Ensuring Physical Security in Data Centres

John Davies

John Davies

With more and more systems being hosted online and the increasing move towards The Internet of Things, the demand for space in data centres has never been greater, asserts John Davies. Organisations and individuals alike are embracing the promise of flexibility, greater reliability and tighter security that using a data centre promises.

However, recent market research conducted by renowned Swedish lock manufacturer ASSA ABLOY shows that the Number One risk to data centres is unauthorised access, suggesting that physical security is a vital aspect in securing this data.

The market research is part of a White Paper* produced by ASSA ABLOY which looks at the physical security requirements of a data centre, from the perimeter of the storage facility right through to the security of the individual rack in the server room. With 26% of respondents suggesting unauthorised access is the biggest threat (and one which has almost doubled in the last year alone), it’s clearly an area of concern for security operators and providers.

Due to the huge range and variety of data stored, and its growing importance to all parts of society, this is something that should be of concern for each and every one of us.

Protecting different types of data centre   

Effectively, data centres fall into two categories – those which serve a single organisation or group of companies and those which offer outsourced services or rack space to paying customers (the latter often referred to as ‘co-location’ data centres). While both offer similar services, the security requirements can differ quite dramatically.

The data centre for a single organisation is likely to be hosted either on-site (perhaps at one of the company’s existing facilities) or at a specially designated location that’s designed to keep the systems safe. It’s likely that internal security will not be too much of an issue while most of the security resources will be engaged in stopping outside interference.

A co-location data centre, however, will have a degree of access to representatives of any business that shares its facilities. Inevitably, this means there’s also a security element with regards to ‘authorised’ people entering the building as well.

While neither data centre model will allow a member of the public to simply enter the facility, a co-location centre will understandably involve more risk to stored data and needs even greater thought when it comes to security procedures. Perimeter security may suffice for a single organisation’s data centre (the entrance to the building and access to the server room), but a co-location data centre will ideally have locking and access control on the server rack as well.

Security and legislation

Arguably, data is one of the most valuable assets in the modern world. When you consider financial data, for instance, it’s not hard to see why.

The global economy is wholly reliant upon the security of financial transactions and data. Banks and other financially-focused organisations also have to adhere to the most stringent of legislation (such as the globally-recognised US Sarbanes-Oxley Act 2002) and quality control, partially to remain fully legal, but also to afford their customers full peace of mind. In this case, the security of your data centre is also a key part of your reputation.

If they don’t already, many financial regulations and quality standards will soon seek to ensure that the security of data is not only assured by IT security and access control to the data centre building, but it will also need to extend right down to exactly who has access to the physical servers that store this precious data.

Obviously, external access control for the outside of a data centre is a given. However, the significant value (in terms of the data and any potential crisis if it’s stolen, lost or damaged) means that it’s essential to consider the various components of security and how they will work in reality.

Main server storage area

Assuming external access control is already in place, it’s wise to have an ‘air lock’-style set of doors in place at the main server storage area. This prevents individuals who may be employed in the less secure areas from gaining access to the actual data centre’s server room.

Once inside the server room, it makes sense to employ fully-integrated security, including CCTV and intruder alarms, perhaps with a floor sensor in place to ensure nobody can hide within the restricted area when it should be empty. Biometric readers are also a highly secure way of tracking who enters and leaves the secure area.

Focusing on the actual server racks themselves, it’s vital that these stringent security levels continue. In the past, access to the servers has relied upon traditional keys, but these can be mislaid and it’s labour/time/paperwork-intensive to secure them effectively.

A modern wireless locking system makes far more sense. It’s easy to install and can be linked to the rest of the security network using the best of security components (such as biometric readers) to grant or deny access at a moment’s notice.

Safeguarding all data

Nobody is in any doubt that data centres are as vital to the economy and our everyday lives as traditional banks. On that basis, they need to be secured with the same amount of care.

Cyber attacks will always be a threat, but it’s interesting that these most modern of assets now require physical protection more than ever before.

This is something about which every modern data centre security and/or risk manager must be aware. For its part, the physical security industry needs to ensure it offers the right solutions for this most important of needs.

John Davies is Managing Director of TDSi

*For a copy of the ASSA ABLOY White Paper visit: www.assaabloy.co.uk/datacentersecurity

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts