Data centre directors must dread the arrival of Keith Appleyard, director of technology for American Express. Appleyard and his team are responsible for inspecting sites to ensure the physical and virtual security of the credit card company’s data, and to satisfy themselves that the centre “is not detrimental to Amex’s customers or the brand”.
It’s a job that produces “numerous horror stories”, most of which Appleyard bluntly attributes to “the stupidity of people; we see history repeat itself time and time again”.
For Appleyard, the core of the problem for any organisation that stores sensitive customer information is the obligation to protect that data. “While we’ve outsourced a lot of business processes so they are performed more efficiently, we haven’t absolved ourselves of the responsibility for data protection.”
His advice: believe nothing suppliers tell you about the high standards of their security and business continuity. Often, they are not even aware of their own shortcomings.
Many businesses, he says, talk a good security game but “don’t verify it”. That means Appleyard fails 50% of data centres before he even gets to the reception desk.
“One of the first things we look at is whether employees have photo ID on display,” he says, describing one company with 450 to 600 employees which said, “We don’t need ID – we all know each other.”
Physical security at data centres can be equally lax, he says, describing a data centre belonging to a large Japanese company he inspected that keeps a key “buried in the soil of a cheeseplant in the foyer”.
And even though they knew he was coming, a famous London retail store with its own data centre had no reception or even a visitor’s book for him to sign in and out. “My instructions were to go through a ‘no entry, staff only’ door, and go through two PIN-protected doors that had been propped open with bits of wood.”
Even high-tech security is worthless when applied in the wrong way – and is no substitute for good policies and processes.
“One French company has a three-kilometre-long infrared beam. But if you stepped over the beam the CCTV was so dark and burned out that it was impossible to see whether a person had two arms and legs,” Appleyard says. A data centre of a major US bank boasted 19 CCTV cameras – 12 of which were out of order. “In one place I asked to see the CCTV control, but they said it was locked in the managing director’s office and he was away. He was using it for monitoring staff.”
At a Bangalore data centre belonging to “one of the top five Indian IT companies”, a high-tech electronic lock on the server room was fitted on the wrong side of the door: “You could get in with a Philips screwdriver.”
Appleyard says Indian companies also struggle with the cultural issue of access control being given on the basis of role rather than rank. “Senior managers cannot cope with the idea that lower-ranked members of staff have access to something they don’t,” he says.
Despite the high-tech environments Appleyard monitors, he says even basic workplace safety practices are often ignored: “I’m amazed at how many organisations break basic fire-safety regulations. A UK service provider in south London had no fire alarm, no smoke detectors and no extinguishers, which showed a disgraceful lack of respect for its 39 employees.”
Not on the runway
Disaster recovery and business continuity is another area that many data centres fail to research properly, Appleyard relates. He describes a UK data centre 10 miles from a major oil refinery that keeps its backup site less than five miles from the refinery, and a major transatlantic airline that stores its backups “in a shed next to the runway”.
However, he admits that Amex found flaws even in its own recovery plans following 9/11: “Amex had a small data centre [near the World Trade Center] destroyed in 9/11. We didn’t know that while we were on the third floor underground, on the sixth floor underground were 200,000 litres of diesel. There was a shot from 9/11 on YouTube of something going up like a rocket – we think it was one of our CPUs.”
Following the attacks, he says, Amex didn’t expect to have a long delay in getting access, “but staff weren’t allowed back into the company’s New York HQ until six months later”.