Bonus Online Exclusive: Data Center Uses Biometrics to Solve Access Control, Compliance Issues
When ScaleMatrix opened its 50,000 sq. ft. San Diego co-location and cloud data center in August 2011, it included cutting-edge extras like custom rack enclosures with cabinet-level fire suppression and electrical protection, which shield customers from service interruptions due to accidental emergency power-off or incidents elsewhere in the data center.
That customization of technologies extends to access control, as the facility has deployed a networked, fingerprint-biometric access control system that extends all the way from the front door to individual cabinet enclosures.
Co-location facilities compete fiercely, and demonstrating the physical security strengths of facilities is paramount. ScaleMatrix CEO and data center industry veteran Mark Ortenzi wanted to promote his as “the most secure data center in Southern California.” However, multi-layered security would be the only way to back that claim.
Security Starts at the Perimeter
The ScaleMatrix facility’s perimeter and parking lot are secured in two important ways. First, surveillance is provided by an advanced MOBOTIX digital video security system that includes CCTV cameras with motion sensors, 180-degree vision, facial tracking and recognition software that captures and records detailed imagery of every person who enters the facility. Second, the ScaleMatrix facility is patrolled and monitored by armed security personnel, which augments the surveillance system by safeguarding against forcible entry. “We’re the only facility of our type in San Diego that employs highly trained, armed guards,” Ortenzi says. “This is the last data center the bad guys should even approach with criminal intentions.”
Physical entry into the facility is secured by Digitus Biometrics’ wall-mount, fingerprint-recognition access control units. All client personnel who are authorized to enter the facility are enrolled into the biometric system in a process that stores a biometric fingerprint template – but not the person’s actual fingerprint – in a database. To enter the facility, an authorized person punches in a PIN and places an enrolled finger on the biometric reader, which then opens an electromechanical lock if the fingerprint matches the stored template. There are no keys or proximity cards to get lost, stolen or separated from authorized users.
Taking Biometrics to the Cabinet Level
With the combination of digital video surveillance, armed security patrols and biometric access control at all facility doors, it is virtually impossible for any unauthorized person to gain access to the facility. “That’s extremely important,” Ortenzi says, “but you still have to be concerned with controlling what an authorized person can access after entering the data center.”
In a co-location facility, as in any data center, it is rare that anyone with authorized access has an actual need to access all server cabinets. Just as data center operators go to great lengths to limit access to files and applications to only those individuals who actually need them, thorough physical security calls for ensuring that only authorized personnel have access to physical assets that pertain to them. “When physical access control stops at the front door, a person who has legitimate access can become a problem insider,” Ortenzi says. “When server cabinets are unsecured, all it takes is a thumb drive for data security to be compromised.”
Initial design requirements were geared toward making sure that could not happen. Every server cabinet in the ScaleMatrix facility is biometrically protected. After entering the facility with a fingerprint scan, each authorized user must complete an additional fingerprint scan to open a server cabinet, which restricts co-location customers’ access to only those cabinets containing their specific assets.
In addition to giving ScaleMatrix the ability to demonstrate the highest level of protection to its customers, the system proved useful in satisfying another important group that matters greatly to those customers: regulatory auditors.
The Physical Security Side of Regulatory Compliance
When we think of compliance with various data privacy rules and regulations – PCI DSS, HIPAA, FISMA, etc. – what generally comes to mind is the need to secure data networks against unauthorized access. However, data privacy directives invariably focus on physical security as well as network security, and consider the protection of physical assets to be as important as protecting the data stored or processed in those assets. PCI DSS Requirements 9 and 9.1; HIPAA Title II, Physical Safeguards; and FISMA (FIPS 200 Section 3) all speak explicitly to the requirement to limit physical access to hardware systems that contain cardholder data, health records or classified information, respectively.
With the biometric system providing a single, indisputable audit trail from the front door to every cabinet door, ScaleMatrix and its customers can demonstrate to compliance auditors that physical access to hardware containing sensitive data is completely limited to authorized personnel, and that should a breach occur, the audit trail will show conclusively which individuals accessed any cabinet in question, and at what time. “By delivering a precise audit trail all the way to the rack level, with one package to control it all, we know who’s coming, who’s going, exactly when, at every access point,” Ortenzi says. “The compliance advantage is always recognized immediately by compliance officers and personnel whose jobs make them sensitive to the importance of regulatory issues.”
Because the system is IP-networked, ScaleMatrix is able to extend access and audit trail reporting to customer security personnel, wherever they are located. “Any customer who wants to know who has been in his cabinet can pull up a report immediately on any timeframe,” Ortenzi says. “Most data center operators would prefer not to be in the business of producing access reports, and we’re not – we put it right in the customer’s hands.”
To ScaleMatrix, that’s what security at the co-location and cloud facility is all about. “It’s one thing for a customer to be told that the facility has top-notch security,” Ortenzi says. “Real security comes from knowing firsthand what’s going on — by having meaningful, real-time visibility themselves into a facility that’s separate from their company. That’s security in the old ‘peace of mind’ sense.”