Many data centre managers claim to have the best IT infrastructure and software to protect their companies’ sensitive data from the attention of hackers. But what about securing the actual building?
Thefts from data centres are rare and only a couple of events, such as one in London in 2007 and in Chicago in late 2006, have reportedly occurred recently. But, this small number shouldn’t cause data centre managers to be complacent.
A basic alarm system, security gateman and simple video surveillance were commonplace in data centres ten years ago, but with more companies relying on these critical facilities to store sensitive information, such “simple” security measures are just not good enough.
Develop a policy
Data centre managers should establish a well-defined physical security policy that covers two fundamental considerations?operational and personnel security. A facility should be secured by systems designed to prevent malicious intent, theft or physical attack?and so should the operations staff tasked with running the data centre.
The policy should detail all access management rights; identify risks associated with securing the facility, its mechanical and electronic safety, maintenance procedures, compliance requirements and a comprehensive entrance and exit procedure.
Once developed and agreed, the policy should then be distributed to employees and all tenants and contractors who occupy the facilities. Personnel must know how to act quickly should an incident or emergency occur?and the systems should be tested frequently, just as the mechanical and electrical systems are tested to ensure they’re in top operational condition.
Secure the front door
The policy should address what security measures are taken at the entrance/exit of the data centre and identify any weaknesses that could be exploited by criminals. Closely monitor and manage the flow of personnel, material, equipment and systems used to transport them such as loading bays, ramps and freight lifts and through using live video image comparison, facial recognition and biometric authentication technologies.
Essentially anything or anyone attempting to enter a facility should be checked thoroughly by security staff at the entrance, prior to being authorised to enter. Security barriers and retracting posts should be installed at the vehicle entrance and natural barriers such as rocks should be placed around the perimeter to prevent forced entry to the site.
Establish a central security hub
Once inside, all authorised personnel and material moving around or being transported through the facility should be monitored by the security team in a central control room. The team should frequently patrol the campus, checking all access points and ensuring that personnel haven’t illegally attempted or gained access.
It’s vital that security teams are supported by an integrated alarm system which monitors all internal activity visually, from fire alarms to algorithm controlled video monitoring and to surveillance of the entire building.
Who are you protecting your data centre from?
A number of possible threats to a data centre’s security are often overlooked when defining a policy. Customers and local authority representatives may challenge the security systems by attempting to illegally enter a facility, to test whether the systems are robust and all personnel are doing their jobs properly.
Carefully consider how a natural event such as a flood or lightning strike would affect the technology controlling the physical security infrastructure. These and other threats should be studied by planners when conducting a risk assessment of the area. It would be beneficial to include these specialist skills in the development of security policies.
Furthermore, don’t overlook malicious or accidental internal threats to security, whether from a staff member incorrectly using the facility’s systems and equipment or carelessly leaving packages or equipment in sensitive areas around the data centre.
Terrorist attacks on data centres are possible, but operators can’t realistically and totally protect facilities from determined attack, which are obviously unpredictable. However, data centre managers should implement specific disaster recovery measures such as the distribution of sensitive data across a number of facilities, to ensure they are well protected. The impacts on businesses of data loss are frequently reported in the media and measures must be taken to protect your data centre to ensure your business is not affected in this way.
Securing a data centre is a complex and challenging job and those who manage their security systems and procedures well should be able to deter thieves from attempting to illegally enter, protecting sensitive data, personnel and high value infrastructure from malicious intent.