Data centers and the security professionals who staff them face competitive concerns, terrorist threats, federal regulations and natural disasters as they work to enhance both physical and logical security operations to seamlessly protect sensitive customer data.
Here’s a look inside the Security Operations Center at the QTS Atlanta Metro Data Center, the second largest data center in the world.
Despite the slow economy, the multi-tenant data center industry is growing rapidly. According to the Uptime Institute, more than a third of data center facilities will run out of space, power, cooling, or all the above by 2013. Driving the demand is the need for private companies to securely host information technology (IT) infrastructure in a world of increasing threats. Multi-tenant data centers provide companies with a more unified and cost-effective approach to securing data.
However, data centers and the security professionals who staff them face competitive concerns, terrorist threats, federal regulations and natural disasters as they work to enhance both physical and logical security operations to seamlessly protect sensitive customer data. To handle the growing numbers of threats, large organizations are being driven by their security professionals to significantly increase IT security spending. According to a Forrester Research survey conducted last year, 42 percent of enterprises and 37 percent of small and medium-sized businesses planned to increase security spending by five percent or more annually. Most significantly, today’s data centers are managing increased customer demand for privacy features due to the intellectual property race and gaining competitive advantage.
Taking on the Insider Threat
While instances of hacking are widely publicized and must be guarded against, much illicit use of proprietary information is obtained from current or former employees. A well-known example of internal privacy violation is Lawrence R. Marino from Goffstown, N.H., who pleaded guilty to computer intrusion stemming from his repeated hacks into the computer system of his former employer, OneSky. Marino acquired other employees’ log-in credentials for their OneSky e-mail accounts, which contained confidential information about the company’s existing and prospective customers. Following his departure from OneSky, Marino used his illegally-obtained information to solicit new customers on behalf of his new employer, according to the Department of Justice.
To prevent similar breaches, data center providers must review the access that employees have to sensitive data and determine if greater restrictions are needed. Many multi-tenant data centers are implementing anti-passback security procedures that mandate a specific sequence in which access cards must be used in order for customers, contractors and visitors to swipe in and out of customer suites. Additionally, in the unlikely event of an emergency requiring evacuation of the facility, an anti-passback procedure provides the security team and first responders with accurate information on whether or not a complete evacuation has taken place.
Security Staff and Visitors
For added internal security, data center providers are turning to in-house security teams, as opposed to contract or off-duty patrol officers, to monitor facilities around-the-clock. According to ASIS International, proprietary security is “any organization, or department of that organization, that provides full-time security officers solely for itself.”
Proprietary security staff are believed to be more loyal and have a vested interest in company success. On the other hand, use of contract security staff is usually less expensive with recruiting, hiring and training managed by the contract company. A combination of both proprietary and contract security may be desirable based on customer mission and information sensitivity.
Visitor protocol is heightened with identification and security checkpoints throughout large data center campuses. For example, Quality Technology Services (QTS), the nation’s third-largest data center provider, employs two to three officers per shift who conduct two physical security tours each shift. Officers review access logs, check access control systems at each man trap entryway, and observe the physical appearance of areas in and around customer suites.
Technology and Cyber-Defense
Identity-based and biometric applications such as iris eye scanning devices are being installed to secure the privacy of individual customer suites within the data centers. Iris scanning was perfected in the early 2000s and uses algorithms to identify the number of concentric circular outer boundaries of the iris and the pupil, which is unique in every human. Iris-scanning devices are so secure that they are even employed at government immigration check points and airports.
In response to rising terrorist threats, the Department of Homeland Security (DHS) has implemented an Enhanced Critical Infrastructure Program to periodically survey the nation’s data centers. Data centers must comply with a checklist of DHS requirements, and participate in follow-up reviews. Physical security components of the review include, but are not limited to: fences, parking, security lighting and vehicle access. Personnel security, background investigations and critical infrastructure dependencies such as electric, water, waste water and telecommunications also are considered when developing a terrorist protection program.
In addition to customer demands, data centers must combat the ever-increasing threat of terrorist cyber-attacks. Most data center companies now develop anti-terrorism training guides to safeguard customer data against cyber intelligence attacks. These guides, updated regularly, share information with customers on best practices that enhance the safety of their mission-critical data.
Data Center Compliance
While DHS is focused on cyber-attacks, the Obama administration is focused on storing classified data more efficiently. In 2009, the White House announced the Federal Data Center Consolidation Initiative that will close 800 out of 2,094 government-owned data centers by 2015. The initiative aims to increase the overall IT security posture of the government and shift to more efficient computing platforms and technologies. Specifically, the initiative will reduce the overall energy and real estate footprint as well as the cost of data center hardware, software and operations. The move allows private data centers to obtain federal contracts, and, in turn, forces these companies to meet strict federal security guidelines for storing classified data.
In order for data centers to become compliant, they must physically separate government data systems from all other customers and often separate federal data from similar federal data on an agency-by-agency basis. In addition, federal data must have separate storage, backup systems and tapes than unclassified tenants. Further, only cleared personnel are allowed to enter government suites to perform routine operations. These staffers must meet or exceed background investigation requirements as determined by each federal customer. Finally, the facility that houses classified data must have defined wall upgrades, conduit accesses and access control systems.
Data center security personnel must also contend with Mother Nature. This spring, much of the Midwest and Southeast experienced the deadliest tornado season in 50 years. As a result, many corporations have invested in off-site data storage in facilities that can withstand severe weather.
Tornadoes, hurricanes, earthquakes and harsh winter weather often result in power loss, frozen or broken pipes, tainted water supply, equipment malfunctions and building damage. Ultimately, natural disasters provide an opportunity for physical security breaches and risk the safety of data center personnel responsible for the uninterrupted operations of the facility.
Therefore, chief security officers are challenged to meet physical requirements, such as wind and flood resistance, plus emergency plans to ensure the safety of employees and privacy of customer data. A typical Business Continuity Plan (BCP) will include emergency contacts for pre-selected vendors, essential operations personnel, local emergency officials and relocation plans.
Last spring’s tornado activity was a stark reminder of the ever-increasing number of risk factors that impact both the logical and physical security of data centers. The security community must meet these ongoing challenges by working both individually and together to combat threats, develop new strategies and react to the growing security needs of the organizations whose people and mission critical data we protect.
Editor’s Note: Want to read an enhanced version of this article? Check out the exclusive STE iPad App, available now in the Apple App Store! This article features two exclusive videos that take an inside look at security operations at QTS’s Atlanta facility and at a Google data center.
Rick Henson is vice president of security for QTS, one of the nation’s largest data center providers. A Certified Protection Professional (CPP), he has more than 20 years of security and emergency management experience in the private sector and with the Federal government.