Data Center Security: Curb To Core
Best practices for data center physical security.
Put simply, data drives our economy. From health care to higher education, from finance to bioscience, data is critical to the success of organizations in every industry. How we support data collection and storage, along with the absolute need to keep that information secure, grows more critical every day.
Keeping that data secure is not a one-size-fits-all proposition. That’s why it’s necessary to thoughtfully assess your current and future needs before you allocate your budget and deploy a program to secure critical assets. To maximize the investment in physical security, consider each section of the facility from the perimeter of the property to the center of the facility where the server racks are housed. This “curb to core” approach demonstrates effective physical security measures that complement the fundamental business operations of the data center.
In this constantly evolving market, facility managers need to be aware of new physical security options and best practices for securing data and data facilities. Whether you’re a company looking to evaluate a data center, or a data company looking to upgrade and improve their security, we’ll discuss some of the codes and requirements from major organizations along with important considerations for each facility layer, from curb to core.
PROTECTING DIFFERENT TYPES OF DATA CENTERS
As a facility manager, you know that most data centers fit into one of three broad categories.
The enterprise data center essentially serves as the backbone of the corporation. Sites for these types of data centers are generally selected based on cost factors; they tend to be located where land and connectivity are the cheapest or where existing business operations can provide the needed space and infrastructure. Most of these sites have existing physical security measures and practices in place that can offer a starting point to “bolt on” the needs of the data center space.
The second type is the colocation or “colo” data center. These facilities provide a range of data management services for their clients or tenants. When it comes to security, the colocation facility can be particularly challenging in that competing entities could very well find themselves storing important data across the hall from one another, in adjacent cages, or even within the same cage. The need to keep each client’s assets represented and fundamentally separate demonstrates the value of security all the way to the server rack cabinet.
The third type, known as a blended or distributed model, is most common among large corporations. True to its name, the “distributed model” is characterized by the use of space owned or leased by the entity that needs it. Oftentimes, the rental of external space can be a short-term solution as the company constructs additional buildings of its own, at which point the storage is brought back under the corporate roof. The blended model responds to the ever-changing needs of rapidly expanding online companies and utility or infrastructure providers. The fact that data is being stored in different facilities requires a more thorough approach to physical security.
STANDARDS AND CODES
Depending on the industry of the data center user, the access control solution must satisfy thorough and specific compliance requirements. Three important examples of these regulations are outlined below.
Health Insurance Portability and Accountability Act of 1996 (HIPAA): HIPAA Title II includes an administrative simplification section that deals with the standardization of health care information systems. In the information and communications technology (ICT) industries, this section is what most people mean when they refer to HIPAA. The act seeks to establish standardized mechanisms for electronic data interchange security and the confidentiality of all health care data.
HIPAA mandates standardized formats for:
All patient health, administrative, and financial data
Unique identifiers (ID numbers for each health care entity, including individuals, employers, health plans, and health care providers)
Security mechanisms to ensure confidentiality and data integrity for any information that identifies an individual
Payment Card Industry Data Security Standard (PCI DSS): The PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information. It requires that access to system information and operations be restricted and controlled and that cardholder data is protected physically and electronically.
North American Electric Reliability Corporation (NERC): Five of NERC’s nine mandatory critical infrastructure protection (CIP) standards are important to consider when managing your data center security:
CIP-003: Requires that responsible entities have minimum-security management controls in place to protect critical cyber assets
CIP-004: Requires that personnel with authorized cyber or unescorted physical access to critical cyber assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness
CIP-005: Requires the identification and protection of the electronic security perimeters inside which all critical cyber assets reside, as well as all access points on the perimeter
CIP-006: Addresses implementation of a physical security program for the protection of critical cyber assets
CIP-007: Requires responsible entities to define methods, processes, and procedures for securing those systems determined to be critical cyber assets, as well as the other (non-critical) cyber assets within the electronic security perimeters
The common thread across all these regulatory requirements is the need for proper security (both physical and electronic) to ensure the safety of data. While the various regulations mandate data protection, they do not prescribe the path to achieve this goal. As a result, it is critical for data center professionals to have a thorough understanding of applicable compliance requirements so they can identify the best solutions and policies for their organizations.
SECURING THE PERIMETER
Regardless of the type of data center, physical protection begins at the perimeter. A berm of dirt or land, for example, can be created to establish a physical barrier that prevents vehicles from driving onto the property. With permission of local jurisdictions, the physical security solution can begin with landscaping, high-security fencing, or a combination of the two. High-security perimeter solutions from Ameristar include top-of-the-line steel fencing with anti-ram barriers, designed to withstand multiple vehicle threats.
