Paramount security in a digital age
Fri 30 May 2014
Lawrence Buxton looks at how to design security into a data centre and how to protect that key vulnerability – the front gate and beyond
A data centre facility is known to house expensive and often mission-critical IT equipment that in turn holds a huge amount of digital data, which in most instances is confidential. It’s no surprise that security is one of the top concerns of an IT manager when it comes to selecting a data centre facility, and similarly of an operations manager at a data centre, who is responsible for ensuring the facility is secure. However, effective security is only valid if it’s deployed from the ‘ground up’.
Security starts at the perimeter
Security should always start with the actual physical location of the data centre itself, if a data centre is situated near a floodplain or under a flight path, you may need to invest money into counteracting these external threats, when the problems could be avoided altogether.
Generally, the facility should be discreet with a bland appearance, with windows limited to areas used for administrative purposes only, as well as being set far back from roads limiting the number of traffic and pedestrian passers-by. Facilities should also consider high fencing accompanied by tremor sensors or trembler wire that will alert the facility of any intruders. High resolution CCTV cameras that survey the entire site are needed in order to ensure maximum protection and provide round-the-clock surveillance. However, these measures are only really valuable if there are permanent onsite security personnel who regularly patrol the site, preferably in a non-routine manner.
Entrance points are vulnerable, so turnstiles and a vehicle lock are recommended, and while it is wise to limit entrance points, if one vehicle lock was to break, security and access could be compromised so two access points are better than one. It also recommended that further security procedures are put in place such as a full EMS (electro-magnetic shielding) system around the perimeter of the building and bomb-blast proof walls.
Once inside the facility
It’s no good investing in exterior security, if any visitor can walk into the building itself. Disallowing any visitors is unrealistic as IT technicians will inevitably need access to the site to maintain the physical equipment. Therefore it is wise to have procedures in place designed specifically for this.
Begin by validating all visitors before they attend the site and ensure to ask for proof of ID such as a passport or driving license and consider all visits to the site accessible by appointment only. Consider fingerprint or palm reader authentication to strengthen security access within the building by ensuring it is only the person allocated the swipe card that is using it.
It is also good practice for areas of high security to be physically and effectively segregated from lower areas of security via man traps or air lock corridors. Achieve this by providing each individual with an appropriate access level and empower all data centre staff to challenge anyone they do not recognise.
Data centre facility staff
Data centres should be vigilant when hiring personnel to staff the facility as they will have the most access and will need to be trustworthy. Ensure all security personnel are approved SIA (Security Industry Authority) contractors and perform CRB (Criminal Records Bureau) checks. After all, these are the people who will most probably have the most access to the facility. These will have to be individuals that you can trust around expensive equipment, hosting sensitive information, and to ensure the facility is kept secure.
Once you have security processes and procedures in place, it is important to test them. After all, what good is it having these procedures and systems in place if they fail in reality? It’s best to find out the pitfalls and possible weakness in a test scenario rather than in a real breach situation, by which time it will be too late.
It’s a good idea to run practice scenarios to test the security measures. Security systems in the data centre should have the ability to randomly generate false-positive alarms to test the staff and processes so that the overall systems can be reported on and monitored against the expected metrics.
Lawrence Buxton is operations director for Sentrum Colo
First published in Data Centre Management magazine Spring 2014