Securing Data Centers at the Rack Level
Innovative ways to avoid costly penalties and loss
However, managing access to the data center is becoming more complicated as data housing facilities continue to expand their hosting capabilities. From data centers housing information for a single organization to colocation data centers where multiple companies are hosting their data in one location, traditional key management is becoming a significant challenge for facility managers. Personnel from one or several organizations may access the data center at any given time, making key management increasingly difficult to track.
As paper-based information continues to go digital and organizations move toward cloud-based data storage, regulatory bodies are placing a stronger emphasis on data protection, making it more important than ever for data center managers to ensure that their security administration meets industry standards. The Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act, and Health Insurance Portability and Accountability Act (HIPAA), for instance, are regarded as the most significant data protection standards in the IT industry today and dictate requirements for securing and accessing information.
In response to these regulations, data center managers are focusing on extending physical security down to the rack level. Cabinet manufacturers are transitioning from traditional lock-and-key mechanisms to integrated solutions that combine electronic locking and monitoring capabilities for optimal security. These electronic access solutions (EAS) allow data center managers to easily incorporate intelligent locking throughout the facility — from its perimeter down to its servers — using the data center’s existing security system or through a separate, fully networked system.
THE COST OF NON-COMPLIANCE
According to a 2011 study performed by the Ponemon Institute, compliance with rules and regulations allows organizations to achieve a higher level of efficiency in their security programs. For the data center manager, the benefits of compliance are twofold: it not only protects the confidential nature of the data stored within the data center, it also protects the data center from regulatory penalties and the added cost of lost productivity that may occur as a result of a data breach.
Compliance with data protection regulations covers a wide range of confidential information, from financial to medical records. Compliance with these regulations extends globally as well. More and more, data management companies are hosting information overseas for American entities, which requires them to comply with U.S. guidelines and regulations. PCI DSS, for example, sets out technical and operational requirements for protecting the information of credit card holders. PCI DSS includes standards for tracking and monitoring access to network resources and cardholder data, which includes server cabinets that house this information.
According to a 2012 security report by Navigant, the primary causes of data breaches are:
• Theft: 28%
• Accidental public access: 23%
• Unauthorized use: 7%
Organizations found in violation of data regulations face costly consequences. In May 2006, the U.S. Department of Veterans Affairs fell victim to a breach when unencrypted information on a laptop and external hard drive was stolen when an analyst removed the equipment from the facility. Estimated costs for prevention and loss in this case were $25 to $30 million. Clearly, the stakes are high.
SECURING ASSETS WITH EAS
To ensure full compliance, data center managers are choosing networked access solutions that provide greater control through remote monitoring and digital audit trails of information. The remote monitoring capabilities offered by electronic access solutions help data center managers identify a violation fast — enabling them to receive updates on their computer or via text or email to their smartphone.
An electronic access solution is composed of three primary components: an access control or input device, an electromechanical lock, and a system for monitoring the status of the access point. When designing an EAS, it is important that the appropriate electronic lock is chosen for the specific enclosure and provides the intelligence, flexibility, and security needed at the rack level.
Electronic locks are actuated by external access control devices, which validate user credentials and produce a signal that initiates the unlock cycle. Appropriate electronic locks can be combined with any access control device from keypads to radio frequency identification (RFID) proximity card systems, biometrics, or wireless systems. The access control device can also be integrated into the electronic lock for a streamlined, integrated solution that requires minimal installation preparations.
Each time an electronic lock is actuated, an electronic “signature” is created that can be captured to monitor access, either locally with visual indicators or audible alarms, or remotely over a computer network. The electronic signatures can be stored to create audit trails that can be viewed at any time, whether on- or off-site, to forensically reconstruct a series of access events. This electronic record can store cabinet access activity including location, date, time, duration of access, and specific user credentials.
This audit trail can be used to demonstrate compliance with data protection regulations and allows data center managers to immediately identify and respond to security breaches or forensically reconstruct events leading to a violation. Real-time monitoring eliminates the need for on-site staffing and reduces the costs associated with managing data center security.
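The reconstruction described above can be sketched in a few lines. This is an added example, not code from the article or from any EAS vendor: the event format, cabinet names, badge IDs, allow-list and 30-minute threshold are all assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit trail (assumed format): timestamp, cabinet, credential, event.
EVENTS = [
    ("2024-03-01T09:00:00", "Row3-Cab12", "badge-1001", "UNLOCK"),
    ("2024-03-01T09:04:30", "Row3-Cab12", "badge-1001", "LOCK"),
    ("2024-03-01T22:15:00", "Row3-Cab14", "badge-2002", "UNLOCK"),
    ("2024-03-01T23:40:00", "Row3-Cab14", "badge-2002", "LOCK"),
    ("2024-03-02T02:10:00", "Row3-Cab12", "badge-2002", "UNLOCK"),
    ("2024-03-02T02:12:00", "Row3-Cab12", "badge-2002", "LOCK"),
    ("2024-03-02T08:00:00", "Row3-Cab14", "badge-2002", "UNLOCK"),
]

# Hypothetical per-cabinet allow-list, e.g. one tenant per cabinet in a colocation hall.
AUTHORIZED = {"Row3-Cab12": {"badge-1001"}, "Row3-Cab14": {"badge-2002"}}
MAX_OPEN = timedelta(minutes=30)  # assumed review threshold for access duration


def reconstruct_sessions(events):
    """Pair each UNLOCK with the next LOCK on the same cabinet."""
    pending, sessions = {}, []
    for ts, cabinet, cred, kind in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "UNLOCK":
            if cabinet in pending:  # an earlier unlock was never closed
                sessions.append((*pending.pop(cabinet), None))
            pending[cabinet] = (cabinet, cred, when)
        elif kind == "LOCK" and cabinet in pending:
            sessions.append((*pending.pop(cabinet), when))
    sessions.extend((*p, None) for p in pending.values())
    return sessions


def findings(sessions):
    """Flag sessions that warrant review: wrong credential, no lock, or long duration."""
    out = []
    for cabinet, cred, start, end in sessions:
        if cred not in AUTHORIZED.get(cabinet, set()):
            out.append((cabinet, cred, "credential not authorized for cabinet"))
        if end is None:
            out.append((cabinet, cred, "no lock event recorded"))
        elif end - start > MAX_OPEN:
            out.append((cabinet, cred, f"open for {end - start}"))
    return out


if __name__ == "__main__":
    for row in findings(reconstruct_sessions(EVENTS)):
        print(*row, sep=" | ")
```
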
HOW EAS IMPROVES SECURITY
Physical security is critical in the protection of valuable data and IT infrastructure. A long-standing challenge for data center managers is combining their existing building entry with rack-entry security systems. Electronic access solutions simplify the integration of these systems with the data center’s existing security system, allowing one cohesive security network to be used across the facility to control access.
Electronic access solutions also provide an alternative to mechanical locks that require physical keys. Compared to lock-and-key systems, where keys can be misplaced or stolen, electronic access solutions offer an enhanced level of security through the use of electronic locks that can be activated with individual user credentials. Securing server cabinetry with electromechanical locks eliminates key inventory and distribution and ensures that only authorized personnel have access to sensitive equipment and information.
There are other ways to leverage electronic locks in data centers. For example, electronic locks can link to security and environmental systems. Connecting them to IP video cameras and rack monitoring systems gives facility managers an additional tool for monitoring access activity. Electronic locks can also be equipped with a mechanical override system that enables manual access to enclosures in the event of a power failure.
DESIGNING FOR COMPLIANCE
EAS is appropriate for a variety of data center security applications, whether providing storage for one organization, or several housed in a colocation environment. Managers of colocation environments, in particular, have begun to adopt intelligent locking systems due to the challenges of protecting access to individual cabinets, rather than “caging” a cabinet or group of cabinets into separate areas of the data center. Universities have also recognized the value of EAS, especially when data storage for several academic departments is pooled in one location. Compliance also affects universities operating a medical branch or patient care facility, as confidential data stored there is protected under HIPAA.
Electronic access is highly adaptable to both structural designs and control mechanisms that are already in place. Often, building access cards or ID badges are already part of an organization’s proximity card system; using them for rack-level access eliminates the need to create new or separate credentials. Only one device is retrofitted per structure, which means existing security parameters can easily be extended across multiple applications.
THE FUTURE OF EAS
Looking ahead, there are several new developments on the horizon through which technology will continue to improve the state of rack-level security and compliance within the data center.
• One IP and one power source: In order to optimize security networks, there are new efforts in the industry to advance electronic access technology into a more streamlined online system. The ability to maximize a single access controller with several cabinets linked under one IP address is a potentially substantial step forward in the electronic security sector.
• Mobile: IT manufacturers are considering using mobile devices as access control mediums. Near-field communication, for instance, transmits signals between a mobile device and a prox card reader after an authorization code is entered via a cell phone. This development could allow data center security personnel to monitor activity and receive information from EAS via smartphones in the near future.
• Wireless: Running cables for server racks is a known challenge for data center professionals. Converting to wireless systems would eliminate installation issues and allow for an even simpler integration process. Providers would likely follow suit and develop more compact components for inside server cabinets and other IT enclosures.
Expectations for data security and management today have changed significantly. Regulations are driving facility managers to consider comprehensive security solutions with monitoring capabilities and digital audit trails to protect sensitive information from the threat of unauthorized access and theft. A recent Gartner study predicts that, through 2015, people and process issues will actually cause 80% of all outages affecting mission-critical services, with 50% of downtime linked to issues including configuration and hand-off. Data center managers can prevent these situations from occurring by optimizing security down to the rack level with electronic access systems. Electronic locks extend intelligent security from existing building security networks to data center cabinet applications. As a result, data center managers can ensure their facility and its equipment are protected against the risk of data breaches and any penalties associated with non-compliance.