Scott Walters is Director of Security for INetU.
One of the most critical aspects of designing a data center is the physical security infrastructure system. Here are five best practices for ensuring that it is effective and compliant:
View Physical Security in Layers
Physical security is much like information security in that it should be viewed in layers. For example, access control systems act as the primary keys to the castle and should use methods that cannot be shared, such as biometric access. Coupling a key card with biometrics requires the user to present both the access card and a matching biometric, such as fingerprint or retinal recognition.
I’ve been to data center facilities where an employee who had forgotten his access card borrowed one from another employee in order to enter the data center. Sharing access is a strict no-no. Adding a third form on top of this, such as a PIN code, is a best practice, as is installing video surveillance that covers all access points, both for real-time surveillance and for diagnosing past events.
Keeping access lists up to date on a real-time basis is also critical. Only those with a true business need should be able to access the data center or secure area. For example, if job roles change and access is not truly needed in the new role, access should be revoked. While revoking access due to a job role change may not be well received by the employee, it is in the best interest of the business.
Be Aware of Surroundings
It is a good practice not to build data centers against outside walls whenever possible. This provides an additional layer of protection against a variety of threats. Additionally, it is important to be mindful of what is above and/or below the data center. This is most commonly a threat in multi-floor facilities.
Each environment needs to be evaluated separately for its unique risks. For example, a data center in a multi-floor building in Manhattan will have far different risks than a data center in Quincy, Washington. Physical barriers need to be evaluated room to room. Physical security is broken into two pieces: the physical elements such as cameras, access control systems and locks; and the operational processes such as visitor and contractor policies and general awareness training. If both elements are not addressed, neither will be 100 percent effective.
Be Diligent Against the Biggest Threat: People
Whether it is intentional sabotage, social engineering, carelessness or failure to follow a defined policy, people working in the facility can be the biggest risk. For example, social engineering is a common threat because most people by nature want to be helpful. It’s important to train people to stick to the security policy and require them to be 100 percent accountable for their access.
Provide Proper Training
Creating a sound physical security policy can be relatively straightforward for an experienced operations professional, but properly training all of the people who determine the success or failure of the policy is often more challenging.
Perform Regular Internal Audits
Many data centers have some level of compliance requirements and, therefore, are audited on a regular basis. Even if external audits are performed, they do not replace the need to perform internal audits and checks regularly. Internal assessments include using an outside firm to assess the facility with a fresh set of eyes.
By following these best practices when designing a data center, managers can reduce many of the common design pitfalls and avoid future physical security infrastructure system headaches.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.