While IT physical security measures are incredibly important to protecting assets housed in a data center, they represent only one aspect of a comprehensive, multi-layered approach to security. Colocation customers have a crucial role to play here by maintaining rigorous access policies that stipulate who is authorized to enter the data center and manage their equipment.
Here are a few questions companies should keep in mind when formulating their data center access policy:
In many ways, sorting out who is authorized to access colocated IT assets is the easiest question to answer, but it’s also an easy one to complicate. When a colocation data center stores a company’s computing equipment, its physical access policy typically requires the customer to provide a list stipulating who is authorized to enter the facility unaccompanied by an escort of some kind. Every provider works a little differently, but generally speaking, they require that all pre-authorized individuals come to the facility to receive proper credentials (key cards, biometric data, etc.), which they can then provide when they visit in the future.
The burden of determining who should have access falls on the customer, not the data center itself. After all, it’s the customer’s IT assets being colocated, so they have the right to identify which people should have access. The customer is responsible for managing their access list, adding and removing people as they see fit as well as keeping track of any credentials issued by the data center. While data centers may automatically revoke access privileges that go unused for a long period of time or deny access to people who are not in good standing with the facility for some reason, they generally trust the customer to conduct the proper vetting and assessment procedures.
Organizations should reassess their access lists regularly, verifying that the people on them need access privileges. If someone hasn’t visited the facility in a year, for example, the risk of them losing their credentials may not be worth the benefit of having them on the list in the first place. Keeping lists small and manageable makes it easier to account for who is coming and going and reduces the logistical burden of tracking access credentials over time.
Most data center security standards require that customers designate a specific representative within the company who serves as their point of contact for access list issues. This person is authorized to add or remove people from lists and is sometimes needed to confirm access requests or other actions within the data center. By designating a representative, customers can ensure that their physical access policy is actively managed and reviewed so that it stays up to date. The representative can also authorize guests, such as potential clients or vendor partners, to visit the data center as needed.
In addition to data center physical security standards, every facility follows strict logical security procedures laid out in its colocation contracts. The process usually involves a security check-in at the facility’s entrance. In order to enter the data center unescorted, a person must not only be on the customer-approved access list, but also possess the necessary credentials. In most cases, some form of two-factor authentication will be required, such as an ID badge and a biometric scan of some kind. In any event, all visits will be documented by the data center’s security personnel, which allows both the facility and the customer to review who accessed their IT assets and when.
If someone is unable to provide the necessary credentials or is not on the access list, they may still be permitted entry as a visitor, but they will not usually be allowed to enter the data center unaccompanied. Of course, data center security personnel will not allow just anyone to stroll in and declare themselves a visitor as this could easily lead to security breaches. Their entry will need to be authorized with the customer’s access representative to verify that they’re temporarily approved.
Managing their data center access policy is an important step companies can take toward enhancing their security. By keeping careful records of who is authorized to access valuable IT assets and when they do so, colocation customers can help data centers augment their layered security measures and ease the burden on security personnel. Effective access policies also clarify roles within an organization, stipulating who has authority to make IT decisions and reducing the risk of human error by limiting the number of people involved in managing computing equipment. While they may not be as imposing as a perimeter fence or a biometric scanner cabinet lock, access lists are every bit as effective at protecting valuable colocation assets.
As the Marketing Manager for vXchnge, Kaylie handles the coordination and logistics of tradeshows and events. She is responsible for social media marketing and brand promotion through various outlets. She enjoys developing new ways and events to capture the attention of the vXchnge audience.