Doing your own due diligence is perhaps the most important piece of your data center security strategy.
To help you do your due diligence, we’ve identified 12 questions you can ask to help qualify a potential data center colocation provider.
1. How do you control physical access to the data center environment?
Ask about controls at the perimeter, upon entering the data center, and at the entrance to your IT infrastructure, such as:
- Defensible perimeter
- Security fencing
- Traffic bollards/barriers
- Car traps
- 24/7 on-site guard staff
- Digital video surveillance
- Customer-defined access lists
- Badged entry/visitor tracking
- Biometric screening
- Locking cabinets, cages, suites and modules
- Customer-provided private access control systems
- 24×7 customer access without delay
2. How do you monitor physical access to the data center environment?
There should be digital video surveillance around the perimeter that is monitored 24/7. The data center should also run monitoring software that logs every entry to and exit from each data center module.
3. What are your processes for vetting employees, supply chain partners, vendors, and customers?
Your data center provider should diligently vet all employees, supply chain partners, vendors, and customers. Ask about their vetting processes to make sure you understand them.
4. What are your training procedures? How often do employees attend training?
Data center employees should receive regular training and updates to stay aware of the latest threats and adversaries, particularly social engineering threats.
5. Are you ISO 27001 or SOC 2 Type 2 compliant?
ISO 27001 and SOC 2 certifications help confirm that the right systems and processes are in place to support data security, availability, process integrity, privacy, and confidentiality.
6. Is there physical separation between my IT infrastructure and other customers’ infrastructures?
Look for complete physical separation from other customers’ IT infrastructures. Separation may take the form of locked cabinets, cages, suites, or modules.
7. Who can access my IT infrastructure?
You should understand who can enter your IT infrastructure and what controls govern that entry.
8. Does the data center enable you to match security levels to application needs?
Data center providers should allow their customers to access high-speed Internet services via interconnections with a wide range of upstream ISPs, and should provide visibility into the performance and availability of each interconnection.
9. Can the data center deliver higher levels of security for applications that require it? How?
Understand all of the security measures used by your data center provider and how they protect the data center from every angle that a potential adversary might attack it—from external physical and logical threats to insider threats, both malicious and unintentional.
10. Do you offer DDoS threat visibility and mitigation?
Your data center provider should be able to monitor all network activity in real time for network services they provide, alert to anomalous behaviors, and quickly mitigate any events at the network edge.
11. If your site becomes unavailable, do you have secondary sites from which data can be quickly and easily recovered?
Look for data center providers that have a national or global data center footprint with colocation services in multiple regions, so that data can be backed up, stored, and recovered in the event of a disaster to ensure business continuity.
12. How many security breaches have you gone through?
It is important to understand not only the number of data breaches, but also how your data center provider managed those breaches.
Learn more about why data center security matters and how IO delivers data center security better than the status quo by reading “Data Center Security in an Insecure World: How Outsourcing Supports an Overall Risk Mitigation Strategy.”
DISCLAIMER: This document is for reference purposes only. The information contained herein should not be relied on and neither IO Data Centers, LLC nor any of its affiliates makes any warranties or representations as to its accuracy.