Data centres – unassuming buildings with little or no signage; intentionally nondescript so the public cannot guess what is inside.
The assets protected inside are not tangible, but they could be highly confidential personal or professional information or even secret encrypted keys that form the basis of communications between websites and end-users.
The security model of a typical data centre in some ways resembles an onion – with each inner layer harder to access than the outer one preceding it.
The facility itself contains layers: the perimeter, the building itself, the data centre and the cabinet. Likewise, the security should have layers, offering at each part of the facility multiple security features including barriers, badges, biometrics and video surveillance.
While physical security may not be the first thought in an environment of cloud computing and virtualisation, it should not be overlooked or underrated.
Controlling access to and within the building and servers is critical to overall data centre security.
By peeling away each layer within the building, the options available to help your customer and grow an integrator's data centre access control business becomes clear.
A data centre can be an enterprise operation – where one company’s data is stored and maintained – or a co-location (colo). Multiple companies rent space within the centre to store their data.
A high level of security is required for both, but the pain points for each differ slightly. Creating sones of protection depending on access needs will allow better control and prevent human error or negligent employees.
The perimeter: Perimeter security is the first line of protection to detect, deter and delay. Fencing, a vehicle gate, exterior turnstile for foot traffic, and video surveillance should all be integral parts.
The integration of motion detection and video content analytics gives a facility the ability to detect objects, determine the number of people in a space and even vehicle license plate recognition.
In the case of an enterprise location, there are more options for limiting the traffic to the exterior of the building.
At the same time, a co-location, by its very nature, will have more traffic to the building as personnel from multiple companies will require access.
Visitor management: Access points into the building should be limited while exit egress remains free.
A bonus is there are only two entrances to secure, the main entrance and a loading dock area. Many data centres make doors required for exit by fire codes with no handles on the outside.
Layers of security at the front should allow people entering the building to authenticate themselves a minimum of three times.
The outer door to the building would be a badge-in door with a busser or intercom system for guests. Guests should receive badges tied to the access control system for tracking. In a colocation facility, security revolving doors with anti-piggybacking and anti-tailing sensor systems can be used as part of the building entrance.
In every case, three-factor authentication is the best possible scenario – something you have, something you know and something you are.
The access control system should allow for pictures with badges and integration with video surveillance and have options for biometric authentication. An IP-based solution allows the system to take advantage of current and future technology requirements.
High security is not just a matter of checking whether a user has the authorisation to enter sensitive or restricted areas in a secure facility.
The highest degree of separation and access must be achieved. The key here is control. They were allowing access to only those who need it and, in the case of co-location, segmenting the rooms as much as possible.
The data centre itself: The data centre portion, or computer room, of the building, typically has the highest security. Anti-piggybacking is a must. Options include security revolvers (revolving door) and personal interlocks tied into the building's access control system.
A security revolver may be equipped with a contact mat, scales (sensors to detect and prevent tailgating and piggybacking), or internal monitoring.
Options include rotating units with an emergency exit function or a night closure. Reinforced bullet resistant models are also available.
Access through a security revolver should begin with either card or biometric authentication. Once again, card, pin and biometrics will offer the highest level of security. A high-level sensor system in the unit will stop piggybacking and tailgating.
A personal interlock or “mantrap” works to prevent tailgating and to piggyback by only allowing one person through at a time. Upon authentication, the outer door opens, and the user steps into the unit. Once the door closes behind them, the interior door will open, granting access to the data centre floor.
The department works with bodyweight, sensors or an additional checkpoint for identification in the middle of the interlock. Depending on the requirements, the interlock may be equipped with sensors, contact mats, scales or internal monitoring.
Additional options include bullet-resistant designs and the ability to authenticate via biometrics from within the interlock.
After passing through these layers of security, an authorised user finally enters the room where it happens. This is the actual data centre, where the servers and critical IT equipment is located.
Once in the room – especially in cases of co-location – securing the racks or cabinets themselves is a must. Providing badged access to the stands with an audit trail of who accessed, when, and for how long is critical to maintaining the security chain.
