Physical security of a data center

In addition to many layers of software cybersecurity, protection of  data centers with layers of physical security systems is paramount.

Data centers store large amounts of data for processing, analyzing, and distributing—and thereby connect organizations to service providers. Many organizations rent space and networking equipment in an off-site data center instead of owning one. A data center that caters to multiple organizations is known as a multi-tenant data center or a colocation data center, and is operated by a third party.

Industrial facilities with on-premise data centers need to secure the hardware and software within them. There are two types of security: physical security and software security.

Physical security is the protection of people, property, and assets, such as hardware, software, network, and data, from natural disasters, burglary, theft, terrorism, and other events that could cause damage or loss to an enterprise or institution. Software security involves techniques to prevent unauthorized access to the data stored on the servers. Because new malicious software (malware) is being developed year after year to break the various firewalls protecting the data, security techniques need to be upgraded periodically.

Physical security controls

Physical security of a data center comprises various kinds of built-in safety and security features to protect the premises and thereby the equipment that stores critical data for multi-tenant applications. For the safety and security of the premises, factors ranging from location selection to authenticated access of the personnel into the data center should be considered, monitored, and audited vigorously. To prevent any physical attacks, the following need to be considered:

1. proximity to high-risk areas, such as switch yards and chemical facilities

2. availability of network carrier, power, water, and transport systems

3. likelihood of natural disasters, such as earthquakes and hurricanes

4. an access control system with an anti-tailgating/anti-pass-back facility to permit only one person to enter at a time

5. single entry point into the facility.

Organizations should monitor the safety and security of the data center rack room with authenticated access through the following systems:

1. closed-circuit television (CCTV) camera surveillance with video retention as per the organization policy

2. vigilance by means of 24×7 on-site security guards and manned operations of the network system with a technical team

3. periodic hardware maintenance

4. checking and monitoring the access control rights regularly and augmenting if necessary

5. controlling and monitoring temperature and humidity through proper control of air conditioning and indirect cooling

6. uninterruptible power supply (UPS)

7. provision of both a fire alarm system and an aspirating smoke detection system (e.g., VESDA) in a data center. A VESDA, or aspiration, system detects and alerts personnel before a fire breaks out and should be considered for sensitive areas.

8. water leakage detector panel to monitor for any water leakage in the server room

9. rodent repellent system in the data center. It works as an electronic pest control to prevent rats from destroying servers and wires.

10. fire protection systems with double interlock. On actuation of both the detector and sprinkler, water is released into the pipe. To protect the data and information technology (IT) equipment, fire suppression shall be with a zoned dry-pipe sprinkler.

11. cable network through a raised floor, which avoids overhead cabling, reduces the heat load in the room, and is aesthetically appealing.

Security systems include CCTV, video, and other access control systems, such as biometrics and perimeter monitoring systems.

Security in data center

Security of a data center begins with its location. The following factors need to be considered: geological activity like earthquakes, high-risk industries in the area, risk of flooding, and risk of force majeure. Some of these risks could be mitigated by barriers or redundancies in the physical design. However, if something has a harmful effect on the data center, it is advisable to avoid it totally.

The most optimal and strategic way to secure a data center is to manage it in terms of layers (figure 3). Layers provide a structured pattern of physical protection, thus making it easy to analyze a failure. The outer layers are purely physical, whereas the inner layers also help to deter any deliberate or accidental data breaches.

The four layers of data center physical security.

The security measures can be categorized into four layers: perimeter security, facility controls, computer room controls, and cabinet controls. Layering prevents unauthorized entry from outside into the data center. The inner layers also help mitigate insider threats.

First layer of protection: perimeter security. The first layer of data center security is to discourage, detect, and delay any unauthorized entry of personnel at the perimeter. This can be achieved through a high-resolution video surveillance system, motion-activated security lighting, fiber-optic cable, etc. Video content analytics (VCA) can detect individuals and objects and check for any illegal activity. Track movements of people and avoid false alarms.

Second layer of protection: facility controls. In case of any breach in the perimeter monitoring, the second layer of defense restricts access. It is an access control system using card swipes or biometrics. High-resolution video surveillance and analytics can identify the person entering and also prevent tailgating. More complex VCA can read license plates, conduct facial recognition, and detect smoke and fire threats.

Third layer of protection: computer room controls. The third layer of physical security further restricts access through diverse verification methods including: monitoring all restricted areas, deploying entry restrictions such as turnstile, providing VCA, providing biometric access control devices to verify finger and thumb prints, irises, or vascular pattern, and using radio frequency identification. Use of multiple systems helps restrict access by requiring multiple verifications.

Fourth layer of protection: cabinet controls. The first three layers ensure entry of only authorized personnel. However, further security to restrict access includes cabinet locking mechanisms. This layer addresses the fear of an “insider threat,” such as a malicious employee. After implementing the first three layers well, cabinets housing the racks inside the computer room also need to be protected to avoid any costly data breach.

There are multiple significant considerations for the critical fourth layer, like providing server cabinets with electronic locking systems. To ensure secured access, the same smart card can be used to access the cabinets. In addition, biometrics may be provided. The above systems can be linked with the networked video cameras to capture the image of the person and his or her activities, and log the data automatically for further analysis and audit. PTZ cameras can be preset to positions based on cabinet door openings.

An integrated IP network of the four layers of security can create an effective, efficient, and comprehensive system for any application. Further integration with the Internet allows for centralized searching, storing, recording, sending, sharing, and retrieving capabilities.

Best practices

A data center audit involves an asset inventory and creates a library of accurate, up-to-date information about all of the equipment in the data center—from servers and cabinets to storage devices. The following are some of the best practices for building up security at a data center facility.

1. Conduct regular audits. Internal audits check the implemented systems and processes. An external audit is used to check the commitment of internal audits. Audits should check for any vulnerabilities in the data center facilities that are provided to ensure security. Check to see if access control systems, CCTV cameras, and electronic locks are functioning and are being maintained. Check if any job role changes in the employees call for an update in the procedures and systems.

2. Strengthen access control systems. As an outcome of the audit checks, any facility requiring extra protection should receive additional security. For example, multiple verification methods for personnel entry into a certain area may be recommended, such as an access card and fingerprint or retinal recognition. Make an audit of the entire facility to check if the access control system needs to be tightened.

3. Enhance video surveillance. Video cameras should include both indoor and outdoor areas of the facility. Similar to the access control systems, coupling these with 24-hour surveillance by security staff can significantly enhance the safety of the facility.

4. Enforce security measures. This requires employee training on the security measures to be followed and the consequences if procedures are violated.

5. Establish redundant utilities. Create redundancy in utilities like electricity and water and distribute the same to avoid common-mode failures and to achieve high availability of the systems.

Physical security comprises a four-layer protection that provides a defense-in-depth approach in case control is bypassed. Controls include administrative decisions such as site location, facility design, and employee control/assigning the access level. Physical controls include perimeter monitoring, motion detection, and intrusion alarms. Technical controls include smart cards used for access control, CCTV systems, and intrusion detection systems.

Most organizations focus on software security and firewalls. However, a breach in physical security could cause the theft of data and devices that will make software security useless.