Cabinet-Level Controls: The Final Layer of Physical Data Center Security

You've secured your data center perimeter. You've established facility controls to protect entrances. You've locked down server rooms and deployed multiple factors of physical authentication to govern who can access your racks. And you feel confident that you've done everything possible to maintain physical data center security.

Unfortunately, gaps remain in your physical security strategy. You haven't yet addressed risks that arise from what's known as the "fourth layer" of data center security, which centers on securing individual server cabinets. For that reason, you're still prone to threats like malicious insiders.

Related: Rethinking Physical Data Center Security in the Digital Age

No physical data center security strategy is complete without cabinet-level controls. Keep reading for a dive into what cabinet-level security entails as we unpack the fourth  and final layer of data center physical security.

The Four Layers of Data Center Security

To understand where cabinet security fits within data center physical security strategies as a whole, it's useful to adopt the International Society of Automation's concept of four layers of physical data center security. That philosophy breaks down physical security controls as follows:

• Layer 1 — perimeter security: The foundation of data center physical security is protecting your perimeter by discouraging and monitoring unauthorized access to the property where your data center resides. The goal here is to prevent risks like threat actors jumping fences or breaking in through windows.
• Layer 2 — facility controls: Facility controls are measures, such as access cards and biometric authentication devices, that restrict who can pass through a data center's legitimate entrances.
• Layer 3 — server room controls: Layer 3 focuses on protecting access to the room or rooms in the data center that house servers. Since this is the heart of the data center, you should establish a separate set of access controls and monitoring solutions to prevent unauthorized access to any room containing IT equipment.
• Layer 4 — cabinet controls: You don't want to give free rein to threat actors who manage to slip inside server rooms. That's where the fourth and final layer of data center physical security comes into play. It provides a final layer of defense via devices that manage access to individual cabinets of servers.

Related: A Guide to Server Rack Sizes for Data Centers

It's only when you've established rigorous security controls and visibility at each of these layers that you can consider your physical security strategy to be complete.

What Is Cabinet-Level Security?

Understanding security layers one to three is simple enough. Perimeter-level barriers and monitoring systems, as well as card-based or biometric authentication devices that restrict who can open doors and enter rooms, are nothing new.

But cabinet-level security controls tend to be a more novel concept to at least some data center operators. Beyond locking cabinets with keys — a practice that is logistically complicated in situations where multiple people need to access cabinets — it has not traditionally been common to invest in advanced cabinet-level protections.

That's not because such protections don't exist. There are a variety of solutions that can protect cabinets, such as:

• Locks that integrate with the digital, card-based access control systems that govern other parts of data centers, allowing operators to manage access permissions for multiple layers of security using a centralized system.
• Locks that require biometric authentication, such as fingerprint scanning, to open a cabinet. These locks can also integrate with larger authentication systems.
• Camera systems inside security rooms that monitor who is accessing which servers.
• Access control auditing software that connects to digital locks to track access patterns and flag unusual activity (such as access to a server rack at an unusual time of day).

For data center operators, it's simply a matter of taking advantage of protections like these to implement cabinet-level rack security.

The Importance of Cabinet-Level Security

In some respects, cabinet-level security may seem less significant than the other layers of physical data center security. After all, if you establish strong protections to prevent bad guys from getting into your facility in the first place, do you really also need to establish another layer of protection on individual cabinets?

The answer is a strong yes, because there are situations where someone who easily passes through other security controls may turn out to be a threat to individual servers. For example, imagine scenarios such as the following:

• A disgruntled data center technician, who has access to all parts of the data center facility, decides to tamper with equipment to cause harm to the data center operators.
• An employee of one company that operates servers in a colocation facility accesses servers owned by another company in a bid to steal data.
• In the midst of responding to a stressful outage incident, a well-meaning engineer accidentally power cycles servers that are unrelated to the failure because he mistakenly accesses the wrong cabinet.

In each of these cases, someone whose access card or biometric controls allowed them access to the server room is still a threat to the servers housed in individual cabinets, and only rack-level security controls would be sufficient for preventing an incident.

Note, too, that cabinet-level protections are important because cabinets and servers are the place where physical security meets digital security. Once someone is inside your cabinet, the job of preventing unauthorized access passes over to digital protections, such as passwords that restrict access to servers. Cabinet-level physical protections are your last chance to use physical controls — which are much harder to hack because they usually can't be circumvented by exploiting software vulnerabilities — before the bad guys get in.

The Challenges of Data Center Cabinet Protections

While cabinet-level controls deliver clear benefits, they also present some challenges.

The biggest is that they add another layer of authentication that technicians must pass through to do their jobs. Having to scan a card or fingerprint before opening a rack is not especially time-consuming, but cabinet-level controls could present issues in cases where a digital lock malfunctions at a time when staff need to get into a cabinet to address a time-sensitive problem.

Cabinet-level locks also increase the management burden of data center operators because they make it necessary to establish granular access control settings to govern who can access individual cabinets. This is more complex in most cases than managing access rights for entire facilities or server rooms, which are not as granular.

The cost of cabinet-level protections is a factor to consider, too. Relative to other physical security controls, cabinet-level locks are not especially pricey, but they will increase overall physical security budgets.

All of these challenges can be addressed, and none is a reason not to adopt cabinet-level controls. But organizations aiming to extend physical data center security strategies to protect individual cabinets should ensure that they have a plan for mitigating these challenges.

The Final Layer of Physical Data Center Security

No amount of higher-level physical security controls can mitigate certain types of threats that affect individual server cabinets and the IT equipment inside them. That's why taking advantage of modern protections for cabinets inside your data center is an essential component of any data center's physical security strategy. When you restrict who can access each cabinet and you monitor for threats against individual racks of servers, you've closed a critical gap in physical security operations