BLOG
DATA SEPARATION: WHY PUTTING ALL YOUR EGGS IN ONE BASKET IS A CYBER SECURITY RISK
Centralising your data with a single provider might seem convenient — but it could be your biggest vulnerability
Centralising your data with a single provider might seem convenient — but it could be your biggest vulnerability
It's easy to see the appeal. One supplier, one contract, one invoice, one phone number to call when something goes wrong. Consolidating your technology and data with a single provider feels efficient. Tidy. Simple.
But from a cyber security standpoint, it's one of the riskiest decisions you can make. Because what you're actually doing is creating a single point of failure — one door that, if kicked in, lets an attacker walk off with everything.
This isn't a hypothetical concern. It's one of the most common and costly mistakes organisations make, and it's particularly dangerous when the data involved includes things like CCTV footage, access logs, and facial recognition records.
Think about what a modern security operation might store with a single provider: live camera feeds and archived footage, facial recognition databases, door access logs and entry records, staff HR files, visitor management data, and site maps or floor plans.
Now imagine that provider suffers a breach. It happens — and it happens to large, well-resourced companies as well as small ones. When everything sits under one roof, a single successful attack gives criminals access to all of it at once. They don't just get a piece of the puzzle. They get the whole picture.
We've seen high-profile cases where large vendors — cloud storage platforms, managed IT providers, security software companies — have been compromised and dozens or even hundreds of their clients have been caught up in the fallout simultaneously. The clients didn't do anything wrong. They simply trusted too much to one place.
Good security practice has always recognised the importance of not putting everything in one place. The principle of data segregation — keeping different types of sensitive information in separate, isolated systems — is a cornerstone of proper risk management.
The logic is straightforward. If a breach occurs on one system, the damage stays contained. The attacker gets into one room, not the whole building. Your facial recognition database isn't connected to your HR records. Your access logs aren't sitting alongside your financial data. Each system is its own isolated environment, and a compromise of one doesn't automatically mean a compromise of all.
This isn't just good practice in theory — it's increasingly what regulators and insurers expect to see. If you suffer a breach and it turns out you had everything centralised with a single vendor, you may find yourself in a difficult position when explaining your risk management decisions.
Not all data is created equal, and biometric data — including facial recognition templates — sits at the very top of the sensitivity scale. Under UK GDPR, biometric data used for identification purposes is classified as special category data. That means it carries the highest level of legal protection and the strictest requirements around how it's handled, stored, and processed.
Given this, it makes no sense for facial recognition data to be lumped in with general IT infrastructure, shared cloud environments, or multi-purpose platforms used by multiple clients. The risk profile is simply too high. A breach involving standard business data is serious. A breach involving biometric data — faces, identities, recognition records — is on a completely different level in terms of legal exposure and the potential harm to the people affected.
Biometric data deserves dedicated, specialist storage. Not a shelf in a shared warehouse — its own secure, isolated facility with appropriate controls built around it from the ground up.
If you're working with a facial recognition or security technology provider — or evaluating one — here are some questions that should be part of any serious conversation:
Where exactly is my data stored, and in what type of environment? Is it on a shared platform used by multiple other clients, or is my data held in its own dedicated space? What happens to my data if another client on the same infrastructure suffers a breach — am I exposed? Is my facial recognition data kept separate from other data types, such as general IT records or business files? Who can access my biometric data, and what controls are in place to prevent unauthorised access?
These aren't aggressive or unreasonable questions. They're basic due diligence. Any reputable provider should be able to answer them clearly and confidently. If you're met with vague answers or the conversation gets redirected, that tells you something.
Many technology platforms — particularly those offering cloud-based services — operate on what's called a multi-tenant model. That means multiple clients share the same underlying infrastructure. It's cost-effective for the provider and often perfectly acceptable for lower-sensitivity applications.
But for biometric and security data, multi-tenant environments introduce a risk that's hard to justify. If the platform is breached, the question isn't just whether your data was targeted — it's whether it was caught up in an attack aimed at someone else. In a shared environment, you're only as secure as the weakest client on the platform.
Dedicated infrastructure eliminates that risk. Your data isn't sharing space with anyone else. An attack on another client doesn't reach you, because there's no shared wall between you.
At FaiceTech, we've built our infrastructure around the principle that biometric data requires its own dedicated environment. Each client's facial recognition data is held in segregated, isolated storage — not a shared database, not a multi-tenant platform, not pooled alongside other clients' information.
This is a deliberate architectural decision, not an afterthought. It means that even in a worst-case scenario, the blast radius of any incident is contained. Your data is yours — separated, protected, and not connected to anyone else's environment.
It's also the right thing to do given the nature of what facial recognition data is. We take the legal and ethical weight of handling special category biometric data seriously, and that starts with the basics: making sure it's stored the way it should be.
Convenience is a reasonable thing to want from your technology providers. But convenience should never come at the cost of security — particularly when the data involved is as sensitive as biometric records.
The principle is simple: keep sensitive data separate, understand exactly where it lives, and make sure a problem with one system can't cascade into a problem with everything. Ask the hard questions before you sign up, not after something goes wrong.
When it comes to facial recognition, working with a provider who treats your biometric data as a distinct, protected asset — not just another file in a shared folder — isn't a luxury. It's the minimum standard you should expect.