Much of the focus on data center security revolves around the IT component: repelling DoS attacks, identifying and eliminating malware, thwarting remote intrusion attempts, and so on. But physical security is just as important, if not more so. Designing reliable physical security involves many of the same principles as designing reliable network security: properly isolating certain areas, controlling access to others and anticipating (and preparing for) avenues of attack.
Principles of Reliable Physical Security Design
The layout of data centers varies widely. Some are standalone buildings that only house the computer room proper and immediate support areas, whereas others are simply one part of a larger structure with many departments or even many organizations sharing the same street address. In the case of colocation data centers, a lone facility can encompass the property of numerous businesses in the same room. Thus, physical security design must first take into consideration the situation of the data center and address the threats specific to that situation. No one approach can serve adequately in all cases.
In addition, the various aspects of security must be treated in a manner that gives each one its due weight. Jim Cober, principal of critical facilities for Corgan, said, “The key we stress is developing a balanced security design across the physical, technical and operational aspects that are appropriate for the facility. Having any one aspect over- or undervalued leads to an unbalanced dependence, which can result in a security risk.” For instance, a focus purely on preventing non-company individuals from accessing a data center may seem to resolve almost every on-site security concern, except that it fails to address insider threats. Limiting computer-room access to only those employees who need it reduces the risk of insider attacks by cutting the number of authorized individuals and therefore reducing temptations (and targets of extortion or bribery).
Brad Ratushny, director of infrastructure for INetU, notes that physical security should be treated in a layered approach. These layers can involve access control, such as perimeter fencing and guard houses to limit entrance to the campus, as well as man traps and other measures near the computer room; or they can involve authorization and accountability, such as the use of multiple identification factors, video surveillance, alarm systems and security-data analytics. Ratushny said, “Physical security is broken into two pieces. There are the physical elements such as cameras, access control systems and locks, but the operational processes such as visitor and contractor policies, and general awareness training are equally important. If both elements are not addressed, neither will be 100% effective.”
Cober views the design of physical data center security as requiring the synthesis of access and isolation—two opposing concepts. “Access control allows the necessary physical entry to spaces, but also provides accurate tracking and logging of who goes where and when. This creates a safer and more secure environment by allowing employees, visitors, tenants, and other personnel access only to those areas where they are permitted.” On the other hand, “Isolation control limits access through boundaries and creates the preferred separation between activities and spaces. The primary intent is to protect against external physical threats and unauthorized access.” Here, he defines external as residing outside the area being secured. Summarizing the two, he said, “These two control aspects must be designed as a holistic system as they are only as strong as the weakest link.”
These two complementary views help establish a broad philosophy for approaching physical security in a systematic, thoughtful and—the data center operator hopes—reliable manner.