Securing the datacentre: Higher grade physical security

2016 is seeing a drive towards greater demands for security, but not just cyber security. Physical security is becoming more important than ever before as people realise how much of their business operations outside traditional IT functions are becoming dependent on the datacentre, whether it is IP-based phones, alarm systems or access controls.

Each DC has its own needs and goals usually made up of a combination of the following: flexibility, energy efficiency, power, security or redundancy. As a DC ages our needs definitely evolve and though no DC manager would admit it to ‘the powers that be’ sometimes we have to take a Heath Robinson approach to squeezing that bit extra out of our investment. There are some areas where that is hard to do and securing the datacentre is one of them.

Physical security is an area that we have seen steadily move up the priority list in recent years, where previously areas such as flood, fire and power contingency may have taken priority. In some ways this is because those features are just expected, but another reason is the volume of data and applications that a typical DC serves to its organisation.

The size of the DC is almost irrelevant, its what the DC does for the organisation and the type of data it holds or processes. And in recent years that may have changed a great deal, as the corporate hunger for data increases and the network takes on other tasks, such as alarm system, access control, continuous remote device usage and wi-fi becoming mission critical.

For those taking a much closer look at the security of their datacentre, it would be wise to get very familiar with the Loss Prevention Certification Board’s LPS1175 standard. The aim of this standard is to assess the physical resistance of security products when various types of unauthorised access tools are used against them. Depending on how a product performs it is given one of five different grades, according to the time and tools likely to be used by somebody wanting to subvert those products to get at whatever they are protecting. Essentially the standard provides a buyers guide that those designing a datacentre (or anything else that needs protecting) can use to ensure the selected products meet the level of protection they require.

For those that have not looked at LPS1175 for a while, or perhaps are coming to it for the first time, here is brief summary of the gradings most commonly encountered in datacentre design, whether modular or purpose-built design methodologies are being adopted.

It is very important to note that individual categories of products have specific requirements for each grade of the standard, specifying both the tools and time over which they are tested for maintaining security.

  • SR1 – Products in the category are broadly secure against an opportunist attack by bodily force using minimal tools (e.g. screwdriver, knife or pliers).
  • SR2 – Again an opportunist attack but with tools of a higher mechanical advantage (e.g. those listed in SR1 plus bolt cutters, claw hammer or a drill, for example).
  • SR3 – Attacks at this level are deliberate forced entry of protected premises using bodily force and a selection of attack options (e.g. SR2 tools plus axes, chisels, crowbars or blow torches of some kind).
  • SR4 – Forced entry at this level is by experienced individuals that have planned an attack with stronger, possibly powered tools, such as a felling axe, sledgehammer, steel wedges, disc grinder or jigsaw.
  • SR5 – Products at this level have to withstand serious attempts at forced entry with top end battery power tools used by fire and rescue teams (e.g. SR4 tools plus circular or reciprocating saws with specialist blades). SR5 is a significantly higher level of protection to SR4, covering specialist cutting tools.

The standard itself goes into a lot more detail than there is space to cover here, but those wanting to learn more should visit www.redbooklive.com. The Redbook Live is a website managed by the LPCB and contains a lot of useful information including listings of suppliers and products it has tested – making it an invaluable source for those specifying products to secure a datacentre.

The essential thing to remember when considering security, is the value and importance of what you are protecting. You are not just trying to stop criminals breaking in, you are trying to delay their chances of success so that security patrols or the police can arrive on site once alerted. In the same way that your software and hardware requirements evolve to meet the demands of user needs and the security threats that you may face, physical security must adapt to.

A small datacentre room that performed a trivial role, may suddenly contain servers, data, and other infrastructure that could bring your entire operation to a stand still if a breach occurs whether through criminality or an act of nature. The physical assessment of a room is as important as the way you assess and specify the hardware that sits in it.

I’ll leave you with this thought: You might keep the cash for your cleaner in a drawer at home, just tucked away somewhere out of the way, but you wouldn’t do the same with a year’s salary.

Chris Wellfair, Projects Director at Secure I.T. Environments

Image source: Shutterstock/Ralwel