Three-pronged approach to data centre security
Facilities today face unique challenges to ensure the security of both physical and digital assets. Whether a data centre supports a single client or provides hosted services for thousands, managers are responsible for the sensitive information their users or customers rely on to conduct their business. “Many companies are seeking hosted services, which have strict physical security and auditing requirements. Operators of these types of centres must decide how to install the system that best protects the most critical environments in the facility, as well as meeting the requirements of their hosted customers,” says business development manager – Wireless Access Control at ASSA ABLOY, David Ward.
No two facilities are the same and every opening is different. In this case, ‘One size does not fit all’ – it is critical to remember that each space must be properly configured with the appropriate level of protection while keeping costs in line.
The first line of defence
Perimeter security controls access to the building. Basic components can include industrial and high security fencing, bollards, guard booths and entry barriers to create a formidable defence against unauthorised access. Look for high-security steel fencing that offers excellent strength and an integrated rail design. The heavy steel construction and intimidating profile should act as visual deterrents against intrusion, causing a potential intruder to think twice about challenging the fence. If an intruder decides to try and breach the perimeter, the fence design should delay the attempt, allowing the facility more time to respond. The latest generation of this fencing features bracket-less design, heavier posts and redesigned rails, which allow easier integration with intrusion detection systems, surveillance video and other monitoring devices.
Access to the room
Commercial-grade doors, frames and hardware deliver life-safety protection at the room access point. But more than simply restricting access, they must also withstand forces of nature (bushfires, floods and storms, for example), allow emergency egress and meet other challenges that pose life-safety threats to building occupants. Wind-borne debris missile impacts and drastic pressure fluctuations from powerful storms place incredible stress on doorways.
Fires, power failures and other panic-inducing events can impede emergency exit visibility. You can protect against these hazards with doorways designed and tested to overcome extreme conditions. The latest door technologies use visual and audible alerts to overcome panic and confusion, and provide a clear pathway to safety.
Depending on your facility, each opening may need to be rated for the following hazards:
- climate control, windstorms and hurricanes (exterior openings)
- blast and ballistic
- radio frequency (RF) shielded, and
- sound transmission class (STC).
Another critical consideration in data centres is airflow. Interior openings that separate rooms within the data centre should be ventilated to ensure proper airflow and facilitate temperature maintenance. Many facilities also make use of custom barriers to separate hot and cold aisles.
As more companies move into shared locations, the opportunities for unauthorised server access increase; whether the intrusion is accidental or malicious, the potential costs are very high. An additional layer of access control at the server cabinet door can reduce this risk.
This, of course, represents an added expense. However, the increased cost of adding another layer of access control to server racks can be balanced against the cost of downtime and the risk mitigated by the access control. Human error accounts for 24 percent of unplanned outages, costing an average of half a million dollars each time. If an access control system can reduce the chance of outages caused by human error, the savings can be substantial.
Locking systems on the market today provide benefits that far outweigh the cost of installation. The number of servers that can be served by access control will only increase as the cost to secure the door of the server cabinet is brought down with innovative products.
Advice from the experts: best practices
Even with the advantages provided by advanced technology, there is no single correct path to follow to design, install and maintain the physical security system protecting your data centre. However, the following recommendations for creating and enforcing access control policies can be offered based on real-world experience from several data centre managers and consultants.
Begin with a complete enterprise access control solution. Choose the platform at the head-end (for both software and physical implementation) that will meet users’ needs now and in the future.
If possible, use the latest technology. “New approaches, such as the Aperio Wireless Data Cabinet Locks, which are powered via PoE (Power over Ethernet), can result in significant cost savings and improved returns on investment (ROI),” says Ward. This type of rack-level security can save on floor space and the cost of pulling additional cables.
Identify which assets you want to protect. Technology is driving access control from the perimeter further into the facility.
Start with the question, ‘Who needs to go where?’ Identify which employees require access to sensitive data and the facility itself, and install technology that can track and monitor access – this is especially critical for compliance audits.
Get buy-in from the top. Senior management must understand and support your plans and policies. Their backing will be crucial whenever there is a high-level discussion about policies and procedures.
Educate the entire team. The greatest risk to your data centre comes from the inside. Every individual working in the facility must understand the objectives of the system, so that access control is seen as a tool for increasing their productivity, not an impediment. The level of commitment to training reflects your acceptance of risk. The more you put into it, the less risk you face in the future.
Do an end-to-end analysis of the environment. Meet with stakeholders from IT, Security and Facilities to discuss each department’s challenges and requirements. If possible, hire an outside expert to help you audit the entire system, from the street to the plug in the back of the server, in order to identify potential problem areas.
Don’t skimp on power. Ensure your facility has enough power to be highly resilient and fault tolerant. Design redundancy into everything from transfer stations to uninterruptible power supplies to ensure power is there when you need it.
Design a system that complies with regulations, but also complements your business operations. A data centre that is completely walled off will not work if that design has an impact upon the main purpose of your building, whether it is manufacturing, sales or customer service.
Identify the person who will manage the facility early in the process. Make him or her part of the team, to ensure that they understand the long-term goals as well as the day-to-day procedures of the facility. Will that person report to IT, Security, Facilities or some other department? Make that decision early and share it with all stakeholders.
Establish a policy for exceptions, as they will happen. “People change jobs, new hires come on board, so does your policy allow temporary access? With a card or a key? Things will change and you need a policy in place so you are ready to react quickly,” concludes Ward.
This is an abridged version of a white paper by ASSA ABLOY titled: ‘Physical Security for Today’s Data Centres’. David Ward, ASSA ABLOY Australia, business development manager – Wireless Access Control, contributed regional insights and opinions to this article.