Data center security is a serious undertaking, and while much of the conversation about protecting servers focuses on repelling digital attacks, today’s mission-critical facilities require state-of-the-art protection against physical human intruders as well. A malicious outsider may be able to steal more information by walking into a data center’s server room with a flash drive than by hacking into the system. Similarly, one attacker could hypothetically destroy as much data as any virus, or thieves looking for valuable server hardware could cause widespread outages, as in a 2011 data center robbery at British telecom provider Vodafone. In one period from 2005 to 2007, one Chicago data center operated by C I Host was hit by at least four robberies, according to The Register.
As a result of such threats, data centers need solutions to strictly control access to server rooms and colocation cabinets. Fortunately, most mission-critical facilities have anticipated these dangers even if they haven't encountered them, and a set of physical security best practices exists among industry leaders. A layered physical security approach that incorporates features such as turnstiles and mantraps is the most effective way to keep intruders out. By checking visitors multiple times using a variety of methods, data center operators can weed out human threats.
[Image caption: Most data centers have security guards – this one is taking extra precautions.]
Limiting Outside Entry
The first point of contact between a visitor and the data center should occur before the visitor is even inside the building. Ideally, the building grounds will have vehicle access controlled by retractable barriers, senior editor Sarah Scalet noted in a data center security guide for CSO magazine. Additionally, the use of planters or fences around the actual building can prevent intruders from getting too close.
There should also be a limited number of entry points to the building to control outsider access, Scalet noted. Not only does limiting entry to just a loading dock and a main entrance prevent attackers from coming in through a side door, it can cut the staffing costs needed to secure the facility. While fire doors are mandatory for safety reasons, they should be exit only, with the opening hardware on the inside of the building and nothing to grip from outside.
Visitors should have to check in or announce themselves at the outer door, Scalet explained. At the same time, while security is important, data center operators shouldn't forget that legitimate visitors still need a way to request entry, so the outer door needs a buzzer or similar call point to get in.
In a secure facility, visitors should have to check in at the door with a security guard. In a column for TechRepublic, journalist Michael Kassner explained the screening process he encountered during one recent visit he made to a mission-critical data center.
“The guard asked me for two forms of ID, which I was told I would get back when I left,” Kassner wrote. “My driver’s license and credit card worked. I had to turn over my phone and any other electronics I had with me, so there went my idea of taking pictures. I was then issued a guest pass card (RFID) specific to me.”
Turnstiles, Mantraps and More
Ideally, a data center should have at least three layers of authentication for anyone entering its highest-security area. In addition to an outside door and an inside check-in, the other checks can include floor-to-ceiling turnstiles and mantraps, which are used not only to verify the identity of the people entering but also to prevent an unauthorized visitor from following an authorized visitor in.
Visitors generally use an RFID pass card or some type of biometric scanner to enter a turnstile or mantrap. While the turnstile is fairly straightforward, mantraps are more involved. A solution dating back to the Middle Ages, according to TechTarget, a mantrap consists of an airlock or vestibule with two doors. After the visitor uses credentials to open the first door, it closes behind them, and they must present credentials again to open the second door; the second door will not unlock while the first is still open.
Not only does this provide a physical barrier to more than one person entering at a time, the most sophisticated solutions use weight detection as well. An abnormally high weight that signals two people in the vestibule causes the mantrap to lock. These solutions can be highly sensitive and tailored to the visitor: Kassner described being handed a box by his friend when he entered the data center. When he exited without the box, the mantrap detected the difference in weight and confined him. This has the secondary benefit of detecting whether someone is leaving with more than they came in with, or vice versa, helping to limit the possibility of theft.
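The interlock and weight checks described above can be modelled as a small state machine. The following is an added example written for this page, not code from the article or from any mantrap vendor: it assumes two doors named "outer" and "inner", a floor scale read while the occupant is sealed in, a constructed single-occupant weight limit, a constructed tolerance between entry and exit weight, and constructed badge identifiers and weights. The scenario at the end walks through Kassner's anecdote with made-up numbers.

```python
# Added example: mantrap interlock controller with badge checks at both
# doors and a weight check while the occupant is sealed inside.
# Door names, limits, badge ids and weights below are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Mantrap:
    authorized: set[str]            # badges allowed through this vestibule
    tolerance_kg: float = 2.0       # assumed drift allowed between entry and exit weight
    max_single_kg: float = 150.0    # assumed: heavier than this means two people
    occupant: str | None = None     # badge of whoever is currently in the vestibule
    direction: str | None = None    # "in" (outer -> inner) or "out" (inner -> outer)
    sealed: bool = False            # first door shut and scale read; second door may unlock
    doors: dict = field(default_factory=lambda: {"outer": False, "inner": False})
    entry_weight: dict = field(default_factory=dict)  # badge -> weight when it last went in
    locked_down: bool = False
    events: list = field(default_factory=list)

    def _deny(self, why):
        self.events.append(("deny", why))
        return False

    def _lockdown(self, why):
        # Both doors stay locked with the occupant inside; a guard must release it.
        self.locked_down = True
        self.doors = {"outer": False, "inner": False}
        self.events.append(("lockdown", why))
        return False

    def badge_first_door(self, door, badge):
        """Credential presented to open the first door: 'outer' when coming in
        from the public side, 'inner' when leaving the secure side."""
        if self.locked_down:
            return self._deny("vestibule is locked down")
        if self.occupant is not None or any(self.doors.values()):
            return self._deny("vestibule occupied or a door is open")  # interlock
        if badge not in self.authorized:
            return self._deny(f"unknown badge {badge}")
        self.occupant = badge
        self.direction = "in" if door == "outer" else "out"
        self.doors[door] = True
        self.events.append(("open", door, badge))
        return True

    def first_door_closed(self, scale_kg):
        """The first door has shut; the scale is read before anything unlocks."""
        if self.occupant is None:
            return self._deny("no passage in progress")
        first = "outer" if self.direction == "in" else "inner"
        self.doors[first] = False
        if scale_kg > self.max_single_kg:
            return self._lockdown(f"{scale_kg} kg: more than one person in the vestibule")
        if self.direction == "out":
            baseline = self.entry_weight.get(self.occupant)
            if baseline is not None and abs(scale_kg - baseline) > self.tolerance_kg:
                return self._lockdown(
                    f"{self.occupant} weighed {baseline} kg on entry, {scale_kg} kg on exit")
        else:
            self.entry_weight[self.occupant] = scale_kg
        self.sealed = True
        return True

    def badge_second_door(self, badge):
        """Credential presented again to open the second door; must be the same badge."""
        if self.locked_down or not self.sealed:
            return self._deny("second door stays locked")
        if badge != self.occupant:
            return self._deny("badge does not match the person who entered the vestibule")
        second = "inner" if self.direction == "in" else "outer"
        self.doors[second] = True
        self.events.append(("open", second, badge))
        return True

    def second_door_closed(self):
        """Passage complete: the vestibule is empty and ready for the next person."""
        self.doors = {"outer": False, "inner": False}
        self.occupant = self.direction = None
        self.sealed = False
        return True


def kassner_scenario():
    """Constructed walkthrough of the anecdote: a visitor enters carrying a
    box, then tries to leave without it and is confined."""
    trap = Mantrap(authorized={"guest-17"})
    trap.badge_first_door("outer", "guest-17")
    trap.first_door_closed(scale_kg=84.0)        # visitor plus box (constructed weight)
    trap.badge_second_door("guest-17")
    trap.second_door_closed()
    trap.badge_first_door("inner", "guest-17")   # heading back out
    confined = not trap.first_door_closed(scale_kg=79.0)  # box left on the secure side
    return confined, trap.locked_down, trap.doors


if __name__ == "__main__":
    print(kassner_scenario())
```

The interlock is the property that matters: no method ever opens a door while the other is open or while the vestibule is occupied, and the second door only unlocks after the scale has been read with the first door shut. A real controller would add a guard-release path and timeouts, which are left out here.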
Accessing The Server Rack
Beyond these controls limiting access to the server room, data centers should have a final layer of authentication at the server rack or cabinet level. Particularly in colocation centers where many clients might have access to the server floor, it’s essential that the actual server hardware be inaccessible except to those who are permitted to tinker with it. Locking the racks with a key or passcode is a good precaution, although some facilities may use biometric scanners instead.
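The three-layer entry sequence above and the tenant-scoped cabinet lock in this section together define an authorization policy that can be checked in code. The following is an added example for this page, not code from the article or from any access-control product. It assumes three named layers (perimeter, lobby, floor) with the rack lock as the final check, a constructed set of badges and racks, and one rule the article does not spell out: a badge is only admitted at a layer if the system last saw its holder in the layer immediately before it, the anti-passback rule found in commercial access-control systems, which is what turns "three layers" into a sequence rather than three independent locks.

```python
# Added example: layered zone authorization with per-tenant rack access and
# sequence enforcement. Layer names, badges, racks and the anti-passback rule
# are assumptions for illustration.
from __future__ import annotations
from dataclasses import dataclass, field

LAYERS = ["perimeter", "lobby", "floor"]   # assumed: vehicle gate, guard desk/mantrap, server floor
OUTSIDE = -1


@dataclass
class Badge:
    holder: str
    tenant: str                 # colocation customer the holder works for
    max_layer: str              # deepest layer this badge is cleared for
    location: int = OUTSIDE     # index of the layer the system last saw the holder in


@dataclass
class Facility:
    racks: dict                 # rack id -> owning tenant
    audit: list = field(default_factory=list)

    def _decide(self, badge, point, granted, why):
        self.audit.append((badge.holder, point, "grant" if granted else "deny", why))
        return granted

    def enter(self, badge, layer):
        """Badge presented at the reader guarding `layer`."""
        idx = LAYERS.index(layer)
        if idx > LAYERS.index(badge.max_layer):
            return self._decide(badge, layer, False, "badge not cleared for this layer")
        if badge.location != idx - 1:
            # A badge that never passed the previous layer was copied, lent out,
            # or its holder tailgated: deny, and the audit entry is the alert.
            return self._decide(badge, layer, False,
                                f"out of sequence: holder last seen at layer {badge.location}")
        badge.location = idx
        return self._decide(badge, layer, True, "credential valid and previous layer passed")

    def leave(self, badge, layer):
        """Badge-out at a layer; the holder is now in the layer outside it."""
        idx = LAYERS.index(layer)
        if badge.location != idx:
            return self._decide(badge, f"exit {layer}", False, "holder not recorded inside this layer")
        badge.location = idx - 1
        return self._decide(badge, f"exit {layer}", True, "exited")

    def open_rack(self, badge, rack):
        """Final lock: the cabinet opens only for a badge currently on the floor
        whose tenant owns that rack."""
        if badge.location != LAYERS.index("floor"):
            return self._decide(badge, rack, False, "holder not on the server floor")
        owner = self.racks.get(rack)
        if owner != badge.tenant:
            return self._decide(badge, rack, False, f"rack {rack} is not {badge.tenant}'s")
        return self._decide(badge, rack, True, "tenant matches rack owner")


def colocation_scenario():
    """Constructed walkthrough: a copied card used straight on the floor, a
    tenant engineer reaching her own cabinet but not a neighbour's, and a
    lobby-only visitor stopped at the floor door."""
    fac = Facility(racks={"R12": "acme", "R13": "globex"})
    alice = Badge("alice", "acme", max_layer="floor")
    bob = Badge("bob", "acme", max_layer="lobby")
    results = {}
    # Someone presents a copy of alice's card at the floor reader while she is still outside.
    results["clone_at_floor_first"] = fac.enter(alice, "floor")
    results["alice_path"] = [fac.enter(alice, "perimeter"), fac.enter(alice, "lobby"),
                             fac.enter(alice, "floor")]
    results["alice_own_rack"] = fac.open_rack(alice, "R12")
    results["alice_neighbour_rack"] = fac.open_rack(alice, "R13")
    results["alice_leaves_floor"] = fac.leave(alice, "floor")
    results["rack_after_leaving"] = fac.open_rack(alice, "R12")
    results["bob_path"] = [fac.enter(bob, "perimeter"), fac.enter(bob, "lobby"),
                           fac.enter(bob, "floor")]
    results["denials"] = [e for e in fac.audit if e[2] == "deny"]
    return results


if __name__ == "__main__":
    for event in colocation_scenario()["denials"]:
        print(event)
```

The point of keeping `location` on the badge record is that every grant at layer n is evidence that layers 0 to n-1 were passed by the same credential; a denial with "out of sequence" in the audit log is the signal that a card was cloned or someone tailgated through an earlier door, which is exactly what the outer layers exist to detect.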
Evaluating Data Center Security Based on Authentication Layers
When companies are building a new data center facility or evaluating a colocation space, layered physical security precautions should be part of their criteria. Without a reliable set of checks limiting access to the server room and cabinets, a business could easily find its sophisticated cybersecurity techniques rendered useless by a single physical attacker and its data stolen or destroyed. Therefore, such protection is critical from both a business and compliance standpoint.
A multi-layered approach incorporating the above precautions is a company’s best bet in securing its facilities. However, the data center decision will inevitably require a balancing act. While it might be nice to have multiple guards, mantraps and biometric scanners, physical security technology can be expensive, as can staffing costs. As with any security choice, companies may ultimately have to strike a balance between pragmatism and thoroughness. Regardless of the specific precautions implemented, however, a layered approach that incorporates at least some of the above techniques and requires at least three layers of authentication is essential for preventing data center intrusions. As cybersecurity continues to be an executive focus for companies looking to protect their data, physical data center security is not to be neglected, either.