Why You Need to Improve Your Data Center Access Policy
By: Kaylie Gyarmathy on April 30, 2020
While IT physical security measures are incredibly important to protecting assets housed in a data center, they represent only one aspect of a comprehensive, multi-layered approach to security. Colocation customers have a crucial role to play here by maintaining rigorous access policies when it comes to their equipment.
What is a Data Center Access Policy?
Put simply, a data center access policy determines who is authorized to enter the facility and interact with the colocated assets stored there. In some instances, this could be as simple as a list of people who have complete access or as complex as a detailed, conditional list that grants some people very restricted forms of access and others more expansive permissions.
Many companies think about access policies in terms of their own employees. While this is certainly important, employees aren’t the only people who may have reason to access colocated equipment. Third-party vendors contracted to install hardware or perform maintenance often need to pass through data center security to access equipment. Similarly, if a colocation customer needs to have an audit performed or wants to give a trusted partner a close-up look at their deployment, these guests will need to be granted access before the facility’s security personnel will allow them to enter.
Having all of these scenarios laid out in a data center access policy makes it easy for everyone to understand what process needs to be followed for someone to enter the facility. It also eliminates any confusion about what forms of authentication need to be provided. With an access policy in place, the chances of someone accessing secure assets improperly are greatly reduced.
Why You Need a Strong Data Center Access Policy
Colocated servers often contain mission-critical data that organizations must keep secure at all costs. Whether it’s proprietary information about products, essential code used to deliver services, or data collected from customers, protecting that data is a top priority both for keeping operations running smoothly and avoiding compliance violations.
A strong data center access policy can mitigate the risks associated with unauthorized access and provide clarity when unexpected situations emerge. During the COVID-19 outbreak, for instance, these policies have made it easier for companies to know how their off-site equipment should be managed in a crisis. That allowed them to quickly determine how every policy change they made in response, such as shifting to a remote workforce, would impact their access policies. Companies with strong policies could quickly make changes accordingly to ensure that they maintained the same level of security to protect their sensitive assets.
3 Questions to Ask When Formulating Your Data Center Access Policy
1. Who Has Access?
In many ways, sorting out who is authorized to access colocated IT assets is the easiest question to answer, but it’s also an easy one to complicate. When a colocation data center stores a company’s computing equipment, its physical access policy typically requires the customer to provide a list stipulating who is authorized to enter the facility unaccompanied by an escort of some kind. Every provider works a little differently, but generally speaking, they require that all pre-authorized individuals come to the facility to receive proper credentials (key cards, biometric data, etc.), which they can then provide when they visit in the future.
The burden of determining who should have access falls on the customer, not the data center itself. After all, it’s the customer’s IT assets being colocated, so they have the right to identify which people should have access. The customer is responsible for managing their access list, adding and removing people as they see fit as well as keeping track of any credentials issued by the data center. While data centers may automatically revoke access privileges that go unused for a long period of time or deny access to people who are not in good standing with the facility for some reason, they generally trust the customer to conduct the proper vetting and assessment procedures.
2. Who Manages Access?
Organizations should reassess their access lists regularly, verifying that the people on them need access privileges. If someone hasn’t visited the facility in a year, for example, the risk of them losing their credentials may not be worth the benefit of having them on the list in the first place. Keeping lists small and manageable makes it easier to account for who is coming and going and reduces the logistical burden of tracking access credentials over time.
Most data center security standards require that customers designate a specific representative within the company who serves as their point of contact for access list issues. This person is authorized to add or remove people from lists and is sometimes needed to confirm access requests or other actions within the data center. By designating a representative, customers can ensure that their physical access policy is actively managed and reviewed so that it stays up to date. The representative can also authorize guests, such as potential clients or vendor partners, to visit the data center as needed.
3. How Is Access Handled On-Site?
In addition to data center physical security standards, every facility follows strict logical security procedures laid out in their colocation contracts. The process usually involves a security check-in at the facility’s entrance. In order to enter the data center unescorted, a person must not only be on the customer-approved access list, but also possess the necessary credentials. In most cases, some form of multi-factor authentication will be required, such as an ID badge and a biometric scan of some kind. In any event, all visits will be documented by the data center’s security personnel, which allows both the facility and the customer to review who accessed their IT assets and when.
If someone is unable to provide the necessary credentials or is not on the access list, they may still be permitted entry as a visitor, but they will not usually be allowed to enter the data center unaccompanied. Of course, data center security personnel will not allow just anyone to stroll in and declare themselves a visitor as this could easily lead to security breaches. Their entry will need to be authorized with the customer’s access representative to verify that they’re temporarily approved.
Managing their data center access policy is an important step companies can take toward enhancing their security. By keeping careful records of who is authorized to access valuable IT assets and when they do so, colocation customers can help data centers augment their layered security measures and ease the burden on security personnel. Effective access policies also clarify roles within an organization, stipulating who has authority to make IT decisions and reducing the risk of human error by limiting the number of people involved in managing computing equipment. While they may not be as imposing as a perimeter fence or a biometric scanner cabinet lock, access lists are every bit as effective at protecting valuable colocation assets.
Make Sure Your Data Center Access Stays in the Right Hands with vXchnge
As part of vXchnge’s ongoing commitment to delivering control directly into the hands of our colocation customers, our award-winning in\site platform allows them to easily manage their data center access policy. Granting or removing access is as simple as logging into the in\site portal and making the changes, which will update the access list in real-time. With the in\site mobile app, you can manage your data center access policy at any time, from anywhere. Thanks to this innovative capability, vendors and visitors will never be stuck waiting outside the data center for someone to accompany them inside or for a new version of the access list to be uploaded.
As the Marketing Manager for vXchnge, Kaylie handles the coordination and logistics of tradeshows and events. She is responsible for social media marketing and brand promotion through various outlets. She enjoys developing new ways and events to capture the attention of the vXchnge audience.