The importance of physical security for data centres

Written by Mark Bailey, Head of Security, VIRTUS Data Centres Published 2017-11-23 09:36:21

When IT executives talk about security, it often revolves around defence against cyber attacks using clever technology.  However, cyber security is just part of the equation; physical security - keeping the bad guys from physically accessing servers - is also essential.  With businesses placing more and more operations outside of traditional IT into the data centre thanks to emerging trends like big data, and the advent of the Internet of Things (IoT) and cloud, there is a real drive towards greater demands on the physical security of commercial data centres.  The loss or compromise of a facility could have a disastrous economic impact or cause significant reputational damage as customers and trading partners could be affected by the inability to operate.

Any data centre should be designed, built and maintained to withstand everything from corporate espionage, to terrorists, to natural disasters, to thieves trying to make a fast buck. A security threat assessment is essential to identifying areas of potential threat to a business and will enable decision makers to include a range of cost effective and practical counter measures.    Maintaining service availability is paramount and any circumstances that could affect uptime needs to be mitigated to ensure the precious data is protected. Data centres need utilities to be resilient and redundant so if one system fails, there is a backup. These include water, power, telephone lines and air filtration systems to ensure security, heating, ventilation and air conditioning continue to operate in case of an area-wide power outage.

Ensuring 100 per cent uptime:

Natural disasters are sadly becoming more frequent and there have been numerous well publicised examples where data centres have been compromised.  Back in 2012, Hurricane Sandy affected connectivity in at least eight New York data centres with flooding destroying diesel pumps, stopping generators working and ultimately bringing data centres to a standstill causing mass disruption to people and businesses alike.  Worryingly, it seems that the industry is not learning from experience. 

To ensure the facilities maintain uptime should they come under attack from natural sources or otherwise, physical security is not only limited to the perimeter of the building.  Data centres need utilities to be resilient and redundant so if one system fails, there is a backup.

Keeping control of who gets in and out:

Entry to the data centre should be managed with strict procedures to monitor and control visitor access both into and within the data centre.  Not only is the physical security stopping criminals getting in, it is also there to delay their chances of success.

In order to achieve gold standard security, there should be several layers of physical security.

  1. A physical barrier: A fence that is a minimum of three metres high (five metres in some places, depending on who or what is located next door)
  2. Trembler wire: An early warning detection system on the fence that will set off an alarm if anyone attempts to break, climb or jump over it.
  3. Surveillance cameras: CCTV installed around the perimeter of the building at all entrances and exits as well as at every access point and other critical areas throughout the building.  A combination of motion-detection devices, video analytics, low-light cameras, pan-tilt-zoom cameras and standard fixed cameras is ideal.  Footage should be digitally recorded and stored securely for 90 days minimum.
  4. 24/7 security guards: Always have fully vetted and licenced, appropriately trained multiple guards – at least one to manage the systems and one or more to execute regular patrols  to check the perimeter and the data centre.
  5. Vehicle trap: Access to the facility compound, usually a car park, needs to be strictly controlled either with a gated entry that can be opened remotely by security once the driver has been identified, or with retractable bollards. The idea of this measure is to not only prevent unauthorised visitors from driving into the car park and having a look around, but also to prevent anyone from coming straight into the area with the intention of ramming the building for access
  6. Full authentication & access policy control: To get inside, people are required to present Government issued photo ID.  Once provided, they should be given a formal ID card that allows them into different parts of the data centre to assigned areas where they have authorised access, depending on whether they are a customer or a visitor – one should be accompanied and the other not.
  7. Biometrics: To get access to the buildings, data floors and individual areas dual factor authentication, preferably biometrics should be used as a form of identification to ensure secure, single-person entry.

Maintaining top levels of physical security:

No matter how simple or complex the security system, it will be useless if it isn’t tested regularly to ensure it works as expected.  Alarms need to be tested and maintained, CCTV cameras need to be checked and staff need to be regularly trained on processes. 

Most data centres should have some level of compliance and certification such as Uptime Institute, Tier III and ISO27001.  Accreditations of this type need to be continually audited by an external, third party certification body with all accreditations re-certified every three years  to ensure continued compliance.  It isn’t just about having physical security measures,  but what tried and tested, robust processes you would execute should an incident occur, and ensuring all staff are familiar with them

Nearly all information has some value to someone and the loss of data or systems shutting down has potentially very high associated costs.  Data centre security is about minimising risk and maximising operational uptime.  If operators are to satisfy ever increasing customer expectations, they must not neglect physical security or make it an ineffectual afterthought.  One thing we can be sure of is that security demands will continue to evolve along with changes in how we live and conduct business.