When you envision a cybercriminal staging a data center attack, who do you picture? Perhaps it's an individual behind his computer in a dark room. Maybe it's an offshore group with serious infrastructure working in a sweatshop-like environment, or even a bad-actor nation-state! Would you ever suspect that a cybercriminal is the young professional in a suit walking through the front door? Or a client who normally performs change control, but this time brings a guest?
The truth is that it’s often easier for a cybercriminal to physically breach a data center than to break through layers of digital cyber protections. Firewalls, virtual networks, encrypted communications, multifactor logins, out-of-band monitoring, and other forms of cyber protections work dutifully to prevent cyberattacks, constantly evolving to meet the latest imperative. They work so well, in fact, that those with criminal intent would often rather bypass many of those robust digital defenses and try their chances at thwarting a data center’s physical defenses.
Today’s threat actors employ a range of effective measures to gain unauthorized entry to an attack surface, even with multiple well-intentioned systems in place. For example, an access control system may ask every employee to scan their badge to gain entry, manually opening the door and closing it immediately behind them. This is rarely what happens, because good-natured individuals hold the door open for those who are entering behind them. It could be a technician whose hands are full carrying tools, an older individual needing assistance, or even the young professional in the suit. Regardless, any of these individuals can be a cybercriminal, and traditional access control systems are ill-equipped to prevent such instances of unauthorized entry as they happen.
The presence of access controls, cameras, and guards provides a visual deterrent and minimizes accidental incidents affecting compliance; however, these measures can fall short against a determined attacker. The threat surface runs from the social norms described above all the way to collusion, including bribery and coercion, and results in a number of potential risks. Layering defenses certainly helps; however, unattended secured entry solution designs that automate identity verification are the only true defense for the threat surfaces described above.
Understanding Secured Entry Solutions
Data centers can help prevent cyber threats by installing unattended secured entry design solutions at entry and exit points at the perimeter of a facility, and at critical internal access points. These fortified solutions include security revolving doors, security interlocking mantrap portals, and full height turnstiles. Each of these solutions can not only deter and detect unauthorized entries, but they can also automate issue resolution, incorporate important redundancies, and segment any kind of threat, and as a result, prevent unauthorized entry.
Security entrances that deter or detect unauthorized access serve largely as a visual deterrent against casual attempts to gain unauthorized access; the most often used are optical turnstiles. These waist-height or full-height glass turnstiles have presence sensors and alarms to alert guard staff of infiltration, but they cannot prevent entry any better than an open swing door with sensors. Therefore, their presence only deters individuals who may attempt to climb or crawl through the entrance. These solutions are appropriate for highly guarded, supervised data center locations, or any internal location requiring authorized access, such as food court areas, private work spaces, or on-site office suites.
Security entrances that prevent unauthorized entry allow for the elimination or reallocation of guard supervision, providing owners with a quick return on investment. These solutions include revolving doors and interlocking mantrap portals, which are virtually impenetrable and capable of automating tailgating and piggybacking prevention governance. Deployed at main entrances, employee-only entrances, and to secure ingress and egress to critical infrastructure, these solutions incorporate the same security principles that are used in network security design. Segmented connectivity, redundant unauthorized entry checks, and automated issue resolution are all very important to effectively deploy an unattended entry design.
Layered Security for Data Centers
In addition, cost-effective layering of physical security is critical. As you move from the perimeter of a facility to the critical infrastructure, the layering of unattended secured entrances becomes exponentially effective and must report and measure its own risk level. Every entry point must clearly define the risk of a breach, and that’s what’s missing in most layering strategies deployed today. Implementing this “layered” strategy, with increasing security levels protecting each step towards the most sensitive materials, is the best way to protect a data center’s assets and people. And while every data center and colocation is different, the following outline provides a foundation for a strong cyber-physical security strategy.
Layer 1: The Perimeter
Physical security starts with keeping unauthorized pedestrians and vehicles outside the inner fence line premises altogether. Full height turnstiles are ideal for this first layer, providing a physical deterrent against infiltration. Until recently, full height turnstiles were susceptible to piggybacking, wherein two people would squeeze through in the same compartment. New robust outdoor-rated sensor technology now detects when two people attempt to enter the turnstile using one credential and locks the turnstile, preventing entry. These new sensors also feature “walk-away” detection that locks the turnstile if an individual presents their credentials for access authorization, is approved so that the turnstile unlocks, starts to enter the turnstile, and then backs out. This feature, combined with a completed rotation switch output, can determine with certainty who is, or is not, inside the building.
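The reconciliation that last point implies, as an added example that is not from the original article or any vendor: a credential approval only counts as a passage once the completed rotation switch fires, and a walk-away or two-person lock cancels it. The event names, tuple layout, lane ids and badge names are all assumptions constructed for illustration.

```python
def reconcile(events):
    """Return (badges inside, anomalies) from time-ordered turnstile events."""
    pending = {}  # lane id -> (badge, direction) approved but not yet rotated
    inside, anomalies = set(), []
    for ts, lane, kind, badge, direction in events:
        if kind == "granted":
            pending[lane] = (badge, direction)
        elif kind in ("walk_away", "two_person_lock"):
            # The turnstile re-locked, so the approval never became a passage.
            pending.pop(lane, None)
            if kind == "two_person_lock":
                anomalies.append((ts, lane, "piggyback attempt blocked"))
        elif kind == "rotation_complete":
            grant = pending.pop(lane, None)
            if grant is None:
                anomalies.append((ts, lane, "rotation without a grant"))
            elif grant[1] == "in":
                inside.add(grant[0])
            elif grant[0] in inside:
                inside.remove(grant[0])
            else:
                anomalies.append((ts, lane, f"{grant[0]} exited but was never inside"))
    return inside, anomalies

def granted_in(events):
    """Naive view: every badge the access control system approved inbound."""
    return {b for _, _, kind, b, d in events if kind == "granted" and d == "in"}

# Constructed sample events (hypothetical format, not real turnstile output).
EVENTS = [
    ("08:00:01", "T1", "granted", "alice", "in"),
    ("08:00:04", "T1", "rotation_complete", None, None),
    ("08:01:10", "T1", "granted", "bob", "in"),
    ("08:01:15", "T1", "walk_away", None, None),
    ("08:02:30", "T2", "granted", "carol", "in"),
    ("08:02:33", "T2", "two_person_lock", None, None),
    ("08:05:00", "T1", "granted", "dave", "out"),
    ("08:05:03", "T1", "rotation_complete", None, None),
]

if __name__ == "__main__":
    print("approved inbound:", sorted(granted_in(EVENTS)))
    print("actually inside :", sorted(reconcile(EVENTS)[0]))
    print("anomalies       :", reconcile(EVENTS)[1])
```

The gap between the two sets is what a badge-only access log hides: approvals that never turned into a completed rotation.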
Layer 2: The Building Entrance
Once inside the facility perimeter, authorized people should either be staff, customers, or confirmed contractor visitors. Installing a security revolving door at the building entrance can easily accommodate already confirmed staff, customers, and visitors with badges. Approved individuals without a badge will have to be escorted into the facility and issued a credential while escorted, which is typically exchanged for a driver’s license or passport. By using security revolving doors at the building entry, sophisticated sampling algorithms can confirm only a single person enters with each approval, similar to the sensors used on full height turnstiles at the fence line as described above. The significance of these algorithms is that the security revolving door can then measure and predict the level of risk, which data center operators do not currently do. In addition, the architectural revolving door is always closed, even during use, and as a result further supports building air make-up, humidity, and dust filtration environmental systems. These revolving doors can be reinforced with vandal-resistant or bullet-resistant glass for additional security and to help buy precious time when under a serious brute force attack.
Layer 3: The Building Interior
In some designs, a traditional swing door with a card reader is used to enter the reception area of the data center. This is acceptable when the proper measures are in place for vehicles and pedestrians as described above. When this design is used, the second layer is installed between the entrance lobby and the rest of the building interior. This layer, which can again be implemented with a security revolving door, prevents any visitors from slipping by the reception desk and allows customers and contractors to simultaneously come and go freely. In addition, you still benefit from all the humidity and dust air filtration advantages and brute force protections described above.
Layer 4: The Critical Infrastructure (Server Rooms)
For the protection of the most sensitive areas in a data center, the critical infrastructure (server rooms or white space), interlocking mantrap portals enforce the one-person rule and the verified right person, both critical for maintaining compliance. The most important design aspect of an interlocking portal is user substitution prevention. This is an automated, enforced sequence of operations that guarantees that identity verification does not allow for collusion and substitution. It’s not enough to guarantee one person at a time; you must make sure that it’s the right person. Once a user presents their credentials, the first door opens. As the user enters the portal, a sampling to confirm the one-person rule takes place. If those samples are good, the first door closes. As it completes its closure, the portal redundantly re-samples. If those samples are good, only at that time is the biometric device turned on. This is how you prevent substitution: delaying the operability of the biometric device, combined with redundant one-person rule samplings. By using an unattended secured entry interlocking portal design that utilizes the same sophisticated sampling algorithms used by the security revolving doors, you measure risk again, which is how you exponentially reduce the threat surface by layering and measuring at each point. The significance of these algorithms is that you can then measure and predict the level of risk, which data center operators do not currently do. As previously mentioned, the interlocking portal supports building air make-up, humidity, and dust filtration environmental systems and can be reinforced with vandal-resistant or bulletproof glass as well.
Many applications require that interlocking mantrap portals be incorporated into fire-rated walls, which can be easily accomplished by securing one directly to a fire-rated swing door. Half portals that attach to an existing fire-rated swing door also make it easy to transform an ordinary door into a high-security entrance.
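The portal sequence described above, modeled as a small state machine. This is an added example, not code from the original article or from any portal vendor; the class, method and state names are hypothetical, and the final step (a biometric match against the presented credential releasing the second door) is an assumption about how the sequence ends.

```python
from enum import Enum

# States follow the order given in the text; PASSED is the assumed last step
# and REJECTED is sticky until the portal is reset.
State = Enum("State", "IDLE DOOR1_OPEN DOOR1_CLOSED BIOMETRIC_ON PASSED REJECTED")

class Portal:
    def __init__(self):
        self.state, self.credential_id, self.log = State.IDLE, None, []

    def _move(self, state, note):
        self.state = state
        self.log.append((state.name, note))
        return state

    def present_credential(self, user_id):
        if self.state is not State.IDLE:
            return self._move(State.REJECTED, "credential out of sequence")
        self.credential_id = user_id
        return self._move(State.DOOR1_OPEN, "door 1 opens")

    def occupancy_sample(self, people):
        if self.state not in (State.DOOR1_OPEN, State.DOOR1_CLOSED):
            return self._move(State.REJECTED, "sample out of sequence")
        if people != 1:
            return self._move(State.REJECTED, "one-person rule violated")
        if self.state is State.DOOR1_OPEN:
            return self._move(State.DOOR1_CLOSED, "door 1 closes")
        return self._move(State.BIOMETRIC_ON, "biometric device enabled")

    def biometric_scan(self, user_id):
        # The reader stays off until both samples pass, which blocks substitution.
        if self.state is not State.BIOMETRIC_ON:
            return self._move(State.REJECTED, "biometric device is off")
        if user_id != self.credential_id:
            return self._move(State.REJECTED, "biometric does not match credential")
        return self._move(State.PASSED, "door 2 opens")

def run(events):
    """Replay (method, argument) pairs; return final state name and log."""
    portal = Portal()
    for method, arg in events:
        getattr(portal, method)(arg)
    return portal.state.name, portal.log

# Constructed scenarios, not real portal telemetry.
START = [("present_credential", "alice"), ("occupancy_sample", 1)]
OK = START + [("occupancy_sample", 1), ("biometric_scan", "alice")]
EARLY_SCAN = START + [("biometric_scan", "alice")]   # scan before the re-sample
SECOND_PERSON = START + [("occupancy_sample", 2)]    # re-sample sees two people
```

Replaying `EARLY_SCAN` shows why the delayed reader matters: a scan offered before the redundant re-sample is rejected, even for the credential holder.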
The Power of Unattended Secured Entry
While deterring, detecting, and preventing unauthorized entry are the primary functions of secured entry solutions, there are a number of secondary benefits afforded by security entrances related to energy efficiency, regulatory compliance, and efficient labor allocation.
Conventional swinging and sliding door entrances create a hole in the building envelope every time someone passes through, allowing outside air to rush in to displace the controlled internal atmosphere. In fact, as much as 50% of the total energy loss in a well-insulated building occurs through and around doors and windows. Security revolving doors and interlocking portals provide energy-efficient entrances that are always closed, thus driving efficiency and assisting with contamination control during everyday use. These types of solutions further minimize air infiltration and pressure changes inside the white space of a data center and therefore help to reduce the negative impact of dust referred to as zinc whiskers.
Beyond security, secured entry solutions empower staff with the infrastructure and tools they need to meet certifications and demonstrate absolute customer audit compliance. This includes automating compliance for physical entry/exit points, reducing downtime, and creating immutable 90-day archived records and alarm retrieval records for customers, shareholders, insurance, and audits. In this way, secured entry solutions are ideal for maintaining compliance with industry regulations such as the Gramm-Leach-Bliley Act (GLBA), the December 9, 2022 Safeguards Rule, the Federal Information Security Management Act (FISMA), ISO 27001, the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF), the Payment Card Industry Data Security Standard (PCI DSS), System and Organization Controls (SOC) 1, SOC 2, SOC 3, the International Traffic in Arms Regulations (ITAR), and more.
Lastly, many data centers choose to employ guards as a part of their security strategy. And while guards provide a strong physical deterrence, the recent talent shortage has made sourcing reliable staff a challenge for many data centers. Security entrances successfully fill the gap between labor supply and demand by offering solutions that operate independently of or in tandem with security guards. These solutions reduce the current strain on human capital by offering a technology-based alternative. In the case of preventative secured entry solutions, organizations can now rely on unmanned security entrances that function 24/7/365 instead of employing multiple guards to maintain secure entrances.
Physical Security is Cybersecurity
Most data centers are aware of the critical nature of physical security as it relates to the protection of their cyber assets. Unfortunately, the traditional methods of data center security are largely governance-dependent or reactionary in nature. Surveillance systems cannot actively stop an intruder. Guards can be fooled by social engineering tactics. And access control systems, as discussed, are unable to prevent unauthorized entry commonly caused by tailgating or piggybacking.
It takes a proactive, preventative solution installed at the door to thwart various attempts of unauthorized entry – one that only unattended secured entry solutions can provide.