A physical security checklist for your data centre

When IT executives talk about security, it often revolves around defence against cyber attacks using clever technology.  However, cyber security is just part of the equation; physical security - keeping the bad guys from physically accessing servers - is also essential. With businesses placing more and more operations outside of traditional IT into the data centre thanks to emerging trends like big data, the advent of the Internet of Things (IoT) and cloud, there is a real drive towards greater demands on the physical security of commercial Data Centres. The loss or compromise of a facility could have a disastrous economic impact or cause significant reputational damage as customers and trading partners could be affected by the inability to operate.

Physical security is put in place to withstand everything from corporate espionage, to terrorists, to natural disasters, to thieves trying to make a fast buck. Continuing service availability securely is paramount and anything that could affect it needs careful consideration. All precautions should be built into the data centre design with three simple goals: maintain 100 per cent uptime, keep unauthorised people out and ensure that the precious data housed inside is protected.

Ensuring 100 per cent uptime

Natural disasters are sadly becoming more frequent and there have been numerous well publicised examples where data centres have been compromised. Back in 2012, Hurricane Sandy affected connectivity in at least eight New York data centres with flooding destroying diesel pumps, stopping generators working and ultimately bringing data centres to a standstill causing mass disruption to people and businesses alike. Worryingly, research by Zenium Technology Partners last year revealed that one in two organisations are not operating a data centre environment that would withstand or continue to operate after a natural disaster.

To ensure the facilities maintain uptime should they come under attack from natural sources or otherwise, physical security is not only limited to the outside of the building. Data centres need utilities to be resilient and redundant so if one system fails, there is a backup. These include water, power, telephone lines and air filtration systems to ensure security systems, heating, ventilation and air conditioning continue to operate in case of an area-wide power outage.    

Controlling who gets in and out 

Entry to each data centre is tightly controlled with strict procedures in place to monitor and manage visitor access both into and within the data centre.  Not only is physical security to stop criminals getting in, it is also there to delay their chances of success.

Each facility has different types of physical security which can be determined by geographical location. For example, city centre data centres may have restrictions on exterior fencing and others may be housed in buildings that are used for other purposes.

In order to achieve gold standard security, there should be seven layers of physical security.

1. A physical barrier: A fence that is a minimum of three metres high (five metres in some places, depending on who or what is located next door)

2. Trembler wire: A wire on top of the fence that will set off an alarm if anyone kicks, climbs or jumps over it. The wire is zoned, so if the alarm is activated, it will notify security where the breach has taken place so they know where to divert their attention

3. Surveillance cameras:  CCTV around the perimeter of the building at all entrances and exits as well as at every access point throughout the building.  A combination of motion-detection devices, low-light cameras, pan-tilt-zoom cameras and standard fixed cameras is ideal.  Footage should be digitally recorded and stored offsite.

4. 24/7 security guards: Always have more than one guard – one to man the systems and one to do a regular walk around to check the perimeter and the rooms.

5. Vehicle trap: Access to the facility compound, usually a parking lot, needs to be strictly controlled either with a gated entry that can be opened remotely by reception.

6. Full authentication & access policy control:  To get inside, people should provide Government issued photo ID. Once approved, visitors should be given a formal ID card that allows them into the data centre depending on whether they are a customer or a visitor – one should be accompanied and the other not. The ID card should restrict access to their data hall to avoid footfall throughout the data centre

7. Biometrics: To get access to the buildings, data floors and individual areas biometrics should be used as a form of identification to ensure secure, single-person entry. [You may remember the movie Mission Impossible when Tom Cruise removes someone’s eye to gain access via a biometric scanner. It may be a dramatic scene in the movie, but physical security is not so easily defeated. For example, if palm scanners are used, then access can’t be gained by chopping someone’s hand off because there has to be a pulse]

In addition to the provider’s own physical security, some data centres allow customers to tailor their own solution within the facility. This provides further enhanced levels of security as required.  For example, they may install private cages, further man traps or more biometric entry systems.

Maintaining top levels of physical security

No matter how simple or complex the security system, it needs to be tested regularly to ensure it works as expected.  Most data centres have some level of compliance and certification such as Uptime Institute, Tier III and ISO27001. These kinds of accreditations need to be maintained every three to five years with surveillance visits by an external auditor required annually to ensure continued compliance. The human element of security also needs to be considered so all staff should be regularly trained on processes.

Nearly all data has some value to someone else and the loss of data or systems shutting down has potentially very high costs associated. Data centre security is about minimising risk and maximising operational uptime. If operators are to satisfy ever increasing customer expectations, they must not neglect physical security or make it an ineffectual afterthought. One thing we can be sure of is that security demands will continue to evolve along with changes in how we live and conduct business.

Darren began his career as a Military Officer in the RAF before moving into the commercial sector.  He bring to VIRTUS [www.virtusdatacentres.com] over 20 years experience in telecommunications and managed services gained at BT, MFS Worldcom, Level3 Communications, Attenda, COLT and euNetworks.