Although a large portion of data center security focuses on virtual threats, such as hackers and malware, physical site security is just as critical. A thief or saboteur in the flesh can cause as much damage as one in cyberspace, if not more. One of the keys to strong data center security is careful control of access to the facility. But every security procedure can be compromised; even the most stringent multifactor biometric authentication system can be defeated, particularly when an intruder “piggybacks” or “tailgates” legitimate personnel into a secure area. That’s where so-called mantraps can offer some benefits.
Mantraps: Basically What the Name Indicates
A mantrap is essentially just that: a small room designed to “trap” those who would enter a secure area of a facility. This “trap” enables security—whether a system or an employee—to verify the credentials of the entrant and either allow access or trigger alerts indicating an unauthorized entry attempt. Mantraps, which are sometimes called security vestibules, are small rooms with two or more doors. Authentication procedures may be required either at just the door to the secure area or at all doors.
The simplest implementation of a mantrap involves two doors: one connects the vestibule to the secure area, and one connects to the nonsecure area. Here’s a brief overview of how an automated version of these security systems works; in this case, authentication is assumed to be required at both doors.
- Someone wishing to gain access to a secure area applies the necessary credentials at the door to the mantrap. These credentials might include a keycard, PIN, biometrics or some combination thereof. On successful authentication, the door to the mantrap unlocks automatically, allowing entry to the mantrap.
- The first door to the mantrap then locks, preventing other individuals from entering the mantrap. A good automatic mantrap will implement some system, or a combination of systems, to prevent more than one person from entering the mantrap at a time. If more than one individual is detected, access is denied and alerts are triggered.
- The individual in the mantrap then applies required security credentials once more—these may be the same as for the previous door or different. When these credentials are verified, the individual is allowed entry to the secure area. Until this door is closed and locked once more, no one else is allowed into the mantrap.
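The sequence above can be modeled as a door-interlock state machine in which the two doors are never unlocked at the same time. The Python below is an added example, not code from the original article or from any mantrap product; the class and method names, the sensor-supplied occupant count, and the emergency release toward the nonsecure side are assumptions made for illustration.

```python
from enum import Enum, auto

class State(Enum):
    IDLE = auto()        # vestibule empty, both doors locked
    OUTER_OPEN = auto()  # outer door released for one entrant
    OCCUPIED = auto()    # one entrant inside, both doors locked
    INNER_OPEN = auto()  # inner door released into the secure area
    ALARM = auto()       # entry denied, needs operator attention

class Mantrap:
    def __init__(self, outer_ok, inner_ok):
        self.outer_ok, self.inner_ok = outer_ok, inner_ok  # credential checks
        self.state, self.alerts = State.IDLE, []
        self.outer_locked = self.inner_locked = True

    def badge_outer(self, cred):
        # Step 1: the outer door releases only when the vestibule is idle.
        if self.state is State.IDLE and self.outer_ok(cred):
            self.outer_locked, self.state = False, State.OUTER_OPEN
            return True
        self.alerts.append("outer door denied")
        return False

    def outer_closed(self, occupants):
        # Step 2: relock, then apply the one-person rule to the sensor count.
        if self.state is not State.OUTER_OPEN:
            return
        self.outer_locked = True
        self.state = {0: State.IDLE, 1: State.OCCUPIED}.get(occupants, State.ALARM)
        if self.state is State.ALARM:
            self.alerts.append(f"tailgating: {occupants} occupants")

    def badge_inner(self, cred):
        # Step 3: second authentication, only for a verified single occupant.
        if self.state is State.OCCUPIED and self.inner_ok(cred):
            self.inner_locked, self.state = False, State.INNER_OPEN
            return True
        self.alerts.append("inner door denied")
        return False

    def inner_closed(self):
        # A new entrant is accepted only after the inner door relocks.
        if self.state is State.INNER_OPEN:
            self.inner_locked, self.state = True, State.IDLE

    def emergency_release(self):
        # Life safety (assumed design): free exit to the nonsecure side, inner door locked.
        self.outer_locked, self.inner_locked, self.state = False, True, State.ALARM
        self.alerts.append("emergency egress")
```

A valid credential presented at the inner door is still refused when the occupant count was not exactly one, which is the property that defeats tailgating.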
Thus, mantraps seek to eliminate piggybacking and tailgating into secure areas, improving access control by more carefully allowing or denying admittance to these areas. Any number of variations on the above example can also be used. For instance, a manual mantrap might involve security guards monitoring potential entrants as they pass through. This system provides a better guarantee (assuming the guards remain attentive) that only the credentialed individual can access the secure area, but it may be more expensive in the long term. Automated mantrap systems require a greater capital cost, but this cost can quickly be exceeded by the labor costs associated with employing guards. For companies that want the ultimate in security, a combination of automated and manned monitoring of the mantrap is an even stronger option; of course, the costs rise commensurately.
The Challenge: One Person in the Mantrap
Mantraps are designed to prevent unauthorized individuals from following authorized personnel into secure areas. Thus, the key to making a mantrap work is ensuring that only one person is in the mantrap at a time. If done properly, this means that only individuals with proper credentials can enter secure areas (of course, those credentials must legitimately be only for the correct personnel—another security challenge altogether). If the mantrap is monitored by a security guard, this isn’t difficult, conceptually. As long as the guard is paying attention, he can check to be sure that only one individual is in the mantrap at any one time. The challenge is performing this task automatically.
A variety of approaches to this problem have been devised. Some involve infrared sensor beams that count the number of entrants to the mantrap. Others involve pressure mats that ensure only one individual is in the mantrap, or video analytics that attempt to ascertain whether more than one person is present. One of the difficulties with these approaches, however, is allowing access by authorized personnel bringing large items into the secure area. In these cases, pressure mats or beam-break systems may interpret a pull-behind container, for instance, as a second individual, thus triggering an alert. More-advanced systems attempt to solve this problem; an example is Newton Security’s T-DAR system.
Obviously, a more complicated system for ensuring only one person is present in a mantrap is more costly, but it still may be a more appropriate option for companies that wish to keep overall costs down, since it eliminates labor costs. Again, however, an actual set of eyes on the mantrap improves security further, and this may be appropriate for companies desiring maximum security around their data centers.
One major concern with mantraps is safety. To avoid a dangerous situation in the event of a fire or other disaster, the mantrap must allow an individual to exit into the non-secure area. This may, of course, trigger an alarm, but the individual cannot be forcibly detained—for fire-hazard and other reasons. Furthermore, mantraps must be built large enough to comply with U.S. ADA (Americans with Disabilities Act) regulations, allowing disabled personnel to use them. The basic construction of a mantrap need not be complicated, so it doesn’t add huge costs in and of itself. Automated security measures, however, will add fair costs, although they may be a small price for the added security.
Do You Need a Mantrap?
So, does your data center need a mantrap? Obviously, the answer to this question varies. Some security is always a good preventative measure to protect your facility, but a mantrap may be overkill if physical threats to your company are minimal. In such cases, the added cost of constructing and either purchasing automated security systems or hiring guards may be unaffordable or simply unnecessary. This is especially true if other security measures prevent access to the company campus. If security is a high priority, however, a mantrap can be a good addition that prevents piggybacking and tailgating into secure areas, like a data center. As with any design decision, determining whether to use mantraps requires balancing security concerns with budgetary concerns. If you opt to build a mantrap, be sure your company can afford either (or both) the automated systems or the security employees necessary to ensure the mantrap works correctly—that is, only one person is admitted at a time, and that person is required to provide the proper credentials to gain access to secure areas.
Photo courtesy of Tom Raftery