Most companies are quite aware of the threat posed by cyberattacks. After all, there’s no shortage of high profile DDoS or ransomware attacks in the media today. While companies may be right to be concerned over these attacks, they should also consider the less obvious physical threats posed to their IT infrastructure. From sophisticated industrial espionage to simple carelessness on the part of unwitting employees, physical data breaches have the potential to be even more damaging than those resulting from a cyberattack.
When assessing a data center, organizations should keep a few key questions in mind when it comes to physical security:
Are Security Measures Layered?
The most effective forms of physical security are designed to work in tandem with one another to provide multiple layers of defense against a potential breach. This ensures that if someone manages to get past one security check, they must still overcome several more before they can gain access to the data floor or other core operations. On a very basic level, layering can refer to security measures like gates, doors, and security checkpoints. It can also incorporate multiple security methodologies into a single solution. For instance, gaining access to a specific room might require a security key card and a biometric scan rather than just one form of authentication.
As a general rule of thumb, anyone seeking to gain access to the most secure areas of a facility should have to pass through several authentication checkpoints where they will be required to produce identification in the form of credentials or biometrics.
Some basic checkpoint systems include:
The outer gate where visitors’ vehicles approach the facility.
The main entry point where visitors enter the building. Credentials, and possibly biometric scans, will be required here.
Data floor entrances with floor-to-ceiling turnstiles or man-traps to ensure that no one sneaks through behind an authorized visitor or has credentials “passed back” to them by someone who has already gained access.
Lockable racks and server cabinets, protected by combination locks and/or biometric authentication.
Are Access Lists Kept Up-to-Date?
Organizations don’t want just any employee to be able to access their IT assets in a data center. Only people with a genuine business need should be authorized to access the data floor. This reduces the number of people who could conceivably enter the facility and create a potential security risk (people are, after all, the biggest threat to data center security). Each organization must provide an access list to their data center containing information about the people who are permitted to enter the facility for any reason. This list must be maintained, however, to reflect the person’s current status with the company. If they move to a new role in which data center access is no longer necessary to their job functions, their access should be revoked and the data center should change its authorization protocols accordingly.
Is There Comprehensive Surveillance?
Closed Circuit Television Cameras (CCTVs) should cover every access point and sensitive area of the data center. These cameras create a record that can be checked against access logs to determine whether or not any unauthorized access or tampering has occurred. The exterior of the building should be covered by cameras with full pan, tilt, and zoom features while the interior units should cover all entrances and exits as well as the data floor. For thorough data center security best practices, footage should also be backed up digitally and archived offsite in the event that the camera is damaged during a breach.
Does the Facility Pass the “Eye Test?”
It may sound strange, but appearances matter when it comes to protecting a data center. One of the most important best practices of data center security is ensuring that the facility doesn’t look like a data center in the first place. There should be few, if any, outward indications of the building’s function. A secure data center should be nondescript, with few windows or entry points. It should be set back far enough from the road to avoid notice, preferably hidden behind trees or other landscaping elements. An outer fence should funnel traffic through a single entry point. Fire doors should allow only one-way access, and exterior doors should be designed with their hinges on the inside so they can’t be removed to bypass locks.
Are Regular Audits Conducted?
All the security measures in the world won’t amount to very much if data center personnel don’t adhere to the proper protocols and procedures that make them work effectively. Human-based breaches resulting from intentional sabotage, carelessness, and failure to follow established policy can compromise even the best security measures, making it extremely important for facilities to rigorously enforce their training and accountability standards with data center security audit checklists. Internal and external audits that evaluate how well data centers follow their security policies are essential to maintaining high levels of readiness and awareness.
With so much focus on cyberattacks in the media, many organizations don’t put a lot of thought into the level of physical security at their data center. Robust physical security standards, however, are one of the best lines of defense a data center can provide, not only protecting valuable IT assets from external threats, but also from internal threats that exist within every organization. By limiting access to their customers’ IT infrastructure and data, data centers can provide security assurances that go above and beyond what many companies could provide even through their own private facilities.
About Kaylie Gyarmathy
As the Marketing Manager for vXchnge, Kaylie handles the coordination and logistics of tradeshows and events. She is responsible for social media marketing and brand promotion through various outlets. She enjoys developing new ways and events to capture the attention of the vXchnge audience.