Data in the cloud, security on the ground
Tue 1 Apr 2014
Physical security of a data centre is just as important as cloud security, argues Ivor Lewis, the chief operating officer of TSSI Systems.
As data becomes more and more centralised, increasingly relying on storage and access facilities such as data centres, the subject of effective physical security has become as important as that of logical security.
The exponential rise in the amount of data organisations store and manage, coupled with the ever-increasing numbers of people migrating into the cloud, has seen outsourced data centres move to centre stage in the world of enterprise efficiency.
Yet while the business benefits of virtualisation and cloud computing are becoming increasingly apparent, for many companies the main barrier to full adoption is still security. The fear, once focused on IT security, has now shifted to the physical security of the data centre.
A compromised facility can mean a data breach that, in turn, can lead to a loss of customers, high recovery costs, and a damaged reputation, not to mention regulatory consequences and the question of compliance.
In effect, targeted by hacktivists and other criminal groups, data centres that are not properly secured could become more of a risk to organisations than lost laptops, smartphones or USB drives. As a result, both the physical and logical requirements for security must be looked at in detail, as well as how the two integrate.
So how can those responsible for the integrity of customers’ data reassure their customers, and their customers’ customers, that everything that can be done is being done with regard to security?
The main area of focus, with regard to physical security, is access control. Assuming that those working in a data centre can be trusted (or at least held accountable), the main way to secure the building is to ensure access to the data centre, particularly to sensitive areas, is strictly controlled.
Owners or facility managers need to ensure they take a robust approach to establishing ‘credentials’, for example by the use of cards with PIN numbers, biometrics, and comprehensive CCTV surveillance systems for the internal building, combined with perimeter and building security for the external aspects of the data centre.
In her white paper ‘Physical Security in Mission Critical Facilities’, senior research analyst Suzanne Niles identifies three categories of identification: ‘what you have’, ‘what you know’ and ‘who you are’. In short, this translates to something you wear or carry, such as a pass or card (what you have), a password, code or procedure (what you know), or identification by recognition of unique physical characteristics (who you are). Niles argues that the reliability of these techniques increases from the first to the last, and that a combination of the three provides still further reliability.
ID cards, for example, will provide a certain degree of personnel monitoring, particularly if linked to a unique PIN that combines the ‘what you have’ with the ‘what you know’. An inherent weakness in the use of ID cards alone, however, is that they don’t guarantee the legitimacy of their use by the holder. The loss, theft or lending of these cards can lead to access by unauthorised personnel who are not required by the access control system to prove they are who they say they are.
When twinned with biometric solutions, however, this inherent security weakness can be overcome as we move into the category of ‘who you are’. Biometric fingerprint systems, for example, require authorised users to ‘enrol’ onto the system by capturing a template from their fingerprint, encrypting it and storing it against their PIN, usually held in a database. In this way, when the user enters their PIN the system should recall the stored template and compare it with the presented finger. If the template and finger match, the correct person is present and only then will they be granted access to the building.
Biometric scanning techniques have also been developed for a number of other human features such as the iris (pattern of colours), retina (pattern of blood vessels), face, voice and even handwriting where the dynamics of the pen as it moves are tracked.
Whilst effective, however, this technique is not foolproof, and a common issue is ‘false rejection’, where a legitimate user is not recognised by the system. This is particularly true in areas where there is poor light, hence the need to use these systems in conjunction with ‘what you have’ and ‘what you know’ technology.
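The three-factor check described above (card recalls the record, PIN confirms the holder, live fingerprint confirms who is present), written out as an added example that is not part of the article or of any TSSI product. The template matcher, the 0.80 similarity threshold and the decision to store the PIN as a salted hash rather than in clear are all assumptions made for the illustration; a real system would use a proper minutiae matcher and an encrypted template store.

```python
"""Added illustration: card + PIN + fingerprint template door-access check."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets

MATCH_THRESHOLD = 0.80  # assumed minimum template similarity for a match


@dataclass
class Enrolment:
    card_id: str
    pin_hash: bytes     # salted PBKDF2 hash; the PIN itself is never stored
    salt: bytes
    template: list      # constructed stand-in for the stored fingerprint template


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enrol(card_id: str, pin: str, template: list) -> Enrolment:
    """Enrolment: capture the template and store it against the card and PIN record."""
    salt = secrets.token_bytes(16)
    return Enrolment(card_id, hash_pin(pin, salt), salt, list(template))


def similarity(stored: list, presented: list) -> float:
    """Toy matcher: fraction of template positions that agree (hypothetical)."""
    return sum(a == b for a, b in zip(stored, presented)) / len(stored)


def check_access(db: dict, card_id: str, pin: str, presented: list) -> tuple:
    """Return (granted, reason). Each factor must pass before the next is tried."""
    rec = db.get(card_id)
    if rec is None:                                  # what you have
        return False, "unknown card"
    if not hmac.compare_digest(hash_pin(pin, rec.salt), rec.pin_hash):
        return False, "pin mismatch"                 # what you know
    score = similarity(rec.template, presented)      # who you are
    if score < MATCH_THRESHOLD:
        # Either an impostor with a lent card, or a false rejection of a
        # legitimate user (e.g. poor capture); the door stays shut either way.
        return False, "template mismatch"
    return True, "granted"
```

Running the check with the same card and PIN but a different finger shows why a lent card plus PIN is not enough, while a degraded capture of the right finger shows the false-rejection case the text warns about.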
Once access to the data centre has been secured as far as possible, attention should then be turned to the monitoring of those within the building. CCTV cameras are a standard way of achieving this, and should be placed liberally and in full view, as this will also act as a deterrent to any would-be saboteurs. At a basic level, however, such technology still relies on the vigilance of those monitoring the video feed, at least in terms of stopping any security breach in real time. What can be done, however, is to integrate the CCTV into the wider security system, so footage can be logged against access data and a range of other scenarios in order to manage security more effectively.
For those with bigger budgets there is a dizzying array of extras available in today’s market, from motion sensors and 180-degree vision to facial tracking and recognition software that can capture and record detailed imagery of every person who enters the facility.
Taking things a stage further, RFID tags can now be used to automatically monitor the movement of IT assets and, if necessary, the behaviour of people by fitting them into uniforms or ID badges. This use of smart micro-technology could well represent a big opportunity for data centres, allowing their customers not only protection and control, but also the option to monitor, trace and even produce reports regarding their assets.
The development of ‘next generation data centres’ is a subject on many people’s lips recently. It means improved efficiency by using newer technologies and techniques, such as improved cooling and the use of renewable energies; it also means better servers for more effective data storage, but all of this would count for nothing without similar improvements to security and access control.
As demand for data storage continues to grow, developments in technology will emerge to help data centre owners and managers keep pace and meet those demands. It promises to be an interesting time for security professionals.