Data Center Security

Physical controls are a crucial part of creating a secure environment

To maximize the use of personnel in the lobby reception area, the security control room and its operation — including the employee ID badging station — are usually located within the same area behind the bullet-resistant glass. This will enable security staff to perform multiple functions without leaving the secured environment. The heart of a data center’s security system will consist of computer workstations, video monitors and communications equipment. An effective design and layout will ensure that the system’s monitoring components are not visible from the reception area. A wall or partition should be used to segregate the control room from the badging station. A biometric enrollment device with a computer workstation, a digital video camera and a badge printer will be required to support employee ID processing.

Loading and Receiving Entrance

Within the facility’s second layer of security, the receiving area or loading dock should be provided with the same level of security as the main entrance and lobby reception area. To that effect, a loading dock security sub-station equipped with monitoring, control and communications components should be part of well-planned data center design. Through its windows, the sub-station should provide security staff members the ability to view all activity on the loading dock.

The entrance to the loading dock should be controlled with a card reader. Through the use of a video intercom, outside delivery personnel, vendors and contractors can be subjected to further screening before being allowed to enter the dock area. To ensure that overhead dock door doors are opened by authorized staff members only, the door controllers should be integrated with card readers.

A large mantrap will facilitate the movement of bulky equipment and supplies from the loading dock into the data center’s secure operations area. From within the sub-station, security staff will be able to monitor and control the flow of traffic through the mantrap. Biometric card readers will provide the means for authorized staff members to pass through this mantrap without the intervention of security staff. Third-party maintenance personnel and contractors — including their equipment — would be processed at the sub-station before being escorted into the operations area.

Fixed and dynamic video cameras are an important combination of a secure loading dock operation. Cameras strategically located will afford a good overview of all exterior and interior loading dock activity, and dynamic cameras give security staff members the ability to follow the movement of staff and equipment between the truck cargo holds, the loading dock and operations area. All camera activity should be recorded.

Operations and Inner Security Layer

Ensuring 99.995-percent fault-tolerant availability for a Tier 4-type of facility will require that critical systems such as power, cooling and communications be provided with full redundancy. Mirrored data halls are a typical part of an enterprise-class facility design. To maintain this high level of operation, different user groups and support staff and, in some cases, vendor and third-party groups, will be working within areas of this inner layer of security. Use of card readers creates multiple levels of security to physically separate these groups and provide the important audit trail of their access transactions.

Proximity card readers are the preferred technology to control access to the various electrical and mechanical spaces, such as the UPS, battery and generator rooms, chiller plants as well as other support areas. Equipment staging areas, storage, third-party rooms and vendor storage, and, in some instances, offices, are also provided with proximity card reader control. Cooling tower yards are typically located behind block walls and are only accessible from within the operations area. Doors that are used for maintenance and moving of large equipment should be card reader-controlled and the area monitored with video cameras.

To provide a higher level of security for such areas as the tape vault, the carrier rooms and chilled water plant, the proximity readers may be combined with a pin pad or biometric technology. The highest level of access is applied to the command center and data halls where the “crown jewels” are located. Mantrap portals controlled with biometric technology card readers provide the means for authorized personnel to enter and exit the area. Oversize or overhead doors may be required for moving large bulky equipment in and out of the data hall; and their operation is typically confined to select individuals requiring the two-man-rule feature of card access control (where at least two people must be present). Video cameras should be provided in the mantraps, the data hall areas and all common corridors.