Within the fencing is an ideal spot for exceptionally sensitive intrusion detection systems, or IDS. These systems use a variety of technologies: lasers, for example, detect movement across the top of the fence and generate an alert when someone tries to cross, while wire tension sensors generate an alert when someone attempts to scale the fence.
The next layer is the main entrance to the facility, which is typically a vestibule housing the visitor management and access control functions. In some cases this includes a mantrap. This space is a neutral zone where the visitor or employee is out of the weather but still needs to be qualified before being granted access to the building, a step that requires accompaniment by authorized personnel or evidence of access rights such as a credential. Typically, a mantrap includes an electrified deadlatch, such as the 4300 Steel Hawk from Adams Rite, which combines mechanical locking hardware with electrified access control while working within standard aluminum entrance door preparation.
Next is the interior, where conference rooms, managerial offices, and an array of general-purpose spaces require different types of physical security measures. Securitron offers a variety of entry devices, particularly the R100 surface-mounted wireless reader and Aperio hub, which bring access control to entryways with fully encrypted AES-128 communication and audit trail capabilities.
These areas are separate from the data center floor and often house other large equipment such as batteries and generators, which are mission critical to protect data during power outages. The openings into these spaces are generally oversized and therefore require specialty doorframes and hardware. Ceco offers an RF shielded door and frame that prevents outside interference, ensuring that sensitive and confidential data is contained. These openings guarantee a high level of durability, thickness, blast resistance, and gasketing to prevent fumes from escaping.
CRITICAL INFRASTRUCTURE SPACE
The next layer enters the very core of the building. When it comes to protecting the servers and the infrastructure that supports their operation, there must be a durable, proven access control solution in place. Often a biometric reader is employed to identify people based on their hand geometry, fingerprints, or irises, as a method of dual authentication alongside the traditional card access system.
Cages are generally associated with colocation spaces. A client who rents a 10-ft-by-10-ft space will almost certainly expect that space to be physically separated from the spaces rented by other clients. The cages offer six-sided protection and are usually protected by a combination of biometrics, Securitron maglocks, and card access. Client business models generally drive security deployment at this level to ensure regulatory compliance.
The server cabinets are the last stop. This is an area with security options ranging from relatively simple locks to advanced access control solutions with audit trail capabilities.
To protect the data held within each server rack, HES offers the KS100 server cabinet lock and Aperio hub. If there is an existing access control system, the Aperio hub ties in directly, bringing real-time access control to each cabinet in a single-card system. This wireless solution greatly improves the monitoring and security level of each server cabinet. It uses existing ID badges so there are no keys to control or replace and no codes to secure or remember.
If a hardwired solution is required, HES offers the KS200 server cabinet lock, which uses Wiegand wiring to integrate seamlessly with any existing access control and ID badge system. Both options support a small format interchangeable core (SFIC) key override and provide robust, cost-effective access control that meets strict regulatory compliance and protects data. Both the KS100 and KS200 can also be extended with three contact points that are commonly used to monitor the side panels of the racks, providing a central point for communication back to the access control platform. This not only extends the value and impact of the access control device but also lowers the cost of deployment versus traditional installations.
There is also the option of enhancing the KS200 by removing the mechanical override and replacing it with a Medeco XT electronic cylinder for a full accountability solution. Since data centers are indeed critical and need more than a mechanical solution can offer, there is also the XT Intelligent Key System, which provides scheduling, audit, and the ability to expire keys, thereby increasing accountability and security.
The products selected will depend in large part on the way the servers are arranged in the space. Whether the space is an open room with many rows of server racks or a hot aisle or cold aisle configuration, there are operational and environmental challenges. In either scenario, the HES KS100 and KS200, with a Medeco XT Intelligent Key System as well as the Securitron R100, are optimal solutions.
It is important that protocols are in place not just for data security but also for life safety and good business practices. In fact, failing to develop or deploy procedures creates significant vulnerabilities for the organization.
Like other facets of facility management, execution is paramount. Several organizations, including BICSI, the Federal Emergency Management Agency, and ASIS International, offer guidance in the development and management of security protocols.
Regardless of the type of data center you’re managing, the advances made in this field make it possible to offer higher levels of security from the perimeter through to the server cabinet itself as a competitive advantage. In nearly any industry, companies will pay a premium to protect their critical data.