanks for sharing this.

PS - Sorry for the typos in reply to Colin's email last night, most
wouldn't know that English is my second language and I hadn't started
learning English until my first day of primary school and onwards,
still getting better at English! Thanks for your replies, it's
positive that a handful have provided their input to their thoughts on
this risk. Hopefully a few more once they've arrived at the office and
had their morning coffee.

Chris.

On Mon, Sep 26, 2016 at 12:40 AM, Mark Smith <markzzzsmith at gmail.com> wrote:
> The risk is low. Getting access to the volume and/or types of these
> materials needed to destroy a DC in the manner you're suggesting is very
> hard, as access to them is very regulated and controlled.
>
> At a whole of industry level these risks are mitigated by distribution and
> diversity - by spreading resources across many DCs. Fewer DCs means a smaller
> number of much more critical targets and much larger consequence of a DC
> being destroyed.
>
> For example, consider the risk of having resources spread across 14 very
> large DCs that everybody has to use in 7 capital cities of Australia
> compared to having the same resources spread across 121 DCs.
>
> On 25 Sep 2016 20:48, "chrismacko80" <chrismacko80 at gmail.com> wrote:
>>
>> Dear Industry Colleagues,
>>
>> In the last week, in reflection of previous data centre tours I have
>> undertaken across the country and the risks that face us all within
>> the IT industry, a concern came to mind in our physical security layer
>> in relation to data centre facilities. It is my understanding
>> currently in Australia (and for other countries as per discussions
>> with colleagues), colocated computer equipment provided by customers
>> is not inspected nor scanned for any potentially damaging substances
>> before being installed within data centres, by organisations providing
>> these services. At times, singular servers may be extremely bulky, and
>> there may also be occasions when customers provide multiple racks
>> fully equipped that are positioned within the data centre without any
>> closer inspection apart from basic identification checks, as per
>> understanding of information provided from some of our largest data
>> centres. Considering this, I feel it's a risk that we don't scan
>> equipment as it is being delivered/installed, similar to airports, in
>> particular when it has been delivered locally.
>>
>> It's my understanding as an industry we spend billions each year
>> securing our data security layer within data centres, however it
>> appears that even with the strictest data centre audits (including by
>> government risk assessors), these have not scrutinised this risk to
>> any degree. I'm not aware if the Attorney General's department nor our
>> federal or state governments perform any such checks when equipment is
>> being installed into their own data centre facilities. I also don't
>> believe I ever saw any such risk considered under any data centre
>> rating specification. As a point, what good is bullet-proof glass
>> within the foyer of a data centre and specific outline of the
>> construction of a goods lift, when there is a greater threat for
>> potentially damaging substances to be wheeled into a data centre
>> within equipment without scrutiny.
>>
>> I would also ask the question whether our financial market is exposed
>> in any way to this risk, and whether the Australian Stock Exchange
>> sufficiently scans computer equipment delivered for installation into
>> its data centre facilities in particular by third party customers. I
>> don't know the answer. I hope they do, if not, the question really
>> needs to be asked, why not?
>>
>> Quoting from ASX document
>> (http://www.asx.com.au/documents/professionals/alc-connectivity-guide.pdf)
>> which is available on their website currently;
>>
>> "The Australian Liquidity Centre (ALC) is a state-of-the-art data
>> centre and financial markets community located just outside Sydney’s
>> CBD. It enables ASX customers to connect with each other and the
>> Australian and global financial markets like never before.
>>
>> Offering one central location for fast, simple connection to the
>> financial markets community, the ALC provides low latency connectivity
>> options to domestic and global liquidity sources, ASX market data and
>> all ASX markets.
>>
>> The ALC is designed to maximise the potential of its community. It
>> houses all of ASX’s primary trading, clearing and settlement systems
>> as well as providing hosting facilities for its customers which
>> include buy and sell-side firms, market infrastructure and liquidity
>> venues, information and technology vendors, and infrastructure and
>> network service providers."
>>
>> I've reached out to several colleagues within the industry, who also
>> agree the lack of scanning of potentially damaging substances is a
>> serious concern, I'd ask that you consider your thoughts on this risk
>> in regards to safeguarding our technology and investments made by all
>> involved, and what you believe should be done to address this risk
>> moving forward.
>>
>> Kind regards,
>>
>> Chris Macko