This article originally appeared in the December 2020 issue of Security Business magazine. When sharing, don’t forget to mention @SecBusinessMag on Twitter and Security Business magazine on LinkedIn.
Enterprise organizations thrive on data – it is at the heart of virtually every operation involving customers, employees and vendors, financial records, and intellectual property. Heavily secured data centers house massive quantities of digital information, and the size and scope of these centers may vary, but every facility is mission critical. Unlike some corporate operations, data centers have no room for downtime.
Frequent news stories report on network breaches often involving millions of records containing detailed customer data; however, a physical breach resulting in damage or destruction of data and equipment could have an equal or more devastating, long-term impact.
Data centers may be owned and operated by a single organization, or they can serve as a co-location (shared) facility hosting data from many smaller companies. In either case, physical security must encase the entire location from the outdoor perimeter to the servers storing data. In addition, integrators must design, install and maintain plans need to stop threats ranging from ransomware hackers to corporate espionage and terrorism.
The level of security required for a data center is beyond what is necessary and affordable for less mission-critical sites; however, security is much more than hanging cameras and readers – it means preparing an integrated solution that protects people, property and other valuable assets.
Data centers fall into one of four internationally recognized tiers. Tiers one and two are often offsite data storage facilities not accessed on a real-time basis. A higher level of security is required for tier three and four locations that provide mission-critical services, often every minute of each day. Here is a look at the type of physical security needed for this latter group.
A Specialized Security Plan
Begin with a risk assessment, whether the equipment is installed into new construction or is an upgrade to existing devices. Identifying a location’s security strengths and weaknesses before making any purchases will help ensure the budget is spent wisely. It will also help guarantee that the final product meets internationally recognized standards, such as ISO27001, used to certify a center has implemented appropriate security controls. A thorough risk assessment may generate additional revenue opportunity for integrators.
The best place to stop intruders is before they access the property. Ten-foot high fencing provides a quality first barrier. Install fiber optic cable and motion detectors to spot climbers. By integrating the sensors with the video surveillance system, security officers can view alarm sites and take appropriate action. Keep the perimeter well lit, but also consider thermal cameras for low-light vision.
Provide employees with access control cards to open entry and exit gates at a parking lot or garage. Vendors and visitors should stop at a guard station, show ID and confirm they have an appointment with an authorized employee. All roadways entering the property should zig-zag to slow vehicles. Concrete bollards installed in front of entries further protect the facility from a vehicular attack.
Make multi-factor authentication the norm for employees beginning at outside building entries. That typically includes card and biometric readers. Personal identity verification (PIV) cards, including a chip with a biometric template, offer greater security. During the COVID-19 pandemic, a contactless iris biometric reader is unaffected by the wearing of facial masks or goggles.
Officer-monitored metal detectors at all entrances may prevent weapons from entering the facility. By making everyone exit through the same doors, the detectors can alarm if someone attempts to steal a hard drive.
Visitors require a separate lobby entrance. Greet guests at a lobby reception desk, where their government-issued IDs are swiped through a visitor management system to record the data before printing a temporary badge. From this point, authorized employees must escort visitors throughout their stay.
Moving through the Building
Require everyone moving between levels – ranging from the lobby to offices, the security operations center and the server room – to enter through two doors separated by mantraps. Use multi-factor authentication at each entry with only one person at a time allowed to pass to prevent tailgating. The unattended security these entries offer makes them worth the extra time and expense. Exiting a level requires the same process in reverse. Program the access control system to enable only those needed to enter the next level be permitted to do so.
Server rooms are the heart of the facility and require the highest level of protection. Ideally, they should be located deep inside the building without any exterior doors or windows. Include water, humidity, temperature and fire sensors ensuring the servers operate within tight environmental parameters. Also, consider laser beam barriers and vibration and touch sensors.
Reliable electronic locking systems, requiring two-factor authentication to open, are recommended for all server cabinets. Servers with the most sensitive information, such as credit card data, may require two different sets of credentials to access.
Guards should conduct daily walkthroughs to confirm all elements of the security system are operational. Bi-monthly audits of the SOC ensure equipment and employees are meeting expectations. Station security guards at the vehicle entry, lobby and the SOC, as well as one or two to regularly patrol the outdoor perimeter. Employees require written policies and procedures for admitting vendors, handling deliveries and emergency evacuations.
Ensure any evacuation routes, doors and fire escapes only allow people to exit the building. Prevent re-entry by removing any handles from outside doors and have an alarm sound when one of these doors opens. Select both interior and exterior muster sites, being aware they may change due to environmental conditions or a terrorist attack. The end-user should appoint a captain and assistant from each department to help oversee evacuations.
Do not forget to secure the HVAC system – ducts provide an entry and pathway into and through a facility. Also, do not overlook the need for redundant power systems. Install UPS and generators to keep the center operating at a minimal level to maintain servers in case of a blackout.
Add analytic software to the video surveillance system to scan for objects left behind. Although they may be harmless, they may contain explosives capable of interrupting center operations. Maintain all video and entry logs for at least 90 days.
When choosing security devices, aim beyond meeting today’s security needs. Look for scalable equipment using open standards for easy firmware and software updates to accommodate growth and other changes in a center’s operation.
Additional Revenue Sources for Integrators
According to some estimates, employees account for 60% of data center security threats – both inadvertent and malicious. Consider recommending to the end-user that they prohibit employee-owned devices, such as laptops and smartphones, in mission-critical areas.
Identifying and writing policies and procedures, disaster recovery plans and providing training are potential sources of integrator revenue. Training is vital due to the variety and complexity of security devices. If employees cannot consistently and correctly use the systems, they will become frustrated and more likely to cut corners. Train employees on security only to the level they need to complete their jobs.
Resiliency is essential for data centers that require 100% uptime. A disaster recovery plan will include who to notify, the immediate steps necessary to limit damage, along with information on available backup resources and facilities.
When something goes wrong with the security system, a center needs help quickly. A service-level agreement (SLA) provides a recurring source of revenue for integrators. An SLA should outline specific service response times for emergencies while also defining what constitutes an emergency – for example, an inoperable reader at the employee entry would qualify, but a broken reader at a conference room might not.
Integrators might also consider the idea of embedding staff members. Permanently assigning one or more members of the integrator’s staff to the data center may enable many potential security problems to be solved before they arise. Integrator staff members also may conduct daily walkthroughs and assist with other security functions, such as downloading and installing device software updates.
John Nemerofsky is chief operating officer of Kent, Ohio-based Sage Integration