- The U.K. joins the U.S. and several other countries that classify data centers as critical infrastructure
- This designation usually offers help from the government to thwart attacks, but also requires providers to meet baseline security benchmarks
- Analysts told Fierce that networks and applications should get similar protection
Call it VIP status if you will. With a growing role in global commerce and everyday life, data centers are finally gaining recognition as critical infrastructure. But what does that mean for the way they are built and operate?
According to analysts, though there are some commonalities, the answer can depend on the country. The U.K. last week became the latest to designate data centers as critical infrastructure. Germany also regulates IT as key infrastructure, as does the European Union through the NIS Directive and the Digital Operational Resilience Act (DORA). DORA is focused on the financial sector but includes provisions for managing third-party ICT risks.
The U.S. also classifies data centers as critical infrastructure per a National Security Memorandum signed by President Joe Biden in April, which included the IT sector as one of 16 covered by the order.
Thomas King, CTO at DE-CIX, told Fierce that from a U.K. perspective, the critical infrastructure designation generally means two things. First, it means data center operators – think hyperscalers but also players like Equinix and Digital Realty – need to demonstrate that they’ve implemented a certain level of security. That includes both physical security to protect data center facilities as well as cybersecurity.
Steven Dickens, VP and practice lead at The Futurum Group, told Fierce physical security could include ensuring campus designs have “geographic redundancy, climate resilience (e.g., flood zones, extreme temperatures), and secure locations far from potential physical threats.”
He added an “enhanced focus on backup power, cooling systems and disaster recovery will also be expected, which may lead to increased capital investment. These companies will have to reassess the siting of new facilities, considering the level of government oversight and support they can expect in certain regions.”
The critical designation also means data center operators can tap into support from the government to mitigate large-scale or ongoing attacks, King said. Indeed, CISA indicated that while private sector data center owners retain primary responsibility for protecting their assets, they can collaborate closely with the federal government via the Information Technology Sector Coordinating Council (IT SCC) and the Government Coordinating Council (IT GCC) to boost security, manage risks and develop best practices.
Dickens said that in practice, that could look like government agencies sharing intelligence and offering access to both government resources and prioritized protection during incidents.
Is it enough?
But why does any of this matter? Will it really “deter cyber criminals from targeting data centers” as the U.K. government claimed in its press release?
Perhaps not, but Dickens noted that at least this “collaborative approach will likely reduce the burden on these companies to defend entirely on their own against large-scale cyber threats, allowing them to focus more on operational efficiencies while maintaining security compliance with government standards.”
Interestingly, both King and Dickens said it’s not enough to protect just data centers. The critical infrastructure designation, they said, needs to cover the networks that connect them along with the applications that run on their infrastructure as well.
“From my point of view it needs to go up the full stack,” King said.
“It is good that we as a society have a conversation about what is critical infrastructure because digital services have invaded our lives for good,” King concluded. “Now we need to make sure we can rely on these services.”