If you’ve ever tried to get into a data center without prior permission or the right identification, you’ll know how stringent security is. As the keepers of, arguably, the world’s most valuable asset – data – data center providers know no bounds when it comes to safeguarding their customers’ priceless information. They house critical data, including customer details and intellectual property, which makes physical security an utmost priority for facility providers. The aim is largely the same worldwide, barring any local regulatory restrictions: keep out the people you don’t want in your building, and if they do make it in, identify them as soon as possible and keep them contained.
Like cyber security, the demands on physical security are increasing as businesses recognize how much of their operations outside traditional IT functions are becoming dependent on the data center. Other emerging trends such as big data, the advent of the Internet of Things (IoT) and cloud will ensure that it continues to move steadily up the priority list.
Any data center should be designed, built and maintained to withstand everything from corporate espionage, to terrorists, to natural disasters, to thieves trying to make a fast buck. Maintaining service availability is paramount and any circumstances that could affect it need to be mitigated to ensure the precious data housed inside is protected.
Ensuring 100 percent uptime
Natural disasters are sadly becoming more frequent and there have been numerous well-publicized examples where data centers have been compromised. Back in 2012, Hurricane Sandy affected connectivity in at least eight New York data centers, with flooding destroying diesel pumps, stopping generators from working and ultimately bringing data centers to a standstill, causing mass disruption to people and businesses alike. Worryingly, it seems that the industry is not learning from experience. Many organizations are not operating a data center environment that would withstand or continue to operate after a natural disaster.
To ensure the facilities maintain uptime should they come under attack from natural sources or otherwise, physical security cannot be limited to the perimeter of the building. Data centers need utilities to be resilient and redundant so that if one system fails, there is a backup. These include water, power, telephone lines and air filtration systems. Battery backups are essential to ensure that security systems and heating, ventilation and air conditioning continue to operate in case of an area-wide power outage.
Keeping control of who gets in and out
Entry to the data center should be tightly managed, with strict procedures to monitor and control visitor access both into and within the data center. Physical security is there not only to stop criminals getting in, but also to delay them and so reduce their chances of success.
In order to achieve gold standard security, there should be seven layers of physical security:
- A physical barrier: A fence that is a minimum of three metres high (five metres in some places, depending on who or what is located next door).
- Trembler wire: A wire on top of the fence that will set off an alarm if anyone kicks, climbs or jumps over it.
- Surveillance cameras: CCTV installed around the perimeter of the building at all entrances and exits as well as at every access point throughout the building. A combination of motion-detection devices, low-light cameras, pan-tilt-zoom cameras and standard fixed cameras is ideal. Footage should be digitally recorded and stored offsite.
- 24/7 security guards: Always have more than one guard – one to man the systems and one or more to do a regular walk around to check the perimeter and the rooms.
- Vehicle trap: Access to the facility compound, usually a parking lot, needs to be strictly controlled either with a gated entry that can be opened remotely by reception or security once the driver has been identified, or with retractable bollards. The idea of this measure is to not only prevent unauthorized visitors from driving into the parking lot and having a look around, but also to prevent anyone from coming straight into the lot with the intention of ramming the building for access.
- Full authentication & access policy control: To get inside, people should need government-issued photo ID. Once provided, they should be given a formal ID card that allows them into different parts of the data center depending on whether they are a customer or a visitor – one should be accompanied and the other not.
- Biometrics: To get access to the buildings, data floors and individual areas, biometrics should be used as a form of identification to ensure secure, single-person entry.
Maintaining top levels of physical security
No matter how simple or complex the security system, it will be useless if it isn’t tested regularly to ensure it works as expected. Alarms need to be tested and maintained, CCTV cameras need to be checked and staff need to be regularly trained on processes.
Most data centers have some level of compliance and certification, such as Uptime Institute Tier III and ISO 27001. These kinds of accreditations need to be maintained every three to five years, with surveillance visits by an external auditor required annually to ensure continued compliance. It isn’t just about having a fence, but about what you would do if the fence gets breached by an accident, such as a lorry smashing into it, or by an organized attack.
Nearly all information has some value to someone and the loss of data or systems shutting down has potentially very high associated costs. Data center security is about minimizing risk and maximizing operational uptime. If operators are to satisfy ever increasing customer expectations, they must not neglect physical security or make it an ineffectual afterthought. One thing we can be sure of is that security demands will continue to evolve along with changes in how we live and conduct business.
About the Author
Darren Watkins, Managing Director of VIRTUS Data Centres, began his career as a graduate Military Officer in the RAF before moving into the commercial sector. He brings over 20 years’ experience in telecommunications and managed services gained at BT, MFS WorldCom, Level3 Communications, Attenda and COLT. He joined the VIRTUS team from euNetworks where he was Head of Sales for the UK, leading market changing deals with a number of large financial institutions and media agencies and growing the company’s expertise in low latency trading. Additionally, he sits on the board of one of the industry’s most innovative Mobile Media Advertising companies, Odyssey Mobile Interaction, and is interested in all new developments in this sector. Darren has an honors degree in Electronic and Electrical Engineering from University of Wales, College Swansea.