17-04-2012 - John Hatcher
The frequent warnings of terror attack threatening our national security along with the recent spate of rioting in our cities serves clearly highlights why data centres need to up the ante on security by implementing the most sophisticated and rigorous physical security and access control measures possible. After all, a data centre’s primary purpose is to ensure secure and continuous 24/7 IT service delivery and should be fit for purpose. Its ability to prevent unauthorised access – physical or virtual – and thwart or withstand malicious attack including acts of terror is therefore an imperative.
Apart from the chaos that is inevitably caused from either direct or secondary exposure to attack and the implications on business continuity, there are the SLAs and costly financial penalties to consider if the data centre’s security and access controls are found to be inadequate.
Securing the physical environment to reduce the risk of accidental or deliberate ingress is a huge task and cannot be underestimated. While it may be cost-prohibitive to retrospectively upgrade an older facility’s security to the level of the latest generation of data centres, there are measures that one and all should subscribe to.
As far as possible make the building is as invisible as possible removing all signs that might advertise its function. Landscape the area to ensure visitors and their vehicles enter the compound via a manned and gated (preferably air-locked) security checkpoint before passing into parking areas sited as far away from the building as possible. Limit ingress points to a single main entrance and a loading bay and keep windows to an absolute minimum. Ideally these should feature bomb-proof glass.
Securing the compound effectively from attack or unauthorised access means prison grade perimeter fences, CCTV and speed intrusion prevention systems (IPS) are pre-requisites. These should be reinforced by anti-ram defences placed at strategic points around the building, especially entrance points. For new-builds it also best practice to specify double or triple skin reinforced concrete walls.
All security and operations personnel must be subjected to stringent cross-checks on their identity, place of residence and previous work history. A security officer supported by a team of trained security guards should be authorised and responsible for all aspects of the data centre’s security. They will ensure all personnel and visitors are subjected to at least a two-factor authentication procedure such as biometric authentication and an access code.
Clearly the more physical access is restricted to personnel who really need to be on-site the better, but for those people that are essential, deploy access controls that increase the closer they need to be to the data floor or mission critical systems. Such measures should include photographic, PIN and card combination entry requiring not only an authorised user’s access card but also the matching unique code.
Consider too the security implications surrounding external supplies of power, water and communications. On the power front, a direct connection to a nearby sub-station will increase control over supply in the event of attack on the Supergrid. On-site carrier interconnects will offer a degree of security over malicious or accidental damage to communications but also instigate a direct POP connection to an alternate carrier fibre network that is independent of London, therefore mitigating communications security risks further.
The convenience of keeping facilities in close proximity to corporate headquarters and concerns over distance on latency have led to the majority of UK data centres being located in or around large metropolitan areas, most notably the London area. From a physical security perspective this presents a higher risk potential for attack or breach. With the availability of low cost high speed fibre links and sophisticated remote diagnostics, consider whether it is still absolutely mission critical to have your data centre remain in the metro area .
If planning a new-build project, evaluating a move into a third party facility or requiring a back up facility, it is good practice to also consider more naturally secure rural locations well away from city centres, large populations and airports and the inherent security risks these present.