Mark Hirst, product manager for Cannon Technologies’ T4 Data Centre Solutions, is a Data Center design expert with a background in electronic control systems and industrial networks.
As well as housing a plethora of important active equipment, cabinets and racks also need to protect the sensitive data contained within them. In this post, I will explain why sophisticated security, access control and monitoring technology are essential components of any modern containment solution.
Security ranks highly on any data center manager’s list of priorities and it’s not difficult to understand why, especially when you consider the devastating impact that downtime or data theft can have on a business.
With any data network, there is always a risk that the information that flows through it could be intercepted and used for malicious purposes. However, there are a number of security processes that can significantly reduce the likelihood of this happening, including the physical and organizational security of the core network.
At the cabinet and rack level, what was once a plain steel enclosure is now an instrumented device with locks, sensors and controllers of its own, and a critical element of any modern data center. An integrated security approach at this level is therefore hugely important and, as a growing number of organizations are finding out, they must not only secure these infrastructure components but also be able to prove the effectiveness of their auditing systems to one or more governance bodies.
For companies that have to meet regulatory requirements such as Sarbanes-Oxley, Basel II, PCI DSS and FSA rules, data centers must maintain strict asset documentation and configuration and change management, backed by rigorous and transparent record keeping. In colocation facilities, high levels of security are also required in order to meet service level agreements (SLAs), since a data breach can prove costly both financially and in terms of reputation, and recovery from either can be a long and difficult process.
In the financial sector, data protection and corporate responsibility rules are extremely stringent and in some cases even require that a company’s head office and corporate data center be sited in separate locations. With such rigorous security requirements, it is this industry that is setting the benchmark for how access control and monitoring technology is deployed.
Many and Varied
While having a permanent staffed security presence at a data center is not at all uncommon, it usually forms part of a multi-layered approach which includes a range of technology that monitors and controls access both into and within the premises. When it comes to restricting access to data, securing the cabinets and racks that house servers and other active equipment is crucial. There are a number of ways that this can be achieved, and perhaps the most obvious is the use of reliable and intelligent locking systems.
Modern locking systems such as swing-handles are secure, robust, ergonomic and can be retrofitted to existing cabinets. To add another layer of protection, a standard swing-handle can be fitted with an electronic keypad that simply screws to its back, converting it into a remotely controlled lock. The tamper-resistant cabling to the lock can also be routed through the internal door skin to hide it from view and further increase security.
The locking system will usually be used in conjunction with a personal identification number (PIN) or a radio frequency identification (RFID) credential. For room, row or cold-aisle entry, one reader can open all the locks in a particular row if required, and locks can also be released in groups or according to each user’s privilege settings. Intelligent access control also means that PINs can be issued that expire after a set period and can only be used on specific cabinets.
In unstaffed environments, access to hardware must be monitored and controlled remotely. Software now exists that provides local and/or remote control of racks, cabinets, hot and cold aisles, cages, data rooms and outdoor enclosures. Built on 'plug and play' modules that can be used stand-alone or daisy-chained into a resilient, high-security system, it enables control from multiple locations concurrently, with full event recording and a rolling 24-hour audit trail.
This also ensures that only authorized personnel can access the cabinets, following a request to and authorization from a central source, which can additionally change access codes remotely.
These systems can also be configured to require two people – for instance, a technician and a security operative – to authenticate before the cabinet will unlock. Once the cabinet is opened, CCTV cameras can be triggered to record the access session, or a single photograph can be taken of the person(s) involved. Again, a full audit trail, including any video footage, is stored for future reference.
Alarms can be generated if unauthorized entry is attempted or an unusual condition is detected, such as humidity within the facility rising above a pre-defined threshold. Designated staff can then carry out an investigation that satisfies the applicable regulations and SLAs.
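The access policy sketched in the preceding paragraphs (cabinet-scoped PINs with an expiry, group or privilege-based unlock, a two-person rule for designated cabinets, and an audit trail that can be shown to a governance body) can be modelled in a few dozen lines. The Python below is an added example written for this page, not the product code the article describes; the cabinet IDs, the role names, the six-digit PIN format and the hash-chained log are assumptions for illustration. It goes slightly beyond the text by chaining audit entries so that any edited or deleted entry is detectable, which is what proving the efficacy of an auditing system requires in practice.

```python
"""Added example (not the vendor code the article describes): a cabinet
access-control policy with scoped, time-limited PINs, a two-person rule for
designated cabinets, and a hash-chained audit log. Cabinet IDs, roles and
the PIN format are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import hmac
import json
import secrets


@dataclass
class Credential:
    holder: str
    pin_hash: bytes          # salted PBKDF2 of the PIN; the raw PIN is never stored
    salt: bytes
    cabinets: frozenset      # cabinet IDs this PIN is scoped to
    expires: datetime        # PIN is dead at or after this instant
    role: str                # e.g. "technician" or "security" (assumed role names)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class CabinetController:
    def __init__(self, two_person_cabinets=()):
        self.creds = {}                          # holder -> Credential
        self.audit = []                          # append-only, hash-chained
        self.two_person = frozenset(two_person_cabinets)

    def _log(self, now, event, cabinet, holders, result):
        # Each entry carries the digest of the previous one, so the chain
        # breaks if an entry is altered or removed.
        prev = self.audit[-1]["digest"] if self.audit else "0" * 64
        entry = {"ts": now.isoformat(), "event": event, "cabinet": cabinet,
                 "holders": list(holders), "result": result, "prev": prev}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["digest"] = hashlib.sha256(body).hexdigest()
        self.audit.append(entry)

    def issue_pin(self, holder, cabinets, ttl: timedelta, role, now):
        """Issue a fresh 6-digit PIN scoped to `cabinets`, valid for `ttl`."""
        pin = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self.creds[holder] = Credential(holder, _hash_pin(pin, salt), salt,
                                        frozenset(cabinets), now + ttl, role)
        self._log(now, "issue", None, [holder], "ok")
        return pin

    def revoke(self, holder, now):
        self.creds.pop(holder, None)
        self._log(now, "revoke", None, [holder], "ok")

    def _check(self, holder, pin, cabinet, now):
        c = self.creds.get(holder)
        if c is None:
            return "unknown holder"
        if not hmac.compare_digest(_hash_pin(pin, c.salt), c.pin_hash):
            return "bad pin"
        if now >= c.expires:
            return "expired"
        if cabinet not in c.cabinets:
            return "not scoped to cabinet"
        return None

    def request_unlock(self, cabinet, now, *attempts):
        """attempts are (holder, pin) pairs presented at the reader.
        Returns (granted, reason). Two-person cabinets need two distinct
        holders with different roles, each passing every check."""
        if not attempts:                         # never fall through to "granted"
            self._log(now, "unlock", cabinet, [], "denied: no credential")
            return False, "no credential"
        holders = [h for h, _ in attempts]
        for holder, pin in attempts:
            reason = self._check(holder, pin, cabinet, now)
            if reason:
                self._log(now, "unlock", cabinet, holders, f"denied: {holder} {reason}")
                return False, reason
        if cabinet in self.two_person:
            roles = {self.creds[h].role for h in holders}
            if len(set(holders)) < 2 or len(roles) < 2:
                self._log(now, "unlock", cabinet, holders, "denied: two-person rule")
                return False, "two-person rule"
        self._log(now, "unlock", cabinet, holders, "granted")
        return True, "granted"

    def audit_intact(self):
        """Recompute the chain; any edited or deleted entry breaks it."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "digest"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["digest"]:
                return False
            prev = e["digest"]
        return True


def demo():
    """Constructed scenario: RACK-07 is a two-person cabinet."""
    t0 = datetime(2024, 1, 1, 9, 0)
    ctl = CabinetController(two_person_cabinets={"RACK-07"})
    tech = ctl.issue_pin("alice", {"RACK-03", "RACK-07"}, timedelta(hours=4), "technician", t0)
    guard = ctl.issue_pin("bob", {"RACK-07"}, timedelta(hours=8), "security", t0)
    results = {
        "scoped": ctl.request_unlock("RACK-03", t0, ("alice", tech)),
        "out_of_scope": ctl.request_unlock("RACK-05", t0, ("alice", tech)),
        "solo_on_2p": ctl.request_unlock("RACK-07", t0, ("alice", tech)),
        "dual": ctl.request_unlock("RACK-07", t0, ("alice", tech), ("bob", guard)),
        "expired": ctl.request_unlock("RACK-03", t0 + timedelta(hours=5), ("alice", tech)),
    }
    intact_before = ctl.audit_intact()
    ctl.audit[3]["result"] = "granted"       # simulate someone editing a denial
    return results, intact_before, ctl.audit_intact()


if __name__ == "__main__":
    print(demo())
```

Two details worth copying into a real deployment: PINs are stored only as salted hashes and compared in constant time, and a request with no credential at all is denied explicitly rather than being allowed to fall through the checks to "granted".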
Finger on the Pulse
An increasingly popular way of ensuring that only authorized personnel have access to cabinets is to use biometric technologies. These automatically measure people’s physiological or behavioral characteristics; examples include automatic fingerprint identification, iris and retina scanning, face recognition and hand geometry. The major advantage of this type of solution over PINs or RFID cards is that a biometric cannot be forgotten, lent or lost and is unique to the individual. The trade-off is that a compromised biometric template cannot be reissued the way a PIN or card can, so the template store needs the same protection as any other credential store.
Although previously considered too expensive for most data center installations, the falling costs of the technology over the last few years have meant that fingerprint security at the cabinet level has become a cost-effective reality, and one that is becoming more and more popular.
Verifying a fingerprint at the scanner now takes around a second. This is possible because the templates are held locally on the reader and periodically synchronized with a centralized server, so verification can take place whether or not a network connection is present at that moment. Enrollment is similarly quick: a typical enrollment takes three sample fingerprints on a terminal, after which the user can authenticate from that point onwards.
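To show why locally held templates let verification continue with the network down, and what that costs in revocation latency, here is an added Python model written for this page (not the scanner vendor's code). The minutiae tuples, the "seen in at least 2 of 3 samples" enrollment rule and the Jaccard threshold are constructed for illustration and are not a real fingerprint matcher; the point is the cache and sync behaviour: the reader keeps verifying from its cache while the link is down, and a revocation made centrally during that outage is not enforced until the next successful poll.

```python
"""Added example, not the vendor's product code: a reader-side fingerprint
template cache that verifies locally (so it still works with the network down)
and polls a central server for template updates and revocations. The minutiae
representation and the Jaccard threshold are illustrative assumptions, not a
real matcher."""


class CentralServer:
    """Authoritative template store. `online` simulates link availability."""

    def __init__(self):
        self.version = 0
        self.changes = []        # (version, user, template_or_None); None = revoked
        self.online = True

    def _bump(self, user, template):
        self.version += 1
        self.changes.append((self.version, user, template))

    def publish(self, user, template):
        if not self.online:
            raise ConnectionError("link down")
        self._bump(user, template)

    def revoke(self, user):
        # Admin-side action: works regardless of the reader's link state.
        self._bump(user, None)

    def pull(self, since):
        if not self.online:
            raise ConnectionError("link down")
        return [c for c in self.changes if c[0] > since]


def build_template(samples):
    """Enrolment: keep minutiae seen in at least 2 of the 3 sample scans,
    which drops one-off noise from a single placement."""
    counts = {}
    for s in samples:
        for m in s:
            counts[m] = counts.get(m, 0) + 1
    return frozenset(m for m, n in counts.items() if n >= 2)


def similarity(template, sample):
    inter = len(template & sample)
    union = len(template | sample)
    return inter / union if union else 0.0


class Terminal:
    THRESHOLD = 0.6              # assumed match threshold

    def __init__(self, server):
        self.server = server
        self.cache = {}          # user -> template, used for every verification
        self.seen_version = 0
        self.outbox = []         # enrolments not yet published upstream

    def enroll(self, user, samples):
        if len(samples) != 3:
            raise ValueError("three sample scans required")
        tpl = build_template(samples)
        self.cache[user] = tpl
        self.outbox.append((user, tpl))
        return self.sync()

    def sync(self):
        """Push pending enrolments and pull updates; returns False if the
        link is down, in which case the terminal keeps running on its cache."""
        try:
            while self.outbox:
                user, tpl = self.outbox[0]
                self.server.publish(user, tpl)
                self.outbox.pop(0)
            for version, user, tpl in self.server.pull(self.seen_version):
                if tpl is None:
                    self.cache.pop(user, None)
                else:
                    self.cache[user] = tpl
                self.seen_version = version
        except ConnectionError:
            return False
        return True

    def verify(self, user, sample):
        """1:1 verification against the locally cached template only."""
        tpl = self.cache.get(user)
        if tpl is None:
            return False
        return similarity(tpl, frozenset(sample)) >= self.THRESHOLD


def demo():
    server = CentralServer()
    reader = Terminal(server)
    # Constructed minutiae (x, y, angle) for one finger: three placements
    # share the same core points but each adds one spurious point.
    base = {(12, 40, 30), (25, 18, 95), (40, 44, 120), (55, 20, 60), (61, 50, 15), (30, 60, 180)}
    samples = [base | {(5, 5, 0)}, base | {(70, 70, 45)}, base | {(33, 33, 33)}]
    reader.enroll("alice", samples)
    live = base - {(30, 60, 180)}            # a good live scan missing one minutia
    impostor = {(12, 40, 30), (80, 80, 10), (90, 5, 200), (15, 70, 77), (50, 50, 50), (2, 2, 2)}
    out = {"online_good": reader.verify("alice", live),
           "online_impostor": reader.verify("alice", impostor)}
    server.online = False
    out["offline_good"] = reader.verify("alice", live)       # still works from cache
    server.revoke("alice")                                   # revoked while link is down
    out["synced_offline"] = reader.sync()                    # False: link down
    out["revoked_but_stale"] = reader.verify("alice", live)  # still True: revocation lag
    server.online = True
    reader.sync()
    out["after_resync"] = reader.verify("alice", live)       # False once the poll succeeds
    return out


if __name__ == "__main__":
    print(demo())
```

The `revoked_but_stale` result is the operational caveat: the poll interval bounds how long a leaver or a lost finger template keeps opening cabinets at a reader that lost its link, so the interval, and alerting on readers that miss polls, belong in the security review.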
This efficiency, cost effectiveness and all-round reliability mean that a growing number of clients are now securing their IT resources at the cabinet level and integrating the data feed from the scanner with other security systems such as video surveillance.
Seeing is Believing
In the event of a security breach, being able to identify the person(s) who attempted to gain unauthorized access to a cabinet is extremely useful in bringing them to book. Fortunately, there are a number of tools that can help.
Cabinets can be fitted with a video recording system that either records constantly or is activated by an access attempt. The system emails the data center manager a still image of the person attempting access; the manager can then connect remotely to the video system, watch events unfold and, where an audio device is also installed, address the unauthorized person verbally. State-of-the-art systems also let the recording devices from eight cabinets share one network video recorder (NVR), which makes this method of monitoring cost effective.
Video is a tried and tested way of tracking movements in a facility and establishing who was doing what at a particular time. While the video system comes with its own remote software package, it can also be incorporated into a data center infrastructure management (DCIM) system. Such a system can not only monitor, control access and assign user privileges, but also manage power usage and optimization, environmental control and fire suppression from one suite of software. Leading solutions enforce password policies and role-based permissions on their own users, so that the remote management system is as secure as the sites it controls.
The threat of data theft and damage to equipment must be taken seriously: organizations that fail to implement a thorough multi-layered system risk damaging their businesses and reputations. Far from being just metal boxes, cabinets and racks are on the front line of keeping data safe and ensuring that audit trails satisfy the relevant legislation.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.