Data center security is more critical and complex than ever before. Physical security plays a crucial role in preventing unauthorized access to facilities, equipment, and data.
When it comes to physical security, there are many factors to take into account. However, four crucial areas must be addressed when considering best practices for data center security: the site; building exterior; mechanical, electrical, and plumbing (MEP); and interior white space.
While several of the approaches covered here can be applied to more than one area of the property, each solution will only be addressed once to avoid redundancy.
Securing the Data Center Site
The front line of defense is protecting access to the data center site, and the first step is to implement multiple layers of security. Begin by evaluating the site with the goal of mitigating risk of damage from natural disasters, such as floods, tornadoes, and hurricanes. Human risks, including airplane flight paths, chemical plants, force majeure, and easements, must also be taken into consideration.
If possible, establish a 100-foot buffer zone around the property on all sides. The existing landscape may serve as a natural barrier, or this can be achieved by planting trees, placing boulders, and constructing gullies and/or grass berms around the perimeter. Surrounding the site with a 10-foot K-rated fence that is strong enough to withstand the force of an 18-wheeler traveling at 60 mph will provide added security.
Limiting the number of entry points is critical for maximum control. Establish a single entrance to both the data center site and the building itself and have surveillance in place to carefully monitor who enters the facility and when. Install 24/7/365-manned security posts in each location as well as in the loading dock area to authenticate visitors. Position one or more retractable crash barriers and a bomb detection device at all entrances and install video surveillance cameras with infrared and motion sensor detection around the entire perimeter of the site. Recorded information should be maintained for no less than 90 days and up to 12 months (this applies to all three areas covered in this article).
Anyone entering the facility must be authenticated multiple times. Ideally, employees, vendors, and visitors should be authenticated three times (when entering the site, building, and data hall). Visitors and vendors must always be accompanied by an employee. Depending on their status, authentication options for employees, vendors, and/or visitors can include access cards and identification badges; combination locks and/or keys; or biometric identification using fingerprint, hand, face, or retinal scanning. Physical entry logs should be utilized and kept for 12 months.
Building Security Best Practices
Maintaining the highest level of building security requires many of the same practices and techniques used to secure the overall site. Before the facility is constructed, building materials should be chosen with security and protection in mind. This includes 12-inch steel-reinforced concrete or Kevlar walls and/or ballistic walls and windows.
Protect outdoor MEP yards by surrounding them with bollards and concrete walls topped with fencing or barbed wire. The roof should be secured from the inside and the outside so that only authorized personnel have access. Depending on where the site is located, the roof should be rated for 120-mph winds or higher. Air handlers must be protected against a biological, chemical, smoke, and/or radiological event. The system should be able to shut down outside air and recirculate internal air. In addition, all fire exits should be alarmed, and they should not have a handle on the exterior of the door.
The importance of establishing one main entrance and posting security guards to authenticate persons entering the building cannot be overstated. If a loading dock area offers secondary access to the building, security personnel should be stationed in both locations. All deliveries should be inspected for bombs at the loading dock.
Camera surveillance TVs should be at each entrance, so when one guard steps away, a second guard can monitor the same areas. Everyone on the site should have a set procedure for entering and exiting the building, and personnel should have access only to the area or areas they are authorized to enter (the facility’s access list should be in real time). Background checks should be performed on all employees and vendors, with standards reevaluated every 24 months. All internet devices that have an IP address should be encrypted.
Maintaining Interior and MEP Security
Walls in the data hall and MEP rooms should be built slab to slab with wire mesh and/or Kevlar. This is to ensure the walls cannot be penetrated, as well as to protect encased wiring or pipes. Install separate restrooms for visitors and employees — visitor restrooms should be near the loading dock, and employee restrooms should be near the main entrance to the building.
Data halls, a/c galleries, PDUs, UPSs, generators, switch gears, and transformers should be in separate, secure rooms that are not side by side. Ceilings and raised floors should be secured with smoke, water, and motion detection systems and monitored at the guard station and/or the network operations center (NOC).
Each individually secured area should require more than one form of authentication and access control. Depending on the sensitivity of the data and equipment involved, consider enforcing specialized security measures for each room and area.
Mantraps should be installed at the entrance to the building, secured areas, and/or the data halls. There are several types of mantraps that perform different functions, and the design of the site and level of security required will depend on the design and function of the mantraps.
In the absence of a mantrap, two methods of authentication, such as a cardkey and a finger/hand/face/retinal scanner, should be required to gain access to the data hall. Cabinet layout should be done by department, and cage access should require at least one authentication. Locking cabinets should be installed inside the cage. Surveillance cameras in the data halls should be able to view multiple sides of all cabinets. Data center operators should also have a manned NOC with the same security cameras monitored around the clock.
Install an asset-tracking system in all IT equipment. This tag transmits real-time data that includes temperature, humidity, and other environmental information, and it can even indicate when a server cabinet is opened. This information can be monitored in the NOC or by cellphone, but mobile applications should be avoided, as they may compromise site security.
Increasing the redundancy to a minimum of an N+1 MEP design makes the site more secure and is categorized as a Tier III data center. Increasing to Tier IV brings the site to the top redundancy level, which includes dual utility feeds that can come from separate substations and/or from two different utility companies. It is best to install these electrical lines underground; alternatively, they can be 50 feet apart on the poles leading into the building or from two separate sides of the building. The Tier IV solution is the most secure for a data center operation.
Fiber should come into the building from two sides and into two separate meet-me-rooms (MMRs) located at least 50 feet apart. The site operator should also consider two separate telco providers taking separate paths to service any vital location. These rooms should be monitored continuously from the NOC.
IMPLEMENT AND VERIFY
Data center operators are advised to perform an annual security audit and review of the site’s security policy for all three areas addressed here. A simpler spot audit is suggested every quarter or when there is personnel turnover. Keep in mind that the tier rating for the site does not reflect the level of security required or outlined here.
Data centers play a critical role in an organization’s operations and productivity. While data center security is complex and multifaceted for enterprise and colocation sites, it is crucial to ensuring smooth and safe operations. Addressing these three key factors effectively is what will separate preferred operators from the pack.
Ideally, employees, vendors, and visitors should be authenticated three times (when entering the site, building, and data hall).