Let’s get physical
05-04-2012 - John Hatcher
In March 2010 the Ponemon Institute reported that the cost of a data breach had risen for the third consecutive year. It found that the average data breach cost UK organisations £1.9 million, or £71 per record, an increase of 13 per cent on 2009 and 18 per cent on 2008. We all know how important it is to protect our data, and customers clearly need to be choosy about whom they trust with it.
When thinking of data security, people tend to think about virtual measures first. Yet physical security is just as important and should always form a central part of any data centre security programme. When I first take a client on a tour of one of our data centres they are sometimes surprised at the level of security they must go through in order to get inside. At the same time, these checks serve to reassure them. A modern data centre should be designed with, at minimum, the following layers of physical security: perimeter security at the entrance, mantraps into the data centre, access control systems on the individual rooms, secure locked cabinets, and biometrics where required. No one should enter or leave the premises without proof of identity, and every visitor should be checked against the customer-defined access list before being allowed in.
It is crucial to have total control over who can enter your data centre, and the identification required to get in should include a biometric system that scans the fingerprint or iris of the person seeking entry. Unauthorised access attempts leave the individual unable to pass through the data centre’s mantrap. A mantrap has two sets of interlocking doors: only one set can be open at a time, so nobody can tailgate an authorised person through, and identification, preferably biometric, is required at both doors. If the biometric system raises the security alarm, all doors lock and the individual is held until security staff respond.
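The interlock logic described above is easier to reason about as a state machine. The following is an added illustration written for this article, not code from any real access control product: it simulates a two-door mantrap that checks a biometric template at each door against a customer-defined access list, refuses to open the outer door while the vestibule is occupied (anti-tailgating), insists that the person at the inner door is the same one admitted at the outer door, and drops into a lockdown that only a guard reset clears. The template identifiers, customer names and door naming are assumptions made up for the example.

```python
"""Added example: a mantrap interlock state machine.

Not part of the original article. The access list, template ids and
customer names below are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    IDLE = auto()          # both doors closed and locked, vestibule empty
    OUTER_OPEN = auto()    # outer door unlocked, person stepping in
    IN_VESTIBULE = auto()  # person sealed inside, both doors locked
    INNER_OPEN = auto()    # inner door unlocked, person entering the hall
    LOCKDOWN = auto()      # alarm raised: both doors locked until guard reset


# Constructed customer-defined access list: biometric template id -> customer.
ACCESS_LIST: dict[str, str] = {
    "fp-1001": "Acme Ltd",
    "fp-2002": "Acme Ltd",
    "fp-3003": "Globex plc",
}


@dataclass
class Mantrap:
    access_list: dict[str, str]
    state: State = State.IDLE
    occupant: str | None = None        # template id admitted at the outer door
    log: list[str] = field(default_factory=list)

    def _enrolled(self, template_id: str) -> bool:
        return template_id in self.access_list

    def present_outer(self, template_id: str) -> bool:
        """Biometric presented at the outer (street-side) door."""
        if self.state is State.LOCKDOWN:
            self.log.append(f"outer: refused {template_id}, site in lockdown")
            return False
        if self.state is not State.IDLE:
            # Interlock: the outer door never opens while someone is inside.
            self.log.append(f"outer: refused {template_id}, vestibule busy")
            return False
        if not self._enrolled(template_id):
            # Unknown person at the perimeter: raise the alarm, lock everything.
            self.state = State.LOCKDOWN
            self.log.append(f"outer: unknown {template_id}, ALARM lockdown")
            return False
        self.state = State.OUTER_OPEN
        self.occupant = template_id
        self.log.append(f"outer: admitted {template_id} ({self.access_list[template_id]})")
        return True

    def outer_closed(self) -> None:
        """Door sensor: outer door shut again; the person is now sealed in."""
        if self.state is State.OUTER_OPEN:
            self.state = State.IN_VESTIBULE

    def present_inner(self, template_id: str) -> bool:
        """Biometric presented a second time, at the inner door."""
        if self.state is not State.IN_VESTIBULE:
            self.log.append(f"inner: refused {template_id}, state {self.state.name}")
            return False
        # The identity at the inner door must match the one admitted outside;
        # a mismatch means a swap or an unenrolled person, so lock down.
        if template_id != self.occupant or not self._enrolled(template_id):
            self.state = State.LOCKDOWN
            self.log.append(f"inner: mismatch {template_id}, ALARM lockdown")
            return False
        self.state = State.INNER_OPEN
        self.log.append(f"inner: admitted {template_id}")
        return True

    def inner_closed(self) -> None:
        """Door sensor: inner door shut; vestibule is empty again."""
        if self.state is State.INNER_OPEN:
            self.state = State.IDLE
            self.occupant = None

    def guard_reset(self) -> None:
        """Only a guard clears a lockdown (modelled here as a direct call)."""
        self.state = State.IDLE
        self.occupant = None


if __name__ == "__main__":
    trap = Mantrap(ACCESS_LIST)
    trap.present_outer("fp-1001")
    trap.outer_closed()
    trap.present_outer("fp-2002")      # tailgating attempt, refused
    trap.present_inner("fp-1001")
    trap.inner_closed()
    trap.present_outer("fp-9999")      # unknown template, lockdown
    print("\n".join(trap.log))
```

The design point is that every transition is driven by a door sensor or a credential check, never by a timer, so the controller fails secure: if a sensor or reader faults, the doors stay locked and a guard has to intervene, which is exactly the behaviour the text describes for an alarm.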
A data centre should also have CCTV systems installed that cover every part of the site, from the perimeter to the individual servers. It should not rely on CCTV alone as its watchful “eyes”, though; it should also employ security guards to patrol the data centre, inside and out, around the clock. Once inside, all server racks should be locked, with keys held only by the client and the service provider. This means the service provider’s engineers can physically access the servers only when the client’s representative is present, giving the customer complete peace of mind.
ISO certification plays a key role in giving customers peace of mind. ISO 27001 is one of the most widely recognised international standards for information security management, and its control set covers physical and environmental security alongside system security. The audit and certification process examines every relevant aspect of the business, including physical infrastructure, site security and access management, personnel capabilities, communications and operations, legal and compliance requirements, and back-up and disaster recovery arrangements. The standard was developed to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.
To be truly secure, a data centre should combine mantraps, CCTV and biometric scanning with security guards to keep data safe. A data centre takes on a serious commitment to ensuring that the data it houses is secure, and providers need to be adept at demonstrating to their customers just how well that data is protected, because customers need to be confident that it will not be compromised.