Designing Data Centre Security Systems
A data centre provides a secure and managed environment for server facilities. How datacentre organisations across the world approach the ‘secure’ element of this definition has some very common factors. The most secure and safe datacentre infrastructures are designed in multiple layers to prevent intrusion and, if a single layer is penetrated, to quickly and effectively contain the individual(s) and the threat.
The basic premise for any security plan, its design and implementation, is to start with a Risk Assessment and Method Statement (RAMS) document. This should cover the overall risk to the datacentre's sensitive IT systems and the wider facility in terms of a breach or security violation. From this it is then possible to review physical security and build in the required systems and checkpoints.
One of the key principles when it comes to access and security in a datacentre environment is to maintain a low-key appearance. Datacentres don’t normally advertise their presence and often you cannot find their address on their website. Some datacentres build themselves within an existing building on a trading estate, simply to maintain low visibility. The only signs external to the building may be concrete bollards (anti-ramming).
As part of a secure datacentre design, windows are often avoided within sensitive parts of the building and most certainly in the data hall itself. Windows may be present in reception and general office areas but even here security measures are taken to ensure the glass is double-glazed, shatter-proof and laminated.
Entry points to any datacentre facility must be controlled. Often this starts at the building car park entrance, which will have its own secure access point. No one can enter without first providing identification and being booked in for a visit to the datacentre in advance. This includes lorries delivering equipment, cleaning companies, supplier visitors and clients. Where lorry access is provided, the loading bay doors should be secure and controlled by shutter motors. Secure access for vehicles should include anti-passback barriers so that tailgating does not provide a weak point of entry.
Each visitor will have to access the facility by a controlled doorway, signing in after showing proof of identity, which could be a passport or driving licence. Man-traps may also be used as an entry control point from reception to the main building. These allow only one person to enter at a time. Once approved for entry, the person should be given a zone-specific security pass that only allows them into certain areas, and at all times they should be observable by CCTV monitoring.
Of course, not every datacentre building is ‘new build’. Sometimes a brownfield site or existing building may be refurbished. Here there is no point in scrimping on costs. It can be far better to rip and replace existing infrastructure than to make do. A classic example is to change and upgrade door locks and window locks but leave the existing hinges in situ. By default, these will be of an old design and rarely designed for a datacentre type environment. They provide an ideal opportunity for an easy hack into a building with pins that could simply pop out.
We’ve mentioned CCTV, and with CCTV the more cameras the better. Blind spots must be avoided and there should be a certain level of resilience in the number of cameras available, so that a single failure does not open an entry point or blind spot. All CCTV cameras should be full pan, tilt and zoom with motion capture, infrared and colour pictures and automatic storage offsite in real time. This way, if the local storage device (DVR) is damaged or stolen, there is a backup. As well as high quality and secure perimeter cameras, it is also important to have the same quality cameras inside the building on every entry and exit point.
As part of the fire planning, the building will have to have fire exit doors but these should be exit only and alarmed. Fire doors are required to meet health & safety requirements and if they are opened, alarms should sound and be monitored on both the fire/alarm and security monitoring systems. Doors should also be timed with alarms set to sound and report if they are left open for too long.
Zone-specific access is an important point: visitor and employee access passes can only pass through the swipe card access points they are allowed to use. Local proximity access card readers can also accommodate biometric measures for added security. Access logs should also be reviewed regularly and ideally combined with CCTV footage audits.
Any visitor to the facility, or any employee, sub-contractor or supplier, will more than likely require a parking space and this means access to a parking area. This should also be controlled with a gated entry and exit barrier point that can be operated remotely by the security team once a driver and car registration have been identified. The car registration is an important point, as this should be recorded as part of any pre-planned visit to the centre along with personnel identification, invitee name and the purpose of the visit. This will prevent anyone without a booked visit entering the secure car park area, which by default will be close to the facility.
Landscaping the surrounding area can also help to prevent anyone either easily accessing the car park or moving from here to ram into the building itself. The car park can be set back from the facility and major access roads, with suitably placed items (large ornaments or boulders) to prevent direct access at any potentially damaging speed.
Security staff at the datacentre facility may be outsourced or employed directly by the datacentre facility. Sub-contract staff can be changed at any time and at short notice and this can be useful to cover illness, holidays and even to ensure ‘freshness’. This latter point is important. Employed security staff can have greater knowledge of a facility, its employees and operations which can assist in protecting the building and its operations. This can also lead to a degree of lethargy from routine. On the other hand, when using sub-contract staff, the building’s security is reliant on the HR, recruitment, training and quality control procedure of the security supplier.
No matter what level of security you want around your datacentre facility, it is important to build up layers of security around your most sensitive area: the data hall. Before entry to here, any one person should have had to go through multiple entry and control points, each providing an opportunity to prevent overall access.
Above all, it is important to regularly (and irregularly) test your security systems. Whether simple or complex, single points of failure can occur and it’s only through testing that these can be identified and corrective and preventative actions taken. Typical examples include the non-return of visitor passes and access cards, the failure to inform a building team the moment an employee has been terminated, or miscommunication when security teams change or works are being carried out onsite.
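The access log review and the pass failures described above (unreturned visitor passes, leavers whose cards stay live, passes used outside their zone) can be checked mechanically before the CCTV audit. The following is an added example, not part of the original article; the badge register, event format and all names in it are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: badge register (permitted zones, validity end)
# and door-reader events. None of this comes from a real access system.
BADGES = {
    "V-104": {"zones": {"reception"}, "valid_until": "2024-03-01T17:00"},
    "E-017": {"zones": {"reception", "office", "data_hall"},
              "valid_until": "2024-02-28T18:00"},   # leaver, card never revoked
    "E-022": {"zones": {"reception", "office"}, "valid_until": "2024-12-31T23:59"},
}
EVENTS = [  # (timestamp, badge, zone, direction)
    ("2024-03-01T09:00", "V-104", "reception", "in"),
    ("2024-03-01T09:20", "V-104", "data_hall", "in"),  # outside the pass's zones
    ("2024-03-01T10:00", "E-017", "reception", "in"),  # card used after termination
    ("2024-03-01T10:05", "E-022", "office", "in"),
    ("2024-03-01T10:06", "E-022", "office", "in"),     # second 'in' with no 'out'
    ("2024-03-02T08:00", "V-104", "reception", "in"),  # visitor pass not returned
    ("2024-03-02T08:01", "X-999", "reception", "in"),  # badge not in the register
]

def audit(events, badges):
    """Return (timestamp, badge, finding) tuples to cross-check against CCTV."""
    findings = []
    inside = set()  # (badge, zone) pairs currently recorded as inside
    for ts, badge, zone, direction in sorted(events):
        record = badges.get(badge)
        if record is None:
            findings.append((ts, badge, "unknown badge"))
            continue
        if datetime.fromisoformat(ts) > datetime.fromisoformat(record["valid_until"]):
            findings.append((ts, badge, "badge used after expiry"))
        if zone not in record["zones"]:
            findings.append((ts, badge, f"zone '{zone}' not permitted"))
        key = (badge, zone)
        if direction == "in":
            if key in inside:  # entered twice without leaving: shared or tailgated pass
                findings.append((ts, badge, "anti-passback: repeated entry"))
            inside.add(key)
        else:
            if key not in inside:
                findings.append((ts, badge, "anti-passback: exit without entry"))
            inside.discard(key)
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS, BADGES):
        print(*finding, sep="  ")
```

Each finding carries the reader timestamp, which is the index into the CCTV footage for that door.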
Overall, datacentre security remains high for many facilities. Physical access control and prevention is important to help guarantee overall datacentre operations. A well-planned, installed and tested system will be the most secure and prevent any type of unauthorised access, which could in the end have disastrous consequences both for the datacentre and those reliant on its data processing and services.