Incorporating Physical Security into Data Center Design

The increasingly central role of technology in nearly every facet of life and work has given rise to an astounding proliferation of data. That makes the responsibility of controlling access to that data even more important – and more complex – than ever before.

As the global economy becomes increasingly dependent on data, keeping that information safe and secure has become a top priority — because the cost of not doing so is just too great. According to the 2019 Cost of Data Breach Study (completed by IBM Security and the Ponemon Institute), the average total cost of a data breach to a company was $3.92 million globally and $8.19 million in the U.S. These costs can include: legal, regulatory and technical activities; loss of brand equity; customer turnover; and decreased employee productivity.

Controlling Access at Co-location and Onsite Facilities

If you’re responsible for data security, there are many critical considerations. Security management software can tie visitor management, video, and access control into one cohesive program and streamline everyday use for you and/or your tenants/clients.

In certain industries, the access control solution must enforce what are often thorough and specific compliance requirements. Among these crucial regulations, here are three important examples to be aware of:

1. HIPAA (the United States Health Insurance Portability and Accountability Act of 1996)
HIPAA Title II includes an administrative simplification section that deals with the standardization of healthcare-related information systems; in the IT industries, this section is what most people mean when they refer to HIPAA. The Act seeks to establish standardized mechanisms for electronic data interchange (EDI) security and the confidentiality of all healthcare-related data.

2. Sarbanes-Oxley

The Sarbanes-Oxley Act of 2002 (often shortened to SOX) was designed to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as to improve the accuracy of corporate disclosures. The ability to comply with SOX rests on having the right security controls in place to ensure the accuracy of financial data.

3. PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. It requires that access to system information and operations is restricted and controlled, and that cardholder data is protected physically as well as electronically.

The common thread across all these regulatory requirements is the need for proper controls (both physical and electronic) to ensure the safety of data. While the various regulations mandate data protection, they do not prescribe the path to achieve this goal. As a result, it is critical for IT and data center professionals to have a thorough understanding of applicable compliance requirements so they can identify the best solutions and policies for their organizations. Fortunately, technological advances in access control solutions help simplify the process of securing data centers in either a co-location or onsite environment.

Levels of Physical Security

A well-designed security system can be broken down into three levels that address access from a facility’s perimeter down to the server rack level. No two facilities are completely the same so it’s important to understand there is no “one size fits all” approach.

1. Perimeter Security

Perimeter security controls access to a building. The basic components can include fencing, bollards, guard booths and entry barriers to create a system of defense against unauthorized access to the general property. Consider high-security steel fencing that offers excellent strength and an integrated rail design. The heavy steel construction and intimidating profile should act as visual deterrents against intruders as well as provide the physical barriers that establish a secure perimeter.

2. Exterior and Interior Openings

For exterior and interior openings, commercial grade doors, frames and hardware deliver life-safety protection at the building entrance and throughout the facility. In addition to controlling access to the data center, they must be able to overcome hurricane, tornado, emergency egress and other challenges that pose life-safety threats to building occupants. Wind debris missile impacts and drastic pressure fluctuations from powerful hurricanes and tornadoes place incredible stress on doorways. Specialized products are available to maintain pressure, temperature, sound barriers, and RF transmission blocking even in doors and frames on interior openings. While these are not typically considered an IT investment, these are essential considerations for the data center environment, as they play an important role in both energy savings and security.

Fires, power failures and other panic-inducing events can impede emergency exit visibility. You can project against these hazards with doorways designed and tested to overcome extreme conditions. The latest door technologies use visual and audible alerts to overcome panic and confusion and provide a clear pathway to safety. Emergency mitigation and containment play crucial roles in disaster response protocols.

Be sure the most basic tools in access and security architecture such as gates, doors, and door hardware meet your security needs and the operational goals of the organization. Depending on your facility, each opening may need to be rated for the following hazards:

  • Climate control, windstorms, hurricanes (exterior openings);
  • Blast and ballistic;
  • Fire;
  • Radio Frequency (RF) shielded;
  • Sound Transmission Class (STC).

Beyond physical protection against some of the elements discussed above, exterior and interior doors play an important role in controlling who has access to a facility or specific areas within it. Advances in access control technology now make it much easier and more affordable to deliver access control to areas that were previously difficult or logistically impossible to reach. Integrated access control locks combine several discreet access control components into a single lock and are available in a variety of technologies, including PoE, WiFi, and wireless. PoE and WiFi locks connect directly to the access control system using existing IT infrastructure, further reducing costs and providing extra utility from the network. This range of solutions dramatically reduces installation costs and time, making it far easier to increase security throughout a facility. A variety of form factors enables access control at more applications than ever before.

3. Server Cabinets and Racks

The third level of security involves access control at the server cabinet or rack. This additional layer of access control provides the degree of security necessary for the most precious commodity within the data center itself – information. It is the final barrier that protects businesses against the cost of downtime associated with unauthorized access to network equipment. 

The physical access control technology you deploy throughout your facility should be as sophisticated and powerful as what you rely on for the most obvious points of entry and vulnerability. Solutions available today make it possible for you to not only satisfy compliance requirements but also to control access at the server rack.

Server cabinet lock solutions on the market today provide real-time access control to individual cabinet doors. This functionality accomplishes something that would have been unthinkable not long ago: an additional layer of protection for the servers without requiring another system or additional wiring to the access control panel. Innovative products and solutions now on the market also make it possible to administer access control remotely, leverage wireless capabilities to extend control, access audit trails to quickly and accurately determine the cause of an incident, configure alarm settings, and much more.

Access control at the server rack level is especially important in a co-location facility, where current and potential customers will be concerned – and rightly so – that their servers could be adjacent to competitors’ servers and therefore vulnerable to physical manipulation.

Security Protocols

It’s important that security protocols, polices and procedures be in place, not just for the sake of security but also for safety measures and good business practices. In fact, when they are not developed or fully followed, it creates significant vulnerabilities for your organization.

As is true in many other – if not all – facets of business management, execution is almost everything. The implementation of and adherence to the protocols is just as important as having them in the first place. Several organizations offer guidance in the development and management of security protocols including BICSI, FEMA, and ASIS. Best practices are often shared through these groups and their membership on a regular basis through reports, white papers, specification guidelines, and seminars.

Policies and Procedures

Finally, develop a policy that addresses the needs and challenges of your organization and then follow and enforce it. Whether you’re in charge of protecting data that’s stored onsite or a provider of co-location data storage and protection services, the advances made in this field make it the perfect time to offer a new level of security. Regardless of industry, offering your customers the peace of mind that comes with knowing one of their most critical business assets – their data – is fully protected is something for which many of today’s companies are prepared to pay a premium.