An often-overlooked layer in the security plan – cabinet control – offers an excellent opportunity for systems integrators to upsell. Many current systems have mechanical solutions. As an extension of the access control system, the racks can be secured individually or using an elevator control system for a bank of servers.
While data centre security is complex, understanding the type of location you are working with and the options for each layer of protection offers a new and exciting business opportunity for the smart systems integrator.
What is Data Center Security?
A data centre is a place where information is stored, typically on servers. It can be located on-site, at another location, or managed by a third-party vendor. Regardless of where the data centre is located, security protocols must be in place to prevent breaches.
Since data centres contain all the information that pertains to the business, it’s often the target of hackers. To prevent cybersecurity breaches, controls that limit access to the data centre are used. These controls not only restrict access to the data centre’s physical location but also to all devices.
Datacenter security best practices include everything the business puts to handle access, from tangible items to the controls that manage them. However, before a company can start restricting data centre access and implement the appropriate authorities, a risk assessment should be conducted.
A risk assessment is a handy tool that helps businesses stay in compliance with cybersecurity regulations. It will also help companies identify potential and immediate threats to the data centre. Some examples of common data centre threats include,
- Denial of Services (DoS) attack
- Confidential/Protected information is breached
- Identify theft
- Theft or altering data
- Unauthorised access and use of network/system resources
Not only will a risk assessment identify threats, but it will also spot vulnerabilities that hackers could exploit. Some common weaknesses in data centre security often include,
- Software and security protocols improperly implemented
- Preliminary testing of systems, applications, software, etc.
- Inaccurate configuration of data systems
- Flawed cybersecurity design
- Lack of adequate physical/environment access controls
- Lack of redundancy for critical systems
There are various types of access controls businesses can implement to reduce cybersecurity threats. Knowing what the weaknesses are will make it easier to know which controls are needed.
Data Center Access Controls Best Practices
Before companies start implementing access controls, it’s necessary to consider the data centre tier. This is the classification of a company based on the amount of information they handle. Tier 3 and 4 businesses are typically more extensive and more complex. They have more redundant infrastructure than smaller companies. This means higher tier organisations require sophisticated cybersecurity practices for managing and protecting their data.
Even though the amount of cybersecurity needed will vary depending on the size of the data centre, some access controls apply to all businesses regardless of their size.
Layered Cybersecurity Measures
It is vital that all aspects of data centre security work smoothly together and with other elements. This will provide a layered system that is more difficult for hackers to breach. Layered security means that hackers must break through several layers before they’re able to access any information. Even if one layer is ineffective at stopping a hacker, there are still others that will likely be able to prevent the potential breach.
Having an access list of everyone authorised to handle data should be automatic. This applies to all businesses, even those that use a third-party data centre. Even at a third party location, not everyone needs access to the data to perform their jobs.
All businesses should operate under the “zero trust” cybersecurity philosophy. “Zero trust” is precisely what its name implies. Everything that pertains to non-public protected information (NPPI) should be viewed as “suspicious”. This includes all data transactions and movements.
The access lists should be constantly updated. Employees frequently change. By keeping these lists updated, companies can prevent breaches and mistakes by employees that aren’t authorised to handle NPPI.
More companies realise the value of video surveillance. Being able to monitor the data centre constantly will prevent some unauthorised access and identify others. Closed-circuit television cameras (CCTVs) should be placed where all exterior and interior access points are covered. The cameras should come with zoom, tilt, and pan. Footage should be digitally backed up and archived.
Secure Access Points
Locked doors and surveillance cameras are not enough to fully secure all data centre access points. Fully locking gates over access doors when the data centre is deserted is an option. However, there can still be security problems during business hours.
Human-crewed security stations will prevent unauthorised access, along with security entry points that make it impossible for an authorised employee to pass their credentials back to someone else. While these security measures will cost money, they are essential practices that every data centre should consider adopting.
This access control generally only applies to tier 3 and 4 companies that often have large, off-site data centres. Along with management at all entry/exit points and on the data centre floor, companies must employ on-site staffed security. Data centres with routine security patrols typically report fewer breaches that were the result of human error – accidental, unauthorised access.
