Physical security for modern day data centres
Demand for data centre services is growing rapidly, driven by the insatiable consumer appetite for smart devices, combined with a trend towards business migration to cloud services and outsourced data management.
To manage increased capacity demands, organisations will consider building a new facility or renting wholesale data centre space.
According to research firm, Frost and Sullivan, the Australian data centre services market is forecast to grow at a compound annual growth rate of 13.7 percent between 2015 and 2020. In 2014, data centre services’ revenue in Australia reached $826 million, a growth rate of 18.3 percent over 2013, the firm says.
With this growth, and the role data availability plays in making critical business decisions in Australia, effective physical security measures that protect the data centre are increasing in importance.
Human error and system failures caused nearly two-thirds of data breaches globally in 2012, while malicious or criminal attacks cost an average of US$157 per compromised record. In 2014, the average total cost to a company was US$3.5 million, up 15 percent from the cost of data breaches last year.
In addition to customer dissatisfaction, the cost of unprotected data includes business disruption, damage to brand reputation, and fines and penalties levied for non-compliance to security regulations.
The three rings of physical security
Facilities today face unique challenges to ensure the security of both physical and digital assets. Whether a data centre supports a single client or provides hosted services for thousands, managers are responsible for the sensitive information on which their users or customers rely to conduct their business.
The objective of physical security, whether it be for a collocated facility or a stand-alone data centre, is to protect data from unauthorised personnel and to identify those who have been granted access. A well-designed system can be seen as three concentric circles moving from the facility’s perimeter in to the rack level.
No two facilities are the same and every opening is different. In this case ‘one size does not fit all’ – it is critical to remember that each space must be properly matched with the appropriate level of protection while keeping costs in line.
The first line of defence
Perimeter security controls access to the building. Basic components can include industrial and high security fencing, bollards, guard booths and entry barriers to create a formidable defence against unauthorised access.
Look for high-security steel fencing that offers excellent strength and an integrated rail design. The heavy steel construction and intimidating profile should act as visual deterrents against intrusion, causing a potential intruder to think twice about challenging the fence.
If an intruder decides to try to breach the perimeter, the fence design should delay the attempt, allowing the facility more time to respond. The latest generation of this fencing features bracketless design, heavier posts and redesigned rail that allows easier integration with intrusion detection systems, surveillance video and other monitoring devices.
Access to the room
Commercial grade doors, frames and hardware deliver life-safety protection at the room access point. But more than simply restricting access, they must be able to overcome poor weather, emergency egress and other challenges that pose life-safety threats to building occupants.
Wind debris missile impacts and drastic pressure fluctuations from powerful storms place incredible stress on doorways. Fires, power failures and other panic-inducing events can impede emergency exit visibility.
Organisations can protect against these hazards with doorways designed and tested to overcome extreme conditions. The latest door technologies use visual and audible alerts to overcome panic and confusion, and provide a clear pathway to safety.
Depending on the facility, each opening may need to be rated for the following hazards: climate control and storms; blast and ballistic; fire, radio frequency shielded; and sound transmission class (STC).
Another critical consideration in data centres is airflow. Interior openings that separate rooms within the data centre should be ventilated to ensure proper airflow and facilitate temperature maintenance. Many facilities also make use of speciality barriers to separate hot and cold aisles.
As more companies move into shared locations, the opportunities for unauthorised server access increase – whether the intrusion is accidental or malicious, the potential costs are very high. An additional layer of access control at the server cabinet door can reduce this risk.
“With this level of access control at the cabinets, by reducing the chance of outages caused by human error, the savings can be substantial.
This, of course, represents an added expense. However, cost-effective modern day locking systems utilising the latest wireless technology, like ASSA ABLOY Aperio products, make this additional layer of access control an affordable cost balanced against the cost of downtime and the risk mitigated by controlling access to cabinets.
With this level of access control at the cabinets, by reducing the chance of outages caused by human error, the savings can be substantial.
Even with the advantages provided by advanced technology, there is no single correct path to follow to design, install and maintain the physical security system protecting a data centre.
However, the following recommendations for creating and enforcing access control policies can be offered based on real-world experience from several data centre managers and consultants:
- Begin with a complete enterprise access control solution. Choose the platform at the head-end that will meet users’ needs now and in the future.
- If possible, utilise the latest technology, new approaches such as the Aperio Wireless Data Cabinet Locks, which are powered via PoE (Power-Over-Ethernet) and can result in significant cost savings and improved ROI. Rack-level security can save on floor space and the cost of pulling additional cable.
- Identify which assets you want to protect. Technology drives access control from the perimeter further into the facility. Users must decide how to install the system that best protects the most critical environments in the facility.
- Start with the question: who needs to go where? Identify which employees require access to sensitive data and the facility itself, and install technology that can track and monitor access – especially critical for compliance audits.
- Get buy-in at the top. Senior management must understand and support plans and policies. Their backing will be crucial whenever there is a high-level discussion about policies and procedures.
- Educate the entire team. The greatest risk to a data centre comes from the inside. Every individual working in the facility must understand the objectives of the system, so that access control is seen as a tool for increasing their productivity, not an impediment.
- Location, location, location. When selecting a site, choose a geographical location with minimal exposure from natural disasters and other environmental threats.
- Do an end-to-end analysis of the environment. Meet with stakeholders from IT, security and facilities to discuss each department’s challenges and requirements.
- Don’t skimp on power. Ensure the facility has enough power to be highly resilient and fault-tolerant.
- Design a system that complies with regulations, but also complements your business operations. A data centre that is completely walled off will not work if that design impacts the main purpose of the building.
- Identify the person who will manage the facility early in the process. Make him or her part of the team to ensure that they understand the long-term goals as well as the day-to-day procedures of the facility.
- Establish a policy for exceptions. Will your policy allow temporary access? With a card or a key? Things will change and a policy is needed to react quickly.
Regulatory compliance, an important requirement facing almost every industry today, is perhaps most critical in data centres, which house information that is literally irreplaceable for our business and personal lives.
Various regulations mandate data protection, but do not prescribe the path to achieve this goal. As a result, it is critical for IT and data centre professionals to have a thorough understanding of compliance requirements, so they can identify the best security solutions and policies for their organisations.
The author, Andrew Evans – ASSA ABLOY national sales manager, contributed regional insights and opinions to this article. This is an abridged version of a white paper by ASSA ABLOY titled: ‘Physical Security for Today’s Data Centres’.