Data centers are undergoing significant expansion, driven by factors including the work-from-home demand for bandwidth, major growth in cloud computing applications, and the massive growth of video conferencing platforms. As the industry invests in expanding its capabilities — adding more floors to existing locations and building new facilities — investments in data security and in reliably securing these new facilities physically must be a top priority.
It’s not just data centers that are rapidly growing either; the costs of data breaches of all kinds are rapidly increasing. The average cost of a breach in the U.S. is $9.4 million, according to IBM Security’s “The Cost of a Data Breach” report.
There’s a strong incentive for those in the data center industry to make significant investments in protecting their facilities from all types of risks. One area leading data centers are investigating — one that remains a vulnerability in some locations — is rack-level security. There are now ranges of electronic locking, access control devices, and systems designed to protect every server cabinet and rack from unauthorized access.
A MULTILAYERED APPROACH TO SECURITY
Virtually all data centers have well-established security systems and processes to manage and track technician access, whether by teams installing new equipment or by those carrying out a variety of maintenance tasks. There are multiple layers of security and access control: at the front door of the building, a mantrap to get past the lobby, access control to get into each data center room, and then possibly a cage depending on the data center structure. All of this is usually backed by 24/7 video surveillance from multiple angles.
However, it’s at the rack level where data security and access control have the potential to fall short. If the servers are behind doors, there may not be physical locks securing those doors. And in older server farms, the server racks are wide open to all who have gained access to the cage that surrounds them.
The impact of such data breaches can be steep, and not just in the actual costs noted above: personal data is protected by multiple regulations and standards that apply to data center operations. The Health Insurance Portability and Accountability Act (HIPAA) lays out three rules for protecting patient health information covering patient privacy, security, and breach notification. Failure to adhere to the three rules, compliance obligations, and security policies — or any security breach of electronic information systems, unauthorized access to electronic health records, or electronically protected health information — can result in severe civil and criminal penalties as well as loss of professional reputation.
The Payment Card Industry Data Security Standard (PCI-DSS) specifies that any physical access to data, or to systems that house cardholder data, or provide the opportunity for individuals to access and potentially remove data, devices, systems, or hardcopies, should be appropriately restricted. Additionally, the Federal Information Security Management Act (FISMA) specifies that organizations must limit physical access to information systems, equipment, and the respective operating environments to only authorized individuals.
APPROACHES TO RACK-LEVEL SECURITY
Responsibility for rack-level security can differ depending on the type of data center. Some are wholly owned and operated by one company or entity, so responsibility for securing server racks and cabinets is with one organization. In colocated data centers, where multiple users each own and operate one or several racks or cabinets alongside many other owner/operators, it is typically the server owner who defines how to secure those racks and how sophisticated that locking and access management solution will be.
Under these conditions, it’s important for all data center users to appreciate the range of options available for rack-level security. Cabinet manufacturers are transitioning from traditional lock-and-key mechanisms to integrated solutions that combine electronic locking and monitoring capabilities for optimal security.
Electronic locks are actuated by external access control devices, which validate user credentials and produce a signal that initiates the unlocking cycle. Leading suppliers now offer modular electronic locks that can be combined with any access control device, including keypads, radio frequency identification (RFID) cards, biometric readers, or wireless Bluetooth systems.
One major advantage of these modular electronic locks is that it is relatively easy to upgrade reader technology over time. The systems are engineered to protect the customer’s investment from the start. These systems are designed for efficient installation and performance; they typically feature microprocessor-controlled gear motor designs that ensure minimal power consumption and provide intelligent locking and monitoring capabilities.
These modular electronic locks can provide the linchpin for rack-level security that can be modified or adapted to the unique requirements of each server and cabinet owner — offering greater flexibility to accommodate an individual company’s security and access control processes. Leading electronic lock retrofit kit suppliers have also developed multiple variations to make it easier to install electronic locks on a wide range of cabinet door formats and configurations.
In addition, some data center and server owners are seeking to augment standard access security procedures with multifactor authentication. With this, one piece of information alone does not grant access. An electronic lock can be designed to require the user to present an RFID card and then enter a PIN code on a keypad. The modular capabilities of the newest generation of electronic locks can support this capability.
ADVANTAGES OF COMPLETE EAS PLATFORMS
Electronic access solution (EAS) platforms allow data center managers and rack owners to easily incorporate intelligent locking throughout the facility — from its perimeter down to its servers. This can be accomplished by either leveraging the data center’s existing building management system (BMS) and integrating with newer electronic systems, or through a separate, fully networked system.
An electronic access solution is composed of three primary components: an access control reader or input device; an electromechanical lock; and a controller system for restricting, monitoring, and recording access. When designing an electronic access solution, it’s important that the appropriate electronic lock is chosen for the specific enclosure, and provides the intelligence, flexibility, and security needed at the rack level.
EAS platforms allow for very specific access control. For example, a technician would receive an electronic key through an app on their company smartphone or tablet equipped with Bluetooth. That key would actuate only a single cabinet door and only for a set period of time to let them carry out a specific service task.
Each time an electronic lock is actuated, an electronic “signature” is created and recorded to monitor access — either locally with visual indicators or audible alarms, or remotely over a computer network. These signatures can be stored to create audit trails that can be viewed at any time to forensically reconstruct a series of access events, keeping track of location, date, time, duration of access, and specific user credentials.
These audit trails provide data center managers with an additional capability: tracking the amount of time a server rack door is opened in order to monitor maintenance and service activity. If a server rack is scheduled for activity that should take 30 minutes, but the audit trail shows the door was open for several hours, management can find out why the delay occurred and exercise better management of service personnel and costs for service.
This audit trail can also be used to demonstrate compliance with data protection regulations, and quickly identify and respond to security breaches or forensically reconstruct events leading to a violation. Remote management and real-time monitoring eliminate the need for on-site staffing and reduce costs associated with managing data center security.
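As an added illustration (not code from the article or from any vendor's product), the audit-trail review described above can be sketched over a constructed event log: it checks each door opening against the time-limited, single-cabinet key that should cover it and compares door-open duration with the scheduled task time. The record layout, field names, cabinet and user identifiers, and the 1.5x tolerance are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; record layout and identifiers are assumptions.
GRANTS = [  # time-limited electronic keys: one user, one cabinet, one window
    {"user": "tech-17", "cabinet": "R12-C04", "start": "2024-03-05T09:00",
     "end": "2024-03-05T10:00", "expected_min": 30},
    {"user": "tech-22", "cabinet": "R12-C07", "start": "2024-03-05T13:00",
     "end": "2024-03-05T14:00", "expected_min": 30},
]
AUDIT_TRAIL = [  # (timestamp, cabinet, user, event), one record per actuation
    ("2024-03-05T09:05", "R12-C04", "tech-17", "door_open"),
    ("2024-03-05T09:28", "R12-C04", "tech-17", "door_closed"),
    ("2024-03-05T13:10", "R12-C07", "tech-22", "door_open"),
    ("2024-03-05T16:40", "R12-C07", "tech-22", "door_closed"),
    ("2024-03-05T13:20", "R12-C04", "tech-22", "door_open"),
]

def _ts(stamp):
    return datetime.fromisoformat(stamp)

def find_grant(user, cabinet, when):
    """Return the key covering this user, cabinet and moment, or None."""
    for g in GRANTS:
        if ((g["user"], g["cabinet"]) == (user, cabinet)
                and _ts(g["start"]) <= when <= _ts(g["end"])):
            return g
    return None

def review(trail, grace=1.5):
    """Flag openings without a valid key, overlong sessions, unclosed doors."""
    findings, open_doors = [], {}
    for stamp, cabinet, user, event in sorted(trail):  # ISO stamps sort by time
        when = _ts(stamp)
        if event == "door_open":
            grant = find_grant(user, cabinet, when)
            if grant is None:
                findings.append(("NO_VALID_KEY", cabinet, user, stamp))
            open_doors[cabinet] = (when, user, grant)
        elif event == "door_closed" and cabinet in open_doors:
            opened, opener, grant = open_doors.pop(cabinet)
            minutes = (when - opened) / timedelta(minutes=1)
            if grant and minutes > grant["expected_min"] * grace:
                findings.append(("OVERLONG", cabinet, opener, int(minutes)))
    for cabinet, (opened, user, _) in sorted(open_doors.items()):
        findings.append(("STILL_OPEN", cabinet, user,
                         opened.isoformat(timespec="minutes")))
    return findings

if __name__ == "__main__":
    for finding in review(AUDIT_TRAIL):
        print(finding)
```
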
CHOOSING THE RIGHT SOLUTION
As data center use and construction dramatically increase, there are major incentives to ensure that the protection of the data and applications held in those centers is fully supported — and that means making smart decisions about how to implement rack-level security.
This is a challenge for both new facilities and, in many cases, older existing data centers that have not fully invested in rack-level electronic locks and access control. Leading security systems providers have developed a range of electronic locking platforms for new installations and retrofit applications to meet each end user’s unique requirements and processes. Partnering with these suppliers and drawing on their expertise can help find the right rack-level access and security solution to properly protect critical digital infrastructure.