Why the physical security of data matters
Why facilities managers need to know the basics of data protection on a physical plant level and how they can physically secure data is imparted by CARLO MINASSIAN, founder and CEO of earthwave.
Cloud computing has rapidly become the go-to IT option for businesses and government today. The massive cost savings of the cloud, which enables organisations to move their data and computing operations off premises, have become so attractive that there is a global race to slash IT budgets by transitioning to so-called cloud platforms. The US Government is reportedly saving US$5.5 billion every year with its ‘cloud-first’ approach, with a goal of saving up to US$12 billion annually soon.
What does this have to do with facilities management? Quite a bit, as it turns out.
CONSIDERING THE PHYSICAL REALITIES OF DATA STORAGE
Data and computing processes in general have always been hard to visualise in physical terms. The cloud makes this even trickier. After all, part of the allure of the cloud is the ‘out of sight, out of mind’ factor. Organisations retain seamless connection to their data, but don’t really need to worry about where it resides.
But, this is exactly the issue. Data is physical and so are computing processes and they need to reside somewhere. Unfortunately, decision-makers at all levels of business and government are often not pausing long enough to consider the physical realities of data storage. Instead, they are relying on the promises and often vague guidance of cloud providers as to their data’s security.
Given that every day brings another news story about a data breach or an important system going down at the hands of hackers, facilities managers need to know the basics of data protection on a physical plant level and need to be able to advocate for these basics when necessary.
The sad fact is that many data centres are insecure. Often, we imagine the threats to IT systems coming from outside, with hackers based thousands of miles away – often in their parents’ basements. This is a reality. But, the other reality is hacking by gaining physical access to data and IT that is vulnerable.
PHYSICAL DATA PROTECTION
Too many data centres present easy targets. Servers and other equipment may be found in locked cages, but if those servers are sitting in two post racks and not in cabinets, the cages lack roofs or are easy to get into from underneath the floor panels, they are vulnerable.
Does the data centre have windows? This is a bad idea. It’s better to have a windowless warehouse, rather than a bright and airy office in terms of data storage. Windows can shatter and do damage to sensitive equipment in the event of natural disasters or explosions; they can also allow unwanted surveillance of important processes. They make break-ins easier as well.
Ideally, not only will a data centre have concrete walls at least 30 centimetres thick, those walls will be reinforced with metal mesh or Kevlar. Redundant electrical feeds are required to keep the data centre online and it is important to make sure that all access points are secure and that there is comprehensive surveillance backed up by responsive human security.
These guidelines for the physical security of a larger, sole-purpose data centre matter for managers dealing with a range of facilities. In Australia, giant data centres, in other words places devoted solely to supplying cloud solutions to many organisations, are still not the norm. Smaller, on-site data centres are much more common, accounting for over 74 percent of the 500,000 square metres of total data centre space in Australia. In other words, many facilities managers need to contemplate how best to support and secure data centres that are part of a larger facility.
The same basic rules apply. For data to be genuinely secure, it needs to be physically secure. Facilities managers in these situations need to consider a range of questions, such as:
- is access to the data centre from a common hallway secure, limited and adequately alarmed
- is it impossible for anyone or anything to hide in the walls or ceilings
- is access limited, logged and monitored 24/7
- is an information management system in place and are all processes documented
- does the data centre or other vulnerable IT equipment have separate air-conditioning ducts, and
- if the walls are fortified (they should be), does that fortification extend into the floor and ceiling slabs?
These questions and the role of the facilities manager in data security may not seem urgent now, but given the likelihood that even with the cloud, on-site data and IT housing will remain with us, protecting that data and infrastructure with the right physical strategy will become even more important in the near future.