Data Center Security: When Security Gets Physical
Expect the unexpected: A mantra that I repeat everyday when it comes to the physical security of our data centers. In the world of data center security, you must be aware of any and all potential threats that may harm the integrity of the data center in order to react accordingly. This world is constantly evolving. Perhaps it is my 14 years in law enforcement that always keeps me on guard. If there’s one thing my experience has taught me it’s this: No matter the situation, you are never off duty.
Data Center Security Isn’t Just About Virtual Threats Anymore
In a time when cybersecurity is seen as the one of the biggest threats to businesses, physical security also plays a critical role in protecting data and property from compromise. A breach in the physical security of a facility can result in theft, property destruction and the loss of vital information. It is a costly endeavor if left unaddressed. According to one study, 10% of malicious breaches were caused by a physical security compromise in 2020, which amounted to $4.46 million in damages.1
Recent events continue to shift the mindset related to ensuring security of spaces where data and applications are kept. Just last year, a foiled attempt at bombing a data center caused many data center providers to address physical security in ways they never had to think about before. Even if this targeting was an isolated incident, the attitude of “business as usual” could not carry on. Taking into consideration the global pandemic, events of January 6th, the war in Ukraine and other major events, data center providers must continue to review and adapt their approach to physical security.
Any risk of breach—from a virtual or physical source—should be treated with the highest level of protection and authority.
Physical Security a Key Piece of Defense-in-Depth
Most data centers are somewhat accessible. They are located in cities, are close to other structures and may not have a physical barrier to stop a person from getting close. Today, there have never been more options available when it comes to safeguarding data centers.
A layered approach to physical security ensures that data center providers are using appropriate security measures that protect the facility and the physical assets it houses. This approach includes:
Perimeter security
The outer perimeter is the first line of defense in preventing a physical attack or disaster. Our data centers are secured by perimeter fencing as well as 360-degree view cameras to dissuade potential intruders and provide visibility into activity outside the facility.
Building entry screening
All entrances and locations require the use of a personalized security badge that provides access to only the relevant areas of the data center. To be granted an access badge, visitors must first be properly screened. Items taken into and out of the facility are weighed by on-site security personnel.
Secure corridors
Mantraps at most data centers are located at the front entrance to maintain the flow of people and help prevent tailgating of unauthorized individuals into secure areas.
The next layer of authentication is at the computer room (server room or suite) where entry is only granted upon dual authentication via badge and biometric fingerprint scanner.
Cage or rack level access
The final layer of authentication for many areas within a computer room is at the cage or server rack level which is accessed by key lock or card reader and biometric scanner. Video cameras also monitor on site.
It’s Not “Every Data Center for Itself”
There are a couple unique aspects to our approach. First, every CoreSite Data Center Operations (DCO) Technician is trained and security qualified. These people are the “boots on the ground” so to speak, the eyes and ears, the data center’s first line of defense. A facility’s physical security is nothing without them.
Second, we have developed our own training processes to ensure our teams are equipped and ready to protect against threats. Our training program comprises three levels of qualifications:
- Security Basic Qualification, which trains on the “bread and butter” components of security.
- Security Advanced Qualification, which is primarily for technicians who have an interest in furthering their knowledge of physical security including the technologies, infrastructure and access control system utilized day-to-day.
- Security Subject Matter Expert (SME), which includes a higher lever of knowledge and decision-making. There is typically one SME per site and acts as is the local physical security trainer of the other DCO technicians.
Extensive and ongoing training at every level, mine included, are critical to a data center’s operation and security. A strong understanding of technologies and processes ensures effective and immediate responses from security personnel in the event of an incursion.
In addition to training, we constantly test ourselves. Not only do we utilize a formal audit process, we also perform informal penetration testing, which consists of unannounced visits to see how operations are running. Such visits help expose physical weaknesses and allow us to adapt our practices to address potential areas of vulnerabilities.
The processes and systems we have in place safeguard all our facilities. The system works with all sites and, in the event of a breach, other sites can take over data center functions, so there is no gap in monitoring of alarms and video. For all intents and purposes, all sites back each other up.
Continuing this Security Journey
When it comes to physical security, the stakes are high. The unpredictability in the world can range from natural disasters to criminal attacks—all of which pose significant risk to business operations. Disruptions to businesses, or even worse the loss of data, not only affects the business itself but also customer perception. Physically safeguarding data centers has never been more important. We must work to continually reassess our practices and procedures to address potential threats. Because we are never off duty.
Learn about CoreSite’s physical security and technology for data centers and how we are constantly evolving to bring the most robust prevention and response to security threats.