DCIM Security Best Practices: 5 Critical Aspects


Executive Summary

A DCIM solution communicates with your most critical networked assets—including power distribution gear. This makes DCIM one of the highest-risk applications on your network. A 2022 survey cited in Security Week identified field monitoring and control applications—including DCIM, SCADA, and IoT—as among the most commonly targeted in cyber breaches. Five security practices govern whether a DCIM solution reduces or adds to your cyber risk: local data collection, transmission encryption, data storage security, secure data sharing, and application access controls.

A DCIM (Data Center Infrastructure Management) solution communicates with your most critical networked assets – including your power distribution gear. Any application installed on your network can potentially impact your cyber security and could introduce new risks – your DCIM solution should help reduce cyber security risk in your infrastructure, not add risk. A 2022 survey quoted in Security Week indicated that the most common security breaches utilized weaknesses in field monitoring and control gear applications. This included breaches at government installations like U.S. Customs ports. Field monitoring and control gear include SCADA, DCIM, and IoT, making these solutions some of the highest risk applications as they are directly targeted aspects of your infrastructure. Your overall cyber security plan should place a high priority on examining your DCIM solution – and security and proper encryption should be a top requirement in your evaluation and selection of a DCIM application.

What makes a DCIM solution secure?

Encryption and architecture must be applied together to achieve a truly secure DCIM solution. Encryption protects data during transmission (or at rest for database encryption). Architecture is a careful design and data flow engineered to remove risks, typically by limiting points of access to the system.

Let’s look at the top five aspects of DCIM security and how encryption and architecture are applied:

1. Local data collection from devices reduces risk

Data should be collected from devices “at the edge” and encrypted in transport. As a security best practice, collection and encryption should happen as close to the target device as possible.

If you access a device from another location (including over a VPN) to collect monitoring data, the risk is much higher than with an architecture that collects the same data locally, without crossing segments of the network. When possible, data should be collected as close to the asset as possible, both physically and logically (on the network) – on the same subnet, at the same location.

Your DCIM solution should be able to collect data at the edge, reducing the exposure of the device itself. Direct access to the device does not have to be exposed to the internet, or even across external subnets, if you collect the data from within the device’s local subnet.

2. Encryption and DCIM data transmissions

The data from a device (such as power load on a PDU or power strip) is not particularly sensitive, but the transactions can contain sensitive data – like the IP address of the device. This information can be used to target the device in a network attack.

Some protocols do not support security, like Modbus and SNMP v1. When possible, encrypted protocols should be used, such as SNMP v3, to ensure the device’s login credentials are not exposed. If this is not possible, the concept of collecting “close to the device” becomes critical to protecting the data exchange. Modbus queries should not span networks or subnets without encryption. When accessed remotely, these connections should be across a secure connection like a VPN.

It is critical that your DCIM solution encrypts data, regardless of the data protocol, or where the data is collected. This ensures that the information is protected, regardless of whether it is transmitted across a local network, secure VPN, or any other connection.
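The two rules above (collect inside the device’s own subnet, and never let a cleartext protocol cross a subnet boundary unprotected) can be expressed as a policy check a collector runs before it starts polling. The following is an added example, not Modius code; the protocol names, the `PollPath` record and the CIDR values are constructed for illustration. SNMP v2c is listed with v1 because it also sends community strings in the clear.

```python
# Added example (not part of the original article or of OpenData):
# decide whether a proposed polling path honours the edge-collection and
# encryption-in-transit rules described in sections 1 and 2.
import ipaddress
from dataclasses import dataclass

# Protocols that expose credentials and payload in the clear (from the article,
# plus SNMP v2c, whose community strings are also unencrypted).
CLEARTEXT_PROTOCOLS = {"modbus-tcp", "snmpv1", "snmpv2c"}
# Protocols with built-in authentication and encryption.
ENCRYPTED_PROTOCOLS = {"snmpv3"}


@dataclass(frozen=True)
class PollPath:
    collector: str        # collector interface in CIDR form, e.g. "10.20.30.5/24" (constructed)
    device_ip: str        # address of the PDU / power strip being polled
    protocol: str
    tunneled: bool = False  # True when the hop rides an encrypted tunnel (VPN, TLS)


def is_local(path: PollPath) -> bool:
    """Edge collection: the device sits in the collector's own subnet."""
    network = ipaddress.ip_interface(path.collector).network
    return ipaddress.ip_address(path.device_ip) in network


def evaluate(path: PollPath) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown protocols are denied by default."""
    proto = path.protocol.lower()
    if proto in ENCRYPTED_PROTOCOLS:
        return True, "encrypted protocol; may cross subnets"
    if proto not in CLEARTEXT_PROTOCOLS:
        return False, f"unknown protocol {proto!r}; review before allowing"
    if is_local(path):
        return True, "cleartext protocol confined to the device's subnet"
    if path.tunneled:
        return True, "cleartext protocol crossing subnets inside a tunnel"
    return False, "cleartext protocol would cross a subnet boundary unprotected"


def audit(paths: list[PollPath]) -> list[str]:
    """Devices whose configured polling path violates the policy."""
    return [p.device_ip for p in paths if not evaluate(p)[0]]


if __name__ == "__main__":
    # Constructed sample plan: one local Modbus poll, one remote Modbus poll,
    # one remote SNMP v3 poll.
    plan = [
        PollPath("10.20.30.5/24", "10.20.30.40", "modbus-tcp"),
        PollPath("10.20.30.5/24", "10.99.0.7", "modbus-tcp"),
        PollPath("10.20.30.5/24", "10.99.0.8", "snmpv3"),
    ]
    for p in plan:
        print(p.device_ip, p.protocol, *evaluate(p))
    print("violations:", audit(plan))
```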

3. Data storage

Once the data is collected, the transmission from the collector to the main application should be encrypted and secure as well – to protect details and device addresses within the data.

For the highest security requirements, data should be encrypted at rest. To achieve this, the database solution must support full database encryption.

A secure DCIM solution should be built on a database, like Microsoft SQL Server, that can be encrypted in the data store and accessed via a secure connection.

4. Data sharing – SLA transparency requirements

Hyperscalers now have data transparency requirements when renting space from colocation providers. These requirements include access to raw telemetry data from the most critical power distribution assets. Many of these assets use protocols like Modbus, which introduces significant risk if the devices are exposed directly to the customer.

This data must be provided without adding risk – and a next generation DCIM solution can fill this role. Using the read-once-use-many approach, the data can be shared to the external customer via the DCIM, without adding risk by exposing direct access to the hardware (if your DCIM solution supports an API and point publishing).

5. Application access

Network applications must have secure access. This includes encrypted web services, logins, and support for MFA (multi-factor authentication). Any API or other service must provide a secure, strongly protected interface. Your DCIM solution should support security and authentication across these services.

A DCIM solution should provide high-granularity access control to limit the devices and data available to any given user. This provides compliance with the Principle of Least Privilege (PoLP) to minimize risk. This principle is required for many government service contracts and certifications like CMMC.

The Principle of Least Privilege includes the ability to limit which devices an operator can access, and which rights (read, acknowledge alarms, close alarms, etc.) they have on each device across your infrastructure.
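The per-device rights described here, and the read-once-use-many sharing model from section 4, fit one small authorization model: every principal is denied by default, operators receive individual rights on individual devices, and tenants receive read rights only on published points, never on the device itself. The code below is an added example, not Modius or OpenData code; the `Right` flags, the `device:`/`point:` resource naming and the sample device names are constructed for illustration.

```python
# Added example (not part of the original article or of OpenData):
# deny-by-default, per-device rights (section 5) plus read-once-use-many
# tenant publishing (section 4) on top of the same authorization check.
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Flag, auto


class Right(Flag):
    """Rights named in the article; combined with | on a single resource."""
    READ = auto()
    ACK_ALARM = auto()
    CLOSE_ALARM = auto()


@dataclass
class Principal:
    name: str
    grants: dict[str, Right] = field(default_factory=dict)  # resource -> rights

    def grant(self, resource: str, rights: Right) -> None:
        self.grants[resource] = self.grants.get(resource, Right(0)) | rights

    def allowed(self, resource: str, needed: Right) -> bool:
        """Least privilege: no grant on the resource means no access at all,
        and every requested right must have been granted explicitly."""
        return (self.grants.get(resource, Right(0)) & needed) == needed


class TelemetryService:
    """The collector reads each device once; tenants are served only from
    points that were explicitly published to them (read once, use many)."""

    def __init__(self) -> None:
        self.readings: dict[str, float] = {}  # "device/point" -> latest value

    def ingest(self, device: str, point: str, value: float) -> None:
        self.readings[f"{device}/{point}"] = value

    def publish(self, tenant: Principal, device: str, point: str) -> None:
        # The tenant gets READ on the published point, never on "device:...".
        tenant.grant(f"point:{device}/{point}", Right.READ)

    def tenant_read(self, tenant: Principal, device: str, point: str) -> float | None:
        key = f"{device}/{point}"
        if not tenant.allowed(f"point:{key}", Right.READ):
            return None  # unpublished point: the tenant learns nothing
        return self.readings.get(key)


if __name__ == "__main__":
    ops = Principal("night-operator")
    ops.grant("device:pdu-a1", Right.READ | Right.ACK_ALARM)  # may ack, not close
    print(ops.allowed("device:pdu-a1", Right.ACK_ALARM), ops.allowed("device:pdu-a1", Right.CLOSE_ALARM))
    svc, tenant = TelemetryService(), Principal("tenant-colo-1")
    svc.ingest("pdu-a1", "kw", 12.4)          # constructed reading
    svc.publish(tenant, "pdu-a1", "kw")
    print(svc.tenant_read(tenant, "pdu-a1", "kw"), tenant.allowed("device:pdu-a1", Right.READ))
```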

Conclusion

Does your DCIM support collecting data at the edge, near the device?

Does your DCIM encrypt data with NIST-certified encryption?

Does your DCIM support a fully encrypted back-end database? With secure connections?

Does your DCIM provide full compliance with colo tenant data transparency requirements without exposing critical power infrastructure gear to added risk?

Does your DCIM solution provide a secure front end, with high granularity rights-based access control down to individual devices?

Your evaluation and selection of a DCIM solution should consider these five aspects, so your selected solution helps minimize risks on your network, rather than adding new ones.

Frequently Asked Questions

Why is DCIM a high-risk application for cyber security?

Answer: A DCIM solution communicates directly with critical power distribution infrastructure—PDUs, UPSs, generators—making it a high-value target. A 2022 survey cited in Security Week identified field monitoring and control applications, including DCIM and SCADA, as among the most commonly targeted in security breaches.

What is edge data collection and why does it matter for DCIM security?

Answer: Edge data collection means gathering telemetry from devices within their own local subnet, rather than accessing them across external network segments. This limits device exposure to the internet or external networks. Most DCIM platforms require remote device access; Modius OpenData is specifically architected to collect at the edge, reducing the attack surface around critical power infrastructure.

How should a DCIM handle protocols like Modbus that lack native encryption?

Answer: When encrypted protocols like SNMP v3 are unavailable, two mitigations apply: collect data as close to the device as possible (same subnet), and ensure all data is encrypted before transmission across any network boundary. Modbus queries should never span networks or subnets without encryption, and remote access should always traverse a secure VPN.

What is the Principle of Least Privilege and why does it matter for DCIM?

Answer: The Principle of Least Privilege (PoLP) limits each user to only the devices and operations they need for their role. For DCIM, this means access control down to the individual device—controlling read access, alarm acknowledgment, and alarm closure separately. PoLP is required for many government contracts and certifications including CMMC. Modius OpenData implements granular PoLP across all monitored devices.

How can a DCIM share data with hyperscaler tenants without exposing critical hardware?

Answer: A read-once-use-many architecture allows the DCIM to collect data from power infrastructure and re-publish it to tenants via a secure API—without granting tenants direct access to the underlying hardware. Modius OpenData supports this approach, satisfying SLA transparency requirements for hyperscaler colocation customers while keeping critical assets protected.

What database and encryption standards should a secure DCIM use?

Answer: A secure DCIM should use a database platform that supports full at-rest encryption—such as Microsoft SQL Server—with encrypted connections between the application and database. All data in transit between collector and application must also be encrypted. The DCIM Buyer’s Guide outlines these and other security criteria for evaluating platforms.

Consider Modius

As we built Modius® OpenData® over the past 16 years, we are proud that we have addressed all five of these aspects of DCIM security to protect your company. If you are looking for a next-generation DCIM solution that can help you better understand and manage your data center’s operational status, without adding cyber security risk, consider Modius OpenData.

OpenData is a ready-to-deploy DCIM featuring an enterprise-class architecture that scales incredibly well. In addition, OpenData gives you real-time, normalized, actionable data accessible through a single sign-on and a single pane of glass. Let us show you how OpenData helps reduce your cyber security risk, while providing a top tier DCIM solution.

We are passionate about helping clients run more profitable, secure data centers and providing operators with the best possible view into a managed facility’s data. We have been delivering DCIM solutions since 2007. Modius is based in San Francisco and is proudly a Veteran Owned Small Business (VOSB Certified). You can reach us at sales@modius.com or +1 (888) 323-0066.