4 Things to Consider When Writing a Data Center Security Policy

strongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

There are many things to consider and questions to ask yourself when setting up your data center. Should you host your data on-premise or in the cloud? If the data is cloud-hosted, who is responsible for security? Is it the company who owns the data, the cloud provider, or both?

The Data Center Security Policy outlines procedures and information security measures to prevent unauthorized physical access to your company’s data center(s) and the equipment within.

Here are four things to consider when writing this policy:

Where are you going to host your data center?

There are three types of data centers:

  • On-premise
  • Cloud-hosted
  • Co-located

A self-hosted model increases your costs and security requirements, while a cloud-hosted model shifts some of those responsibilities - but makes you dependent on someone else’s infrastructure. It is up to you to understand the consequences of each decision before deciding what is best for your business. In general, small businesses host their data in the cloud to reduce costs.

Who is responsible for security in the cloud?

In theory, you can delegate all security responsibilities to your cloud service provider. But theory is not the same as practice. You cannot assume cloud service providers will be responsible and treat their infrastructure issues with the kind of urgency you would. So if you require specific controls from your cloud service provider, you need to state it in your agreement with them up front.

Before finalizing this agreement, review the provider’s contract, documentation of SOC 2 certification, controls, and make sure they meet your security posture. Most cloud providers will provide a shared responsibility matrix to show where their responsibility ends and yours begins. Review this carefully - you might ultimately be responsible for some resource-intensive tasks like operating system management, system patching, and updates as well as managing access controls.

What do you need to consider if this is co-located or on-prem?

If hosting your data center on-prem, your organization is solely responsible for all aspects of information technology and security. This includes provisioning a system to control data center access, assigning appropriate access privileges to your staff and managing the security measures to protect the data center itself (access cards, 24/7 video surveillance and 24/7 security personnel). There should also be a periodic review of who has access to the data center and access logs. All terminal logins should be protected with two-factor authentication. Other things to consider include: routine maintenance, inspection and testing of hardware (and who the hardware is being supplied from), third-party monitoring, diesel generators, battery backups and fire suppression systems.

In a cloud-hosted model, the handling of some responsibilities shifts to a third party. You no longer have to worry about overseeing your own secure data centers, and can instead rely on the provider to monitor sensitive areas, control who can access systems, and protect your equipment from power failures. And while you can take some comfort in not having to worry about physical access anymore, the brunt of the standard information technology responsibilities - writing a data center policy, managing backups, applying patches, implementing change management - might still be all yours to manage.

What happens if there is a data center failure or a disaster?

Regardless of where your data center is hosted, you need to have a backup plan in the event of a disaster or a failure. First, you need to consider your data backups, and know not only where your backups are physically located, but whether you have documented and tested your Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO). If hosted on-prem, ensure IT/security staff have data center access, as well as appropriate access privileges.

Then you need to plan for a failure at one or more of your backup locations. Cloud service providers generally have an always-on guarantee, but even the biggest and best cloud providers can experience unplanned outages and disruptions. If their service goes down, yours can too, so consider high availability and redundancy when deciding if cloud-hosting is the right fit for your company. For co-located/on-prem data centers, you might consider having a second data center for backup, but that will double your costs and responsibilities.

Regardless of where you host your infrastructure, the data center security policy is paramount. It defines and assigns the responsibilities between your organization and any cloud services providers you use, and sets expectations for who will do what in case of a disaster. Be sure these duties are agreed upon clearly before you sign contracts with any vendors; your careful planning ahead of time will save you stress, money - and potentially your reputation - when a data center emergency arises.


About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.

logo
💙 this post?
Then get all that strongDM goodness, right in your inbox.

You May Also Like

Automating access to cloud environments
Managing Access to Ephemeral Infrastructure At Scale
Managing a static fleet of strongDM servers is dead simple. You create the server in the strongDM console, place the public key file on the box, and it’s done! This scales really well for small deployments, but as your fleet grows, the burden of manual tasks grows with it.
Illustration of an technical employee who is offboarding from their employer.
All Offboard! The 2022 Tech Staff Offboarding Checklist
Offboarding technical employees can be a complex and arduous process with a lot of moving parts. The key to successful offboarding is to have a clear understanding of what needs to be done, who does it, and how to monitor for any shenanigans from former employees.
User Provisioning: How To Automate & Manage Credentials
How We Automate User Provisioning & Keep Track of Credentials
There are a number of ways to automate user provisioning but the real challenge lies in keeping track of those credentials.
SOC 2 dashboard
What Would My SOC 2 Dashboard Look Like?
As your organization pursues your SOC 2 certification, organization is critical. ‍You will be busy actively managing dozens of ongoing daily tasks, which can bury you in minutiae. But at the same time, you need to keep your high-level compliance goals in focus in order to successfully move your certification over the finish line.
SOC 2 Audit
Everything You Need to Know About SOC 2 Audits
Whether you’re looking to achieve SOC 2 compliance, or just want to learn more about it, your Googling is bound to lead you to a wealth of articles chock full of buzzwords and acronym soup. ‍In this post, we will provide a guide with definitions, links and resources to gain a solid understanding of everything you need to know about SOC 2 audits.