Douglas Miorandi is Director of Federal Programs, Counterterrorism and Physical Data Security for Metrasens.
Edward Snowden’s name entered the cultural lexicon in 2013 after he leaked thousands of classified National Security Agency documents to journalists. He’s been called a traitor, a patriot, a revolutionary, a dissident and a whistleblower. However you feel, there’s one way to categorize him that no one can dispute: He’s a thief.
The scary truth is that Snowden is not the only employee to attempt to smuggle secrets out of a building – and we must learn from his success to prevent it from happening again.
Since the dawn of the digital age, we’ve fought cyber pirates with tools like firewalls, encryption, strong passwords, antivirus software and white-hat hackers. But with so much attention on protecting against cyber risks, we sometimes forget about the other side of the coin: the risk that data will be physically removed from the building.
Data centers are a particularly vulnerable target given the vast amount of valuable data they contain. Research has shown that accidental and malicious unauthorized access from within data centers accounts for between 9 percent and 18 percent of total data breaches, costing the global industry more than $400 billion annually.
Given the constant risk of data breaches, the need for an efficient physical security system in data centers becomes critical.
With that in mind, here are four main risks to physical data security:
Risk One: The Insider Threat
People steal data from their workplaces because they see an opportunity, whether it’s to expose something damaging due to a personal vendetta, or because they can sell the information. This can happen to private companies as well as government agencies. Remember that Snowden was a contractor working for the NSA.
Risk Two: The Outsider Threat
In addition to worrying about their own employees, companies and government agencies need to be wary of threats from outsiders.
Outside threats can come in the form of the corporate spy – someone hired to pose as a legitimate employee or private contractor in order to extract information; or the opportunistic thief – a contractor working in sensitive areas who sees their chance and takes it. Either one could cause equal damage to sensitive data.
Risk Three: The Seemingly Innocent Personal Item
There are two types of personal items that can be used to steal data: the commercially available off-the-shelf (COTS) variety, and the intentionally disguised variety.
COTS devices include SD cards, external hard drives, audio recorders and even cell/smart phones, any of which can be used to transport audio, video and computer data in and out of a building.
Intentionally disguised devices could be a recording device that looks like a car-key fob, or a coffee mug with a USB drive hidden in a false bottom.
The difference between COTS and disguised devices is that if someone is caught with a COTS device, security will recognize and confiscate it. The disguised device might not be recognizable and anyone could carry it into the workplace, making it especially devious.
Risk Four: Poor or Nonexistent Screening
Even data centers with strict cyber security protocols fall short when it comes to physically screening people for data transfer and recording media. This is a huge mistake, and the consequences can be dire.
Years ago, it was much harder for the average Joe to figure out where they could sell stolen data. Now, with the Deep Web, anyone with the Tor browser can access forums requesting specific information from competing spy agencies, greatly increasing the likelihood people will try it.
The good news is that all of these threats are avoidable with the right measures.
Combating the Physical Risks to Data Security
Not long ago, the building/physical security department and the IT/cybersecurity department were considered two completely separate entities of an organization with little interaction. Now data centers are realizing that they must take a holistic approach to data security.
Physical data security and cyber security must be considered together for an airtight policy that protects sensitive, confidential assets from attack.
One of the most effective means of physical detection is a ferromagnetic detection system (FMDS). It’s non-invasive and senses disturbances in the Earth’s magnetic field, so it can detect anything with a magnetic signature – including hard drives, cell phones, SD cards and recording devices.
FMDS is the most reliable method of finding small electronics (as well as other ferrous metal objects, like weapons), and should be part of the “trust, but verify” model, in which companies assume the best of their employees and anyone else entering the building, but still take necessary precautions.
Opinions expressed in the article above do not necessarily reflect the opinions of Data Center Knowledge and Informa.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.