Data Center Access Control

June 12, 2017
Peeling the layers of security

Data centers are unassuming buildings with little or no signage, intentionally nondescript so the public cannot guess what is inside. The assets protected inside are not tangible, but they may be highly confidential personal or business information, or even the private keys that underpin encrypted communication between websites and end users.

The security model of a typical data center in some ways resembles an onion, with each inner layer harder to access than the outer one preceding it. The facility itself contains layers: the perimeter, the building, the data center floor and the cabinet. The security should be layered the same way, with each part of the facility protected by several controls, including barriers, badges, biometrics and video surveillance.

While physical security may not be the first thought in an environment of cloud computing and virtualization, it should not be overlooked or underrated. Controlling access to and within the building and to the servers is critical to overall data center security. By peeling away each layer within the building, the options available to help your customer, and to grow an integrator's data center access control business, become clear.

Peeling the Onion 

A data center can be an enterprise operation, where one company's data is stored and maintained, or a co-location (colo), where multiple companies rent space within the center to store their data. A high level of security is required for both, but the pain points for each differ slightly. Creating security zones based on who actually needs access to each area allows for better control and protects against human error or negligent employees.

The perimeter: Perimeter security is the first line of protection to detect, deter and delay. Fencing, a vehicle gate, an exterior turnstile for foot traffic, and video surveillance should all be integral parts. Integrating motion detection and video content analytics gives a facility the ability to detect objects, count the number of people in a space and even recognize vehicle license plates.

An enterprise location has more options for limiting traffic to the exterior of the building, while a co-location facility, by its very nature, will see more traffic, since personnel from multiple companies require access.

Visitor management: Access points into the building should be limited, while egress remains free. Ideally there are only two entrances to secure: the main entrance and a loading dock area. Many data centers fit the exit-only doors required by fire codes with no handles on the outside.

Layers of security at the front should require people entering the building to authenticate themselves a minimum of three times. The outer door to the building would be a badge-in door with a buzzer or intercom system for guests. Guests should receive badges tied to the access control system so their movements are tracked. In the case of a co-location facility, security revolving doors with anti-piggybacking and anti-tailgating sensor systems can be used as part of the building entrance.

In every case, three-factor authentication is the best possible scenario: something you have (a card), something you know (a PIN) and something you are (a biometric). The access control system should support photo badges, integrate with video surveillance and offer biometric authentication. An IP-based solution allows the system to take advantage of current and future technology requirements.

High security is not just a matter of checking whether a user is authorized to enter sensitive or restricted areas in a secure facility. Separation between areas must be as fine-grained as the facility allows. The key here is control: allow access only to those who need it and, in the case of co-location, segment the rooms as much as possible.

The data center itself: The data center portion, or computer room, of the building typically has the highest security. Anti-piggybacking is a must. Options include security revolvers (revolving doors) and personal interlocks tied into the building's access control system.

A security revolver may be equipped with a contact mat, scales (sensors that detect and prevent tailgating and piggybacking) or internal monitoring. Options include rotating units with an emergency exit function or a night closure. Reinforced bullet-resistant models are also available. Access through a security revolver should begin with card or biometric authentication; once again, card, PIN and biometrics together offer the highest level of security. A sensor system in the unit stops piggybacking and tailgating.

A personal interlock or "mantrap" prevents tailgating and piggybacking by allowing only one person through at a time. Upon authentication, the outer door opens and the user steps into the unit. Once the door closes behind them and the unit confirms a single occupant, the interior door opens, granting access to the data center floor. Single occupancy is verified by body weight, sensors or an additional identification checkpoint in the middle of the interlock; depending on the requirements, the unit may be fitted with sensors, contact mats, scales or internal monitoring. Additional options include bullet-resistant designs and the ability to authenticate via biometrics from within the interlock.

After passing through these layers of security, an authorized user finally enters the room where it happens: the actual data center, where the servers and critical IT equipment are located. Once in the room, and especially in a co-location facility, securing the racks or cabinets themselves is a must. Badged access to the racks, with an audit trail of who accessed each one, when and for how long, is critical to maintaining the chain of security.
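The interlock sequence above (authenticate, outer door opens, outer door closes, single occupant confirmed, inner door opens) and the audit trail called for at the racks are easiest to reason about as a small state machine. The following is an added example written for this page, not code from the article or from dormakaba; it assumes a hypothetical interface in which the access control system has already reduced card, PIN and biometric checks to a single `authorized` flag, and the unit's mat or scale reports an occupant count. The event timestamps in the demo are constructed.

```python
"""Mantrap (personal interlock) state machine with an audit trail.

Added example, not from the article or any vendor. Assumptions (hypothetical):
- the access control system passes an `authorized` boolean per badge attempt
  (card + PIN + biometric already evaluated upstream);
- the unit's contact mat / scale reports an integer occupant count;
- `now` is a timestamp supplied by the caller (seconds as a float).
Invariant enforced: the outer and inner doors are never released at the same
time, and the inner door is released only after exactly one occupant is seen.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


class State(Enum):
    IDLE = auto()        # both doors locked, unit empty
    OUTER_OPEN = auto()  # outer door released after authentication
    INNER_OPEN = auto()  # single occupant confirmed, inner door released
    ALARM = auto()       # piggyback/tailgate detected, both doors stay locked


@dataclass
class AuditEvent:
    """One line of the audit trail: who, when, outcome, and dwell time."""
    badge_id: str
    t_start: float
    t_end: Optional[float] = None
    outcome: str = "pending"

    @property
    def duration(self) -> Optional[float]:
        return None if self.t_end is None else self.t_end - self.t_start


@dataclass
class Mantrap:
    max_occupants: int = 1
    state: State = State.IDLE
    current: Optional[AuditEvent] = None
    log: List[AuditEvent] = field(default_factory=list)

    def request_entry(self, badge_id: str, authorized: bool, now: float) -> State:
        ev = AuditEvent(badge_id=badge_id, t_start=now)
        self.log.append(ev)                # every attempt is logged, even refusals
        if self.state is not State.IDLE:
            ev.t_end, ev.outcome = now, "refused_busy"   # unit occupied or in alarm
            return self.state
        if not authorized:
            ev.t_end, ev.outcome = now, "denied"
            return self.state
        self.current = ev
        self.state = State.OUTER_OPEN
        return self.state

    def outer_door_closed(self, occupants: int, now: float) -> State:
        """Outer door sensor reports closed; occupancy comes from the mat/scale."""
        if self.state is not State.OUTER_OPEN:
            return self.state
        if occupants > self.max_occupants:
            self.state = State.ALARM       # two bodies entered: piggybacking
            self._finish("alarm_piggyback", now)
        elif occupants == 0:
            self.state = State.IDLE        # badge holder never stepped in
            self._finish("abandoned", now)
        else:
            self.state = State.INNER_OPEN  # exactly one occupant: release inner door
        return self.state

    def inner_door_closed(self, occupants: int, now: float) -> State:
        """Inner door closed again; the unit must be empty before it resets."""
        if self.state is not State.INNER_OPEN:
            return self.state
        if occupants == 0:
            self.state = State.IDLE
            self._finish("entered", now)
        else:
            self.state = State.ALARM       # someone lingered to let a second person in
            self._finish("alarm_tailgate", now)
        return self.state

    def reset_by_guard(self, now: float) -> State:
        """Only a guard clears an alarm; a new badge cannot."""
        if self.state is State.ALARM:
            self.state = State.IDLE
        return self.state

    def _finish(self, outcome: str, now: float) -> None:
        if self.current is not None:
            self.current.t_end, self.current.outcome = now, outcome
            self.current = None


if __name__ == "__main__":
    # Constructed walk-through: a clean entry, then a piggyback attempt.
    m = Mantrap()
    m.request_entry("B001", True, 0.0); m.outer_door_closed(1, 2.0); m.inner_door_closed(0, 5.0)
    m.request_entry("B002", True, 10.0); m.outer_door_closed(2, 12.0)
    for ev in m.log:
        print(ev.badge_id, ev.outcome, ev.duration)
```

The audit log records refusals and alarms as well as successful entries, which is what an investigator needs: a "refused_busy" line immediately after an "alarm_piggyback" line shows that someone tried to re-badge through a locked unit rather than waiting for a guard.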

An often-overlooked layer in the security plan, cabinet control, offers an excellent opportunity for systems integrators to upsell. Many current installations still rely on mechanical locks with no audit trail. As an extension of the access control system, the racks can be secured individually, or a bank of cabinets can be managed together through an elevator-style control system.

While data center security is complex, understanding the type of facility you are working with and the options at each layer of protection opens a new and rewarding business opportunity for the smart systems integrator.

Jason Patterson is a sales manager and Dave Rogers is Business Development Manager for Physical Access Systems at dormakaba. To request more info about the company, visit www.securityinfowatch.com/12304402 

(Photo courtesy stock.xchng/jodax)
There are six layers to securing a typical data center.