Policy paper

Data storage and processing infrastructure security and resilience - call for views: Clarification and further information

Updated 20 July 2022

To aid respondents in answering the call for views, we are publishing:

• Three updates that we have made to the call for views.
• Additional guidance on how to answer and how we will use the findings from the call for views.

If you have further questions about the updates, or additional questions that are not covered here, please contact datainfrastructureviews@dcms.gov.uk.

Updates to the call for views

We have recently added three clarifications to the call for views. The updates do not change the content of the call for views, but add additional clarity as to how to answer certain questions.

1. Answering about data centres: We have added guidance to our questions about existing security and resilience measures in place in UK data centres (Q2 to Q7). - If you are a data centre operator, you answer about your organisation’s data centre(s) and, where relevant, about the sector as a whole. - If you work with data centres (e.g. a cloud platform provider, MSP, security company), you answer about the data centre(s) you work with and, where relevant, about the sector as a whole.

2. Sharing incident data: We have added guidance suggesting that respondents include incident data, in addition to processes/standards when explaining the measures in place that manage risks to data centres (Q3).

3. Metrics for reporting customer breakdown: We have added guidance for which metric to use when data centre operators, cloud platform providers and MSPs provide a breakdown of their customer base (Q17). We have suggested that: - Data centre operators provide contracted load (megawatts MW). - Cloud platform providers and MSPs provide contracted maximum storage space (i.e. volume of data) (gigabyte (GB) or terabyte (TB)).

Guidance - crossover with existing or proposed security and resilience regulations

• We have listed organisations in the call for views who are currently regulated for security and resilience, or have proposals for regulations in place, such as cloud platforms providers and MSPs. However, these are respondents we would like to hear from due to their knowledge of the infrastructure and the risks. We are interested in the relationship between data centres and their major partners, suppliers, and customers; and, in particular, how responsibility for security and resilience is split between these. Cloud platforms providers and MSPs who purchase data centre services to offer their customers data storage and processing services make up a significant proportion of data centre customers. Therefore, they are well placed to provide information and answer questions about security and resilience in data centres.

Guidance - scope

• Where our questions ask about data centres, we are focussed on “third-party” or colocation (“colo”) data centres i.e. data centres that store or process data for multiple other organisations. We are not intending to gather evidence about enterprise-owned data centres used by a single organisation.
• We are not investigating the risks to Software-as-a-Service (SaaS) specifically. We are however looking at risks relating to organisations such as MSPs that may also offer SaaS. The primary focus of the call for views is on how risks to data centres are managed, whether that is by data centre operators, or by the major customers of data centres, such as cloud platform providers or MSPs. Therefore, we are asking cloud platform providers and MSPs about their use of data centres. Risks to the (SaaS) applications that the cloud platform providers and MSPs offer are not in scope for this call for views, as they are comprehensively covered by the UK’s Network and Information Systems (NIS) regulations.
• We are not investigating infrastructure based outside the UK. We have considered risks stemming from infrastructure located outside the UK in our assessment of the risk landscape. However, we are using this call for views specifically to seek evidence about data storage and processing infrastructure located within the UK Government’s jurisdiction. However, if respondents think this is a key element that is missing from our work we would be grateful to learn more about it in your CfV response.
• In publishing the CfV, we are effectively testing our scope and line of questioning. With all questions in the call for views, if respondents feel our scope or focus should change or is missing a key element - to ultimately ensure our understanding and response to the risks detailed are effective and future proof - they should record their thoughts in the most relevant question, in the “any other comments” question at the end, attaching a document to the response, or contacting the email address provided.

Guidance - breakdown of who should answer each section

• Part 1 can be answered by any organisation with knowledge of UK data storage and processing infrastructure.
• Part 2 can be answered by data centre operators, or organisations that work with data centres. This includes customers like cloud platform providers and the MSPs that use data centre services, as well as partners and suppliers in a range of fields such as security, construction or management consultancy. These organisations should answer from their perspective as a partner, supplier or customer of data centres as they will have knowledge of, or be responsible for, certain security and resilience measures.
• Part 3 asks data centre operators, cloud platform providers and MSPs who provide storage and processing infrastructure for details of the types of customers they serve. Only these three types of organisations will be able to respond to these questions.

Guidance for Managed Service Providers (MSPs)

• The call for views glossary definition of an MSP in the call for views aligns with the recent consultation on Proposal for legislation to improve the UK’s cyber resilience:
  • Providers of a business to business (B2B) service involving regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems who are supplied to a client by an external supplier.
• Our guidance for how an MSP should answer each section of the call for views is based on their relationship with data centres.
• Part 1 can be answered by any MSP.
• Part 2 can be answered by any MSP that works with data centres, however, they should answer from a different perspective depending on their relationship with data centres.
  • If an MSP purchases services from a data centre in order to offer data storage or processing services to its customers, we are interested in their views as a data centre customer. This is because, as a customer of data centres, these MSPs may be responsible for, or aware of, the security and resilience measures in place in the data centres. They may also have views on whether the data centre market is providing them with the security and resilience measures in data centres that the MSPs require for their business needs.
  • If an MSP does not offer data storage and process services but does work with data centres in another capacity (e.g. providing its security services, supporting customers in how they manage security) we are interested in any knowledge of data centre security and resilience practices they will have through working with data centres.
  • If an MSP does not provide data storage and processing services, or work with data centres at all, they do not need to respond to Part 2.
• Part 3 should only be answered by MSPs who offer data storage and processing services to their customers by procuring third-party data centre services.