The unique challenges of securing data centers – “Enterprise risk management and partnerships are critical to our approach” – IFSEC Global

James Moore

“There is a forecast that in two years 30% of the world’s energy will be consumed by data centers”

As George Dionisopoulos, Head of Security at Australian data center provider NEXTDC, says, there is little doubt that the data center market is seeing significant growth in line with the development of cloud-based services. There is also an awareness that data centers are now an integral part of a country’s critical national infrastructure – whether officially recognized or not – and only high quality security solutions and risk management strategies are sufficient.

IFSEC Global was fortunate to sit down with George along with Adam Savage from Barkers Fencing at IFSEC International in May to learn more about the unique challenges that come with securing such facilities and why partnerships are critical to an organizational security strategy.

NEXTDC is described as one of Australia’s largest and most reliable data center providers, with data centers in Brisbane, Canberra, Sydney, Melbourne, Perth, Darwin and Adelaide. Customers include global cloud computing providers, corporations, governments and many more. George Dionisopoulos is NEXTDC’s head of security.

IFSEC Global (IG): Hi George, what is your background in the industry?

George Dionisopoulos (DG): I have over 20 years of progressive leadership experience specializing in security, compliance and risk management, and government relations, earning multiple certifications in the process. My passion for security began in construction; my professional life then shifted to project management, specifically deploying fiber optic networks at NDC (Telstra) before building AAPT’s National Backbone Network. At AAPT I was given the opportunity for the first time to lead a security and risk operations function that was transforming and taking on all layers of security including fraud and law enforcement. This initial foundation helped formulate the concept of converged security in my DNA and supported the importance of partnerships in delivering a mature security risk management program.

George Dionisopoulos, Chief of Security, NEXTDC

In my current role at NEXTDC, I am responsible for leading NEXTDC’s security risk and compliance initiatives and effective security risk management practices, from strategy to operations. This is achieved through close collaboration with key stakeholders, external partners and business units.

I have worked to embed a security risk management culture into the design, construction, support and operations of NEXTDC. My responsibilities also include the ability to lead security risk management to enable it to operate in accordance with applicable policies and procedures, manuals and guidelines to ensure the physical integrity and security of all NEXTDC data center facilities are maintained. Key to this is collaborating with the relevant authorities, government departments and colleagues, not only in the data center environment, but in all critical infrastructure environments.

IG: How important do you think it is for physical and cyber to work together and communicate – and how does NEXTDC do that?

DG: My overall responsibility is NEXTDC’s broader security portfolio, which encompasses all facets of security. That being said, however, we have a dedicated cyber group with staff employed with the right skills and mindset to stay ahead of us, who report directly to the CIO and are the experts I refer to for support in this area.

Because cyber risk has evolved so rapidly, the broader security portfolio can be undermined a bit and take a back seat. For this reason, security at NEXTDC is undifferentiated and treated as a holistic program of converged security to ensure all pillars of security are part of the foundation of our security risk management program.

Security risk management is based on four pillars – cyber, physical, human and supply. These four pillars should make up your overall organizational risk management program and should “converge” and work together – this way it is much easier to win management over to a safety culture.

IG: What are the top challenges in protecting data centers from physical threats?

DG: All valid and consistently included threat vectors are monitored – although I’m sure many people would mention threat environments such as terrorists and criminal elements. The insider threat in particular is something we are aware of – something our security risk management program has developed to mitigate the potential threats.

In Australia, the most challenging aspect is the requirements of our local government and council regulations, which play a large part in our ability to physically secure data centers. Land is important in Australia and data centers must be located within what is considered a metropolitan area. They require us to consider aesthetics and nature, which adds a bit of complexity but also challenges how we then provide that first level of deterrence and delay.

“It’s about deploying a subtle deterrent that gives our teams the opportunity to have enough time to spot them and respond accordingly” – George Dionisopoulos, NEXTDC

At NEXTDC we use the CPTED methodology in these situations and integrate it with the broader physical environment into our electronic security management system. The installation of lighting around the facility also serves as an aid in natural surveillance as well as CCTV surveillance.

It’s about deploying a subtle deterrent that gives our teams the opportunity to have enough time to spot them and respond accordingly. Just adding stairs to a facility can help minimize space requirements. We also design the building in layers, with the high-value assets within the central layer, while increasing the entry restriction on each layer.

Adam Savage (AS): I was even lucky enough to recently visit George and three of the data centers he protects. What was really impressive was the amount of critical thinking and innovation that goes into protecting the facilities, and in my experience this has truly been the gold standard for data center protection. The sector is growing significantly – countries like Ireland, for example, are investing heavily in data centres, so a holistic approach to security is clearly a necessity.

Adam Savage, Director of Marketing and Sales, Barkers Fencing

For our part, we have assisted in the introduction of UK standards such as LPS 1175 and, through Barkers’ expertise in fencing solutions, shown how both work together in a deterrence and delay protection strategy.

IG: How important are independent standards like LPS 1175 when specifying perimeter protection products?

DG: It is very important to have a standard to base yourself on when designing your environment. At NEXTDC we actually use the LPCB LPS 1175 as a guide to hold our suppliers accountable. As the foundation of all your converged security solutions, you must have relevant policies, procedures, and guidelines in place to help your teams deploy the right security environment.

We invest heavily in building a sophisticated, multi-layered security posture and processes to ensure our customers’ critical IT infrastructure is secured and protected to the highest global standards. Just as our data centers are built to support the evolving and dynamic needs of our customers, our security protocols follow suit. For this reason, we take our certifications and attestations very seriously, knowing how important they are in support of our safety posture and culture, but equally important that our customers require them as a foundation.

Partnerships are also worth mentioning. It’s about interacting with each other and understanding each other’s environment and expertise – for example, the conversations I’ve had with Adam and the Barkers team regarding security fencing and LPS have helped me set new standards that we can implement to understand better.

AS: And we think that’s just as important as George says. Physically visiting George and the facilities he protects gave us a much better understanding of his challenges and the environment in which George and his security team operate. LPS has been an integral part of our discussions and we also understand specific solutions that are best suited to the site required.

Different data centers may require HVM (Hostile Vehicle Mitigation) and the most expensive fencing available, while others may require more targeted solutions where we would take a different approach.

IG: What role does technological innovation play in protecting the data centers you manage?

DG: Technological innovation is a critical piece of the puzzle in your security risk management program. At NEXTDC, we use analytics and the intelligence of our broader electronic security management system to provide our teams with up-to-date information about what’s going on around us. In conjunction with our two-factor authentication program, we’re always keen to explore innovative ways to manage our security risk portfolio.

AI and machine learning will play an integral role in security risk management, which requires us to understand how to integrate these into our broader portfolio and, more importantly, how they can work seamlessly together to not only provide a secure environment, but also to provide a great customer experience.
