Today, data centres house valuable data, including customer details and intellectual property, making physical security as important as IT security. The aim is simple: keep out the people you don’t want in your building, and if they do make it in, identify them as soon as possible and keep them contained. Physical security is in place to withstand everything from corporate espionage, to terrorists, to natural disasters, to thieves trying to make a fast buck. Maintaining service availability securely is paramount and anything that could affect it needs careful consideration. Specialist data centres are built from the ground up to maintain 100% uptime, keep unauthorized people out and ensure that the precious data housed inside is protected.
Ensuring 100% uptime
To ensure the facilities maintain uptime should they come under attack from natural sources or otherwise, physical security is not limited to the outside of the building. Data centres need utilities to be resilient and redundant so if one system fails, there is a backup. These include water, power, telephone lines and air filtration systems to ensure security systems, heating, ventilation and air conditioning continue to operate in case of an area-wide power outage.
To mitigate these threats, the level of detail that goes into the design of the data centre has no bounds. Everything is thought of, even ensuring that when fibre networks are installed, a pecker board is placed on top (a piece of very hard plastic that sends a vibration back up the JCB if the digger touches it when digging up a road – the driver then knows to stop digging because there’s something important underneath).
Once the data centre is built, the provider is vigilant about who gets in or out of the facility.
Controlling who gets in and out
Entry to each data centre is tightly controlled with strict procedures in place to monitor and manage visitor access both into and within the data centre. Physical security is there not only to stop criminals getting in, but also to delay their chances of success.
Each facility has different types of physical security which can be determined by geographical location. For example, city centre data centres may have restrictions on exterior fencing and others may be housed in buildings that are used for other purposes.
In order to achieve gold standard security, there should be seven layers of physical security:
- A physical barrier: A fence that is a minimum of three metres high (five metres in some places, depending on who or what is located next door).
- Trembler wire: A wire on top of the fence that will set off an alarm if anyone kicks, climbs or jumps over it. The wire is zoned, so if the alarm is activated, it will notify security where the breach has taken place so they know where to divert their attention.
- Surveillance cameras: CCTV around the perimeter of the building at all entrances and exits as well as at every access point throughout the building. A combination of motion-detection devices, low-light cameras, pan-tilt-zoom cameras and standard fixed cameras is ideal. Footage should be digitally recorded and stored offsite.
- 24/7 security guards: Always have more than one guard – one to man the systems and one to do a regular walk around to check the perimeter and the rooms.
- Vehicle trap: Access to the facility compound, usually a parking lot, needs to be strictly controlled with a gated entry that can be opened remotely by reception.
- Full authentication & access policy control: To get inside, people should provide government-issued photo ID. Once approved, visitors should be given a formal ID card that allows them into the data centre depending on whether they are a customer or a visitor – one should be accompanied and the other not. The ID card should restrict access to their data hall to avoid footfall throughout the data centre.
- Biometrics: To get access to the buildings, data floors and individual areas, biometrics should be used as a form of identification to ensure secure, single-person entry. You may remember the movie Mission Impossible when Tom Cruise removes someone’s eye to gain access via a biometric scanner. It may be a dramatic scene in the movie, but physical security is not so easily defeated. For example, if palm scanners are used, then access can’t be gained by chopping someone’s hand off because there has to be a pulse.
In addition to the provider’s own physical security, some data centres allow customers to tailor their own solution within the facility. This provides further enhanced levels of security as required. For example, they may install private cages, further man traps or more biometric entry systems.
Maintaining top levels of physical security
No matter how simple or complex the security system, it needs to be tested regularly to ensure it works as expected. Most data centres have some level of compliance and certification such as Uptime Institute, Tier III and ISO27001. These kinds of accreditations need to be maintained every three to five years with surveillance visits by an external auditor required annually to ensure continued compliance. The human element of security also needs to be considered so all staff should be regularly trained on processes.
There is no doubt that physical security demands will continue to evolve with changes in how we live and conduct business. Regulation will have a major role in determining requirements. For example, regulation for processing credit card data stipulates that video footage must be stored for 90 days rather than on a 24-hour loop. Data centre providers must ensure they are up to date and adhering to current regulatory standards if they are to satisfy ever-increasing customer expectations.