Data Center Security from the Outside In
03.15.2023
Amid growing concerns about cybersecurity, physical data center security can sometimes be a blind spot. With attacks on critical infrastructure on the rise, however, it’s critical that data center managers give it the attention it deserves.
Approaching physical data center security in layers—relying on multiple levels of control—is the best way to physically protect your data center. If the first layer of defense is breached, then the attacker has to go to work on the second layer. This hopefully makes it much harder for an unauthorized person to gain access to your data center.
Here are four layers to consider in your data center security strategy.
1. Perimeter Security
The opportunity to create a first line of defense exists at the building perimeter. While not every threat begins here, some will inevitably start beyond your building’s walls.
The goal of perimeter data center security is to detect potential threats that may be approaching, delay access to the facility (or utility systems) and deter unauthorized parties from reaching the door or a restricted zone or floor.
Depending on your site, perimeter security can take on many forms:
- Tall barriers surrounding the facility, such as anti-scale fencing
- Landscaping that provides natural surveillance and creates natural barriers
- Locked entry gates integrated with access control
- Perimeter fencing with sensors that detect motion and send alerts (intrusion detection systems)
- High-definition surveillance to monitor activity around the facility, including parking areas, property lines and docks; built-in video analytics can read license plates and send alerts about unusual behavior or activity
- Exterior lighting to reduce potential hiding spots
2. Building-Level Security
If an intruder is able to slip past the perimeter and move closer to your facility, then building-level security acts as a second layer of defense. The intruder may be able to reach your exterior walls or entrances, but can they get inside?
To restrict access to your facility, building-level security can include measures such as:
- Reduced numbers of entry points
- Access control systems with anti-tailgating features to allow only one person through at a time
- Dual-identification systems (biometrics + a badge)
- Visitor management systems that track and monitor who enters and exits—and what they have access to while they’re onsite
- Human guards to manually check IDs and grant access
- A mantrap that unlocks an access door only after the entry door to the mantrap is closed and locked
- High-definition surveillance to monitor entrances, hallways and public spaces; built-in video analytics can help with facial recognition
Within this layer, it’s important to protect not only against bad actors, but also against natural disasters. While this topic warrants a separate discussion, it’s vital to consider smoke detection systems, water leakage detection systems, rodent repellent systems and remote monitoring for HVAC systems. They can all help detect problems early, before they lead to equipment damage and downtime.
3. Security for White Space and Gray Space
If an unauthorized person gains access to your facility, the next step is to keep them far from your production floor: the data center’s white space. This is the area dedicated to IT equipment and infrastructure. If a bad actor makes their way into your white space, then they have access to network gear, racks, servers, power distribution and more.
This security layer must protect not only against unwanted threats, but also against insider threats—people who are authorized to access the white space but may have malicious intent.
Data center security at this level can involve:
- Reduced numbers of entry points
- Access control systems with anti-tailgating features to allow only one person through at a time
- Dual-identification systems (biometrics + a badge)
- High-definition surveillance to monitor the data center entrance, aisles, etc.; built-in video analytics can help with facial recognition as well
These same tactics can be used to protect your data center’s gray space. While it contains back-end equipment instead of IT equipment, unauthorized visitors could still wreak havoc on your data center by tampering with chillers, UPS systems or other electrical or mechanical systems.
4. Cabinet- and Rack-Level Security
The fourth and final layer of data center security involves protecting cabinets. If an unauthorized visitor or employee happens to make it into your data center, the goal is to keep them out of your cabinets. They shouldn’t be able to gain access to the gear residing inside.
Cabinet-level security can include a number of options:
- Keyed cabinet systems
- Access card authentication or biometric systems that can record access attempts and send alerts to designated staff when needed
- Systems that allow remote locking and unlocking of specific cabinets
- In-cabinet or in-room cameras that capture video and photos of who’s accessing the cabinet—and when
- Dual-custody mode (requiring two users to be present to gain access)
Cabinet-level security systems should also ensure that even trusted users have access only to the cabinets they’re authorized to work on. If a service technician is authorized to work on a specific server rack, then they should be able to gain access only to that rack. There should also be an extensive audit trail detailing who touched the systems and when. This also supports HIPAA and PCI requirements by documenting who accessed your equipment for reporting purposes.
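One way to model the per-rack authorization, dual-custody and audit-trail controls described above, as an added example that is not from the article or any vendor product; the CabinetController class, the rack and badge identifiers and the timestamps are all constructed for illustration:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class CabinetController:
    # cabinet id -> badge ids allowed to open it (least privilege per rack); constructed data
    authorizations: Dict[str, Set[str]]
    # cabinets that require two distinct authorized people to be present
    dual_custody: Set[str] = field(default_factory=set)
    audit_log: List[dict] = field(default_factory=list)

    def request_access(self, cabinet: str, badges: Tuple[str, ...], ts: str) -> bool:
        """Decide one unlock request and record it in the audit trail."""
        present = set(badges)
        allowed = self.authorizations.get(cabinet, set())
        required = 2 if cabinet in self.dual_custody else 1
        if cabinet not in self.authorizations:
            granted, reason = False, "unknown cabinet"
        elif present - allowed:
            # a technician authorized for rack A gets nothing on rack B
            granted, reason = False, "unauthorized badge: " + ",".join(sorted(present - allowed))
        elif len(present) < required:
            granted, reason = False, f"dual custody: {required} distinct users required"
        else:
            granted, reason = True, "ok"
        self.audit_log.append({"ts": ts, "cabinet": cabinet, "badges": sorted(present),
                               "granted": granted, "reason": reason})
        return granted

    def alerts(self) -> List[dict]:
        """Denied attempts that designated staff should be notified about."""
        return [e for e in self.audit_log if not e["granted"]]

    def access_history(self, cabinet: str) -> List[Tuple[str, List[str]]]:
        """Who opened a cabinet and when, for HIPAA/PCI-style reporting."""
        return [(e["ts"], e["badges"]) for e in self.audit_log
                if e["cabinet"] == cabinet and e["granted"]]


def demo() -> Tuple[CabinetController, List[bool]]:
    """Walk four constructed requests through the controller."""
    ctl = CabinetController(
        authorizations={"rack-07": {"tech-alice", "tech-bob"},
                        "rack-12": {"tech-carol", "tech-dave"}},
        dual_custody={"rack-12"},
    )
    results = [
        ctl.request_access("rack-07", ("tech-alice",), "2023-03-15T09:00Z"),               # own rack
        ctl.request_access("rack-12", ("tech-alice",), "2023-03-15T09:05Z"),               # wrong rack
        ctl.request_access("rack-12", ("tech-carol",), "2023-03-15T09:10Z"),               # one of two
        ctl.request_access("rack-12", ("tech-carol", "tech-dave"), "2023-03-15T09:12Z"),  # both present
    ]
    return ctl, results
```

The two denials land in `alerts()` for staff notification, while `access_history()` answers the "who touched this rack and when" question the audit trail exists for.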
Learn More About Data Center Security
Finally, it’s critical to remember that the physical layer—your network infrastructure—needs to be able to support these physical security technologies. If cabling and connectivity cause transmission errors, then your security systems may not perform as expected.