Radio-frequency identification (RFID) is a technology that allows digital data to be encoded with tags. These tags or i.d. labels make it easier for data centres to track and manage their assets in real-time. RFID labels can also be designed to send alerts when the instant data is moved or altered. This allows data centre employees to respond to any perceived threat immediately.
Employee Background Checks
Data centres can be busy places, especially if it’s managing the information for an upper-tier company. Along with the regular employees, companies often hire third-party contractors that also have to be vetted. Background checks help prevent unauthorised access to data, but it also gives consumers confidence that the company can be trusted with their information.
Implement Exit Protocols
Employees will leave the company, and others will see the scope of the jobs change. When this happens, businesses must have an exit plan in place to ensure data remains secure. Exit protocols should include collecting employee keys, updating data centre access lists, and deleting any biometric information about that person. The goal is to keep data secure after access has been removed or changed.
Require Multi-Factor Authentication
The “zero trusts” policy that companies should already be following includes requiring multi-factor identification for data centre access. When it comes to data centre security best practices, this is one of the most critical access controls. Strong passwords can be broken, even if they’re changed regularly. They required authorised users to provide additional i.d often with an employee badge, fingerprint, or even using facial recognition software.
Keep Access Lists Up to Date
Datacenter access policies identify who is authorised to enter certain facility areas and handle equipment that stores valuable data and applications. When a company colocates assets with a data centre, it must provide an access list that lays out which people can be admitted to work with its servers and other hardware. These lists may also include third-party vendors, such as managed service providers (MSPs) who handle certain IT functions on a contractual basis. Access should be restricted to as few people as possible to mitigate security vulnerabilities and the potential for human error.
It’s also imperative to update these lists regularly. As people change positions within an organisation, their need for access can change along with it. More importantly, when employees leave the company or third-party vendors are replaced, they could present a severe security risk if they’re not removed from the access list. Companies need to monitor their access lists to make sure that they accurately reflect which people have legitimate reasons for accessing colocated assets.
Implement Multi-Factor Authentication
One of the core tenants of data centre security standards is multi-factor authentication. These systems require visitors to provide more than one form of credential to verify their identity and need for access. Simply providing credentials like an ID badge or a password should not be sufficient for gaining access to crucial IT assets. The more forms of authorisation are required, the more difficult it will be for someone to falsify their identity or justify their need for access.
Many data centres use biometric security access as a core element of multi-factor systems. Biological identifiers like retina scans, fingerprints, and voice patterns are much more difficult to forge or steal than things like critical fobs or magnetic card keys. Even so, biometric security access should only be one aspect of multi-factor authentication. Anyone trying to gain access to colocated assets in a data centre should also need to provide additional verification, which could include a photo ID, a password, or even a work order that explains why they need access.
Adopt a “Zero Trust” Philosophy
Any access control system in a data centre must balance convenience against security. While an organisation may want to have its personnel breeze through the front door and walk right into the server room, colocation facilities are responsible for ensuring the safety of every customer’s assets. When someone enters the data centre, systems need to be in place to prevent them from accessing areas they have no business in.
A “zero trust” approach to security brings the “trust, but verify” philosophy of network security into the realm of physical security systems. Every access point within a data centre should require authorisation, and in many cases, visitors should be escorted through the facility by data centre personnel. This ensures that no one will present credentials a single time and then go wherever they want to go within the facility.
Use Interlock Checkpoints
A core physical security measure, personal interlocks (commonly known as “mantraps”), prevent unauthorised visitors from slipping through access points by “tailgating” or “piggybacking” behind someone with credentials. The system functions like an airlock, with an outer door and inner door that only allows one person through an access point at one time. Since each visitor is isolated and the outer and inner doors cannot be open simultaneously, no one can pass their credentials back to another visitor.
Personal interlock mantras can be monitored in several ways. Some use video cameras or an on-site security station. Still, others incorporate contact sensors that measure body weight or use biometric security access that requires authentication inside the mantrap.