Digital Security Is Built On Physical Security

In a world where critical business tasks happen virtually, it’s easy to forget that even “virtual” data must be stored in a physical location. As you may have heard it said, “the cloud is just someone else’s computer,” and most often that computer is a server in a data center that sits miles away from the work being done.

The security of the location where those servers operate is arguably the first and most important layer of data security. Virtual or cyber-security is built on the integrity of physical security, because without trustworthy physical security, cyber-security is worthless.

Data centers are often categorized in four tiers, according to criteria such as uptime, redundancy, and utility support. Although the numbers may not appear radically different between each tier, rest assured that the cost required to achieve each tier differs dramatically. And while it might feel nice to have a Tier 3 data center for your small business, the expense is unlikely to justify itself. Also, looking only at the four tiers can obscure the sheer complexity associated with it. It’s beneficial look for a partner that can help you lay out a data center security plan that is both effective, and cost-efficient.

• Small business
• 99.671% uptime
• 28.8 hours downtime per year
• No redundancy

• Medium-size business
• 99.749% uptime
• 22 hours downtime per year
• Partial redundancy in power and cooling

• Large business
• 99.982.% uptime
• 1.6 hours downtime per year
• N+1 fault tolerant
• 72 hour power outage protection

• Enterprise corporations
• 99.995% uptime
• 26.3 minutes of downtime per year
• 2N+1 fully redundant
• 96 hour power outage protection

If you think of your data as a treasure (which it is) that you need to protect (which you do), it’s useful to expand the simile to that of a castle with distinct layers of protection and control. At the very center is the treasure, locked away from anyone who lacks authorization. At the outermost layer you have a wall that rebuffs the majority of un-sophisticated attacks. The closer you get to the data, the more precise and strict the security measures.

In a sense, the real estate of your data center is a form of perimeter control. The further the building sits from roads or other buildings, the easier it is to keep people away. However, you may not have the option to pick an isolated spot, so the perimeter you can control should have a single point of entry and exit, maybe a second for delivery access (every additional gate or checkpoint adds complexity and room for human error). Look for ways to make the landscaping and building forgettable, uninteresting, and difficult to penetrate. Fencing, barbed-wire, car-proof barriers, and berms can all create a sense of isolation and protection around the building.

Human checkpoints, RFID checkpoints, keyed doors, and even the architecture of the building itself are tools you should use to create a data center that is functional, and compartmentalized so that workers with varying access levels can accomplish their jobs without unnecessary friction. This is especially important when considering utility and maintenance access.

Each server room should also have clear points of entry and exit, with fire doors designed for “exit-only.” Consider using multiple layers of authentication, such as RFID badging and biometrics the closer that people get to the “treasure.” This prevents the “fox-in-the-chickenhouse” problem where once a malicious actor has penetrated the outer perimeter, they have unrestricted access to everything inside.

This is the innermost layer of your castle. Once an employee or contractor opens the cabinet where the server lives, the system is at its most vulnerable. Depending on how your servers are arranged and dedicated to certain operations, you may have varying levels of “sensitivity.” For the most critical or sensitive servers, you may want to require two-key access (where two employees have unique keys) to provide extra accountability for whoever is unlocking the cabinet.

By thoughtfully designing the physical layout and operating dynamics for your data center, you’re creating a layers of security that work 24/7. However, there are other processes and protocols that you need to establish so the entire operation can function smoothly.

Just like when you go to a popular night club and the bouncer checks to see if your name is on the guest list, you need lists that record who all has access to the data center and how deep their authorization allows them to go. You will need separate lists for employees, partners, vendors, and municipal authorities.

Security cameras may not stop unauthorized intruders, but they’re essential for creating visibility throughout the data center. That way you can quickly access where an intrusion or problem is happening and respond appropriately, including possible lockdowns or crisis protocols. A security command center is an excellent way to centralize the various systems in your data center, including video surveillance, HVAC, server cooling, and utilities.

The advent of RFID stickers allows for fast and accurate inventory or asset control. Although it may not seem like an obvious security risk, the reality is that everytime a human being needs to open up the system and interact with equipment they raise the risk of an accident and possible failure. Thus a simple, fast, accurate asset management system gives you the granular visibility you need, and protects the reliability and profitability of your data center.

Even if you have a robust HR process for evaluating and hiring qualified and trustworthy candidates, it’s still important to run regular checks and validate that everyone, including vendors, contractors, and clients, requesting access to the data center pass the minimum requirements.

The ISO/IEC 27000 family of information security standards provides a robust method for verifying that your data center adheres to industry best practices. It also provides reassurance to clients that your operation has the proper policies, procedures, and accountability to handle sensitive data. Although you can run informal audits according to the ISO 27000 standard, the only way to receive a certification is by hiring an authorized auditor to perform the audit.

It seems like every heist movie relies on getting into the HVAC for some reason or another, it could be to gain un-authorized access to the innermost rooms or simply to falsely trigger the emergency response system. While theft-by-HVAC may not be your chief concern, the reality is that HVAC systems are out-of-sight and out-of-mind until something goes wrong, so it’s important to design the system to be as secure and reliable as possible. Data centers generate an immense amount of heat and having an air-conditioner fail could allow server temperatures to fluctuate outside the normal operating range, leading to unexpected equipment failure or other downstream complications.

Any fire is catastrophic if left unaddressed, but conventional fire suppression systems that rely on fusible links and water dispersal could be just as catastrophic to the electronics that comprise your data center. It’s best to install systems that can contain and suppress the fire without compromising the equipment. It’s also critical that all staff understand the procedures around fire and how to evacuate quickly and safely (in a castle of locked doors and no windows, you don’t want anybody getting trapped in an emergency).

i.e.Smart Systems is a Houston, TX based technology integration partner that specializes in design and installation of audio/visual technology and structured cabling. For more than three decades, our team of in-house experts has partnered with business owners, architectural firms, general contractors, construction managers, real estate developers, and designers in the Houston market, to deliver reliable, scalable solutions that align with their unique goals.