Physical security – getting your house in order
Posted: January 10th, 2015
Data centres face many physical security threats – here, Securiclad’s managing director, Mike McColl, looks at how businesses can meet these challenges.
Theft. Sabotage. Terrorism. Corporate espionage. All reasons why data centres could be targeted by criminals. And all reasons why it’s vital to ensure that physical security is high on operators’ agendas.
The consequences of a physical security breach at a data centre can be catastrophic, with damage caused to high value equipment, operational capability and a company’s reputation – not to mention an organisation’s balance sheet.
A burglary, in 2011, at an exchange facility of a major telecommunications provider in Basingstoke, is an alarming example of the potential repercussions of a security breach. During the night, thieves broke into a data centre with the intention to steal specialist networking equipment and IT hardware, and damaged routing equipment in the process. The result? Thousands of people being unable to make calls or send text messages for a significant amount of time and uncertainty, at one point, as to whether personal data had been accessed or compromised.
Protecting data centres from physical attack is therefore a key challenge.
‘Traditional’ security measures have a part to play in protecting a site – and these should form part of a multi-layered approach to safeguarding a data centre. Externally, perimeter fences, barriers, retracting posts at vehicle access points, CCTV cameras and security staff can all deter a physical security breach. Landscaping and planting can also be effective: rocks, for instance, can be used around a site perimeter to prevent forced entry.
Internally, CCTV, alarms, integrated access control systems and appropriately rated security doors and alarms all form part of the defence. Biometric controls, such as fingerprint recognition, are beginning to replace swipe cards, which can be easily stolen, and these controls can be used to monitor and record movement of staff in a facility.
Keeping the number of potential entry points (such as windows) to a minimum is also good practice, as is ensuring that staff are aware of their security responsibilities, and using access control systems to limit access to ‘mission critical’ areas to only certain members of staff.
However, these measures may not be enough to prevent a physical security breach in a data centre. That’s because more traditional partitioning methods will often be used to form enclosures for server rooms, using materials such as plywood, plasterboard and insulation held within a timber frame.
These solutions are not certified by an appropriate security body and offer little or no resistance to an attempted breach by determined criminals using high impact tooling equipment such as sledgehammers, disc grinders, jig saws and high powered cutting devices.
Standard brick or block walls are also vulnerable, as their joints can act as points of weakness. Due to onsite delays and the requirement for wet trades, the implementation of these traditional building methods can create major disruption to a facility and hinder operations.
Any physical security measures – such as wall panels, ceiling panels and locking systems – used to protect critical areas in a facility should be certified by the Loss Prevention Certification Board (the standard is LPS1175) and/or approved by the Centre for the Protection of National Infrastructure (CPNI) to guarantee their quality, suitability and level of certification.
However, even when high-security rated products are used, they are often combined with measures which can easily be breached. A door rated to LPS1175 Security Rating (SR) 4, for instance, can itself withstand attack from implements such as a felling axe, sledgehammer, or drill. But when it is fitted in a poorly specified ‘single skin’ block wall, its level of resistance can be rendered irrelevant.
Data centre operators should therefore carefully consider the quality of a prime barrier when protecting servers, data and IT hardware. A certified, approved system – whether it’s a full modular room or partition – will not only protect critical areas, but will also help operators to comply with insurance requirements.
Security rated composite panel systems can also address the security concerns created by co-location premises, allowing tenant companies to compartmentalise to an increased level of security and protect their IT hardware and data from unauthorised access from elsewhere in a site. After all, firms in co-location premises may not be able to control who their neighbours are for the duration of an occupancy, so securing partitions may offer them peace of mind.
It’s also important to ensure that security measures, such as panelling, have a hygienic, easy to clean finish, as this will minimise the exposure of sensitive hardware to dust.
In recent years, we have observed refinements in the design of new build premises and retrofit alterations which identify ‘mission critical’ areas in a site. These have helped industry decision makers to simplify the product evaluation process by determining the correct and most viable building methods to be utilised in a particular environment.
However, all too often, an ‘inner sanctum’ containing servers, sensitive data and expensive equipment can be left vulnerable to physical attack by haphazard planning, poorly designed security methods and materials which are not fit for purpose. Many systems which have been built up on-site may provide the ‘facade’ of being secure, but have never been tested so offer no reassurance.
Just as they would ensure that a perimeter fence is in good condition, an entrance door is properly secured, or a CCTV system is working correctly, so data centre operators should take steps to install the best level of protection possible to safeguard server and data rooms. Anything less and they will be leaving the door open to disaster.
This article appeared in Inside Networks.