Overcoming security peculiarities in the data centre
Thu 21 Jul 2016
Data is the core commodity of any data centre. Data sometimes belongs to the centre owner, while other times it belongs to customers. Data can be a company’s intellectual property that provides the organisation with its business advantage, or it can be personal data, or even money.
Due to the wide range of functions of a data centre, security within the facilities needs to be flexible while still allowing ease of access. Balancing security and access can seem like an impossible conundrum, as providing more security would appear to compromise easy access. However, a relatively simple access control system can help to strike this balance.
Access control is not all about keeping the wrong people out or away from something. The challenge is letting the right people access the right points at the time they wish. Employees, customers, visitors, and service personnel each have their own set of needs for access control and security.
Firstly, employees within any organisation are a mix of personnel who complete a variety of tasks; consequently all individual employees have different needs to access each defined area. As employees’ day-to-day tasks usually take place in the same areas of a building, the control and assignment of access rights is relatively straightforward.
This contrasts with customers and visitors, whose data is stored in the core of facilities in order to run their applications. They need periodic – but easy – access to their servers. However, just as a customer appreciates the measures they must endure to access a safe-deposit box, these people must appreciate and tolerate the security levels that are applied within data centres, to ensure secure issuance of valid and defined credentials. Customers and visitors can change regularly, and data centres must manage them with efficiency, and a customer-facing approach.
A data centre is a complex system of IT hardware, infrastructure and software that needs cooling and power systems, which require maintenance and service in order to operate. The service personnel employed to do this also demand careful consideration when access rights are being decided, as they are unlikely to be vetted to the same degree as data centre employees. Data centres must be careful about who the incoming people are and how they are monitored – and this needs careful thought, planning and implementation.
The first step in implementing a successful access control system in a data centre is to consider its perimeter security. This is often straightforward, taking into account vehicle control and the reception area. Issuing car passes or automatic number plate recognition (ANPR) may be a useful addition to a traditional manned barrier, as it will help to give customers and service personnel out-of-hours access. Ensuring that all visitors register at the gates can also assist with security.
The second step is to consider the interior of the data centre; parts of this will run as a standard office space and present no major challenge. However, beyond the more open areas lies the core of any data centre’s operation, where more barriers need introducing, in order to ensure a higher level of security.
These can include a mix of security processes, including multi-factor authentication, biometrics, human tracking and CCTV – and the use of security hardware, such as locks and turnstiles that can assist with safeguarding these more sensitive areas.
The more sensitive interior areas within data centres contain a wide range of valuable equipment that needs protecting. Cabinets house individual servers – the crown jewels of any data centre. Therefore it makes sense that each of these be individually secured. Mechanical keys are not always easy to manage; consequently electronic locking solutions are now available for individual cabinets, the best using wireless technology, and even supporting door contact technology for additional security.
These can help companies ensure that their sensitive data is protected against unauthorised access, as they allow server cabinet doors and racks to be integrated with a real-time access control system, to control exactly who can access the servers, and when. In addition, smartcard-operated access control can generate audit trails – invaluable for incident investigation.
However, it is not just the data cabinets that require a level of protection; for every square metre of data centre floor space there could be an equivalent area in services (cooling systems, power supplies, generators, etc.). These are not just a requirement for the operation of the systems, but are also a potential security risk, and thus need the same protection as any of the individual servers.
A co-ordinated spectrum
From ensuring there is a secure process in place for every person who may come through the door, to protecting cabinets that house servers and areas that contain service systems, data centres are faced with a number of security and access requirements that can be challenging to balance. It is impossible to meet all of these using a single source. However, it can be useful to look for suppliers with designed-in synergies, who cooperate to make hardware and software work together seamlessly.
If suppliers work as a consortium to provide a coordinated spectrum of access and security solutions, this will enable data centres to concentrate on their core concern – keeping data safe and their customers happy.