When customers are evaluating various data center and colocation facilities, they often turn to Align’s site selection experts to help evaluate the various facilities against their business and technology criteria. An important area we suggest they pay close attention to is the way the facilities manage and operate their physical security.
The following article offers best practices insights to mitigate physical threats and intrusions.
Bolster your defenses
The most basic and obvious concern is the ability of your data center to withstand outright physical damage. Inclement weather and disasters like flooding and earthquakes should be accounted for, as well as the possibility of man-made disasters. Robust infrastructure and disaster-proofing can guard against initial damage, and it’s just as important to have resources and processes for disaster response once an incident occurs. A fire prevention system, including extinguishers and emergency shutoff mechanisms, are essential to minimizing damage. Cooling towers and a redundant power supply will also help to control and mitigate any potential fallout. Pre-disaster training and prevention are essential: staff working within the data center space should understand proper procedures for trash disposal and facilities care, as well as all processes for reacting to and recovering from disasters. Post-disaster, it’s essential to have a disaster recovery plan, which will include who to notify, the steps to access and fix any damage, as well as an understanding of available backup resources and facilities.
The design of your space should also be bolstered against physical intrusions from people, not just natural disasters and other weather-related incidents. It’s best to have a fence around the entirety of your facility (20 feet from the actual building is generally recommended), and the walls shouldn’t butt up against another building if possible. Entry points should be limited and controlled; required fire exits should be exit only and anyone entering the facility should be funneled through an authentication process. Windows should be shatter-resistant, and there should never be windows with a view of computer rooms—a direct view of your hardware can provide a target for Van Eck phreaking or other tools that use radio frequencies to damage equipment. One final concern that can be often overlooked: try not to openly advertise that your building stores sensitive data. Unassuming, unadorned buildings (ideally without “Data Center” splashed all over the sides) will attract less attention and make your space less of a target.
Your Weakest Link is Human
At every step, from the design to the maintenance and security of your data center, human error (or intent) can create problems and expose critical vulnerabilities. With so much room for error, it’s important to carefully choose and monitor the people involved in your data center. All employees from security to engineers to janitorial staff must undergo background checks to screen for potential threats or criminal history. Empower security and position them at key strategic access points where anyone enters the building, or even your parking lot. Make sure it’s clearly communicated to staff that all visitors must be escorted by the person they’re visiting, and emphasize the importance of keeping personal identifiers and information—like key cards, passwords and other access credentials—private in every situation. Maintain strict layers of access, escalating toward the most important and vulnerable parts of your data center. Anyone looking to access the most secure areas should have multiple (more than two) layers of authentication.
Accountability Through Processes
It can be tempting to hold doors or gates for people behind you as a courtesy, and this is a situation bad actors take advantage of; discourage your employees from doing so, or make your checkpoints single entry by design to preempt the problem entirely. Once you’ve screened your people and implemented security mechanisms, it’s important to regularly audit your security to ensure things are working as intended. Maintain detailed access logs, test your security systems and your employees, and keep your personnel accountable for upholding the utmost standard of diligence against to thwart threats. Security risks will continue to evolve and change, so accountability and assessments will keep your policies from becoming outdated or exploitable. Attackers will adapt their tactics, and safety depends on your defenses adapting as well.
The cornerstone of keeping your security robust and functional will be the creation of and adherence to policies, which will guide your employees’ decision-making at every stage of a physical threat. Clear, thorough policies for controlling personnel entry will support an understanding and respect for the gatekeepers in your data center space. Disaster policies, as mentioned earlier, play a critical role in minimizing and preventing damage from fires, earthquakes and extreme weather. At regular intervals, your security processes should be tested and vetted to make sure they remain compliant and effective at repelling intrusions. Building and establishing the right standards is a monumental initial step, but keeping everyone accountable and in line with best practices makes the best laid plans actually successful.
Physical threats remain a real risk and are often difficult to account and prepare for. Nonetheless, thorough preparation remains effective in mitigating and minimizing damages, which can be critical in avoiding massive data loss, IP theft, or huge disaster recovery expenses that otherwise could have been avoided. Attackers are resourceful and persistent, but a solid defense will keep you in business and keep your greatest threats at bay.
If your organization is considering a new data center or colocation facility, our specialists bring over 20 years of experience across all global marketplaces. Speak to a data center specialist today.
Data Center. Image Credit: Align