Data centers: Security without compromise
Editor / Provider: Tevin Wang, a&s International | Updated: 9/19/2013 | Article type: Commercial Markets
Digital information is becoming ubiquitous while connected devices proliferate with ever-faster transmission speeds. These factors continue to drive rising demand for data centers. Cisco forecasts global data center traffic to grow fourfold and reach a total of 6.6 zettabytes annually by 2016, and global cloud traffic to grow sixfold at a 44 percent compound annual growth rate (CAGR), to reach 4.3 zettabytes by 2016. The growth does not stop at data traffic.
According to IDC Research, the size of US data centers will increase significantly, growing from 611.4 million square feet this year to more than 700 million square feet in 2016. Data center security has become one of the highest network priorities. Companies that operate their own data centers will spend an average of US$17 million on security products in 2013, according to Infonetics Research.
The main concern of a data center is the intentional acquisition of personal or corporate data by unauthorized people, according to Kenneth Mara, President and CEO at World Wide Security. Sabotage, theft, and uncontrolled access to a data center's assets pose the most immediate risks.
Patrick Lim, Director of Sales and Marketing at Ademco Far East (an Ademco Security Group Company) agreed. “The main concern is the amount and variety of people that access the data center. In an Internet Data Center (IDC), there are many different customers, each with their own staffs accessing the data center and racks. To make matters more complex, some of these data centers have their own contractors for equipment and technical support. All these varieties of activities and visitors create massive access control challenges.”
Another primary concern for a data center is the upstream and downstream fiber, which must be protected, along with the environmental systems that support the data center, such as power, backup power, heating, and cooling, added Jeff Slotnick, CSO at OR3M.
The primary goals of the outer layer of data center protection, perimeter security, are the three D's: deter, detect, and delay. As an example, a perimeter fence equipped with sensors can serve as the first detection point for intrusion. This perimeter fence detection system can be integrated with intrusion alarms, limited access control points, high-definition video surveillance, and motion-activated security lighting. Security personnel will then be able to pinpoint an intrusion and immediately access the network's security system.
Vehicle barriers are adopted to prevent vehicles from physically reaching the data center, while personnel barriers prevent unauthorized entry on foot, including tailgating, added Benjamin Butchko, President and CEO at Butchko Security Solutions. For instance, retractable crash barriers can be used at vehicle entry points. In situations where extra security is needed, barriers can be left up by default and lowered only when someone has permission to pass through.
Besides site-hardening strategies, a perimeter video surveillance system can also be used to detect potential threats and intruders. Cameras can be installed around the perimeter of the data center, at all entrances and exits, and at every access point throughout the building. Motion detection technology, for instance, can trigger alarms, while video content analytics can identify objects left behind to quickly spot potential threats. These technologies make the surveillance system more proactive to detect potential security breaches. Furthermore, video footage should be digitally recorded and stored offsite.
Security inside Data Centers
Data centers house the data, applications, and access critical to many businesses, and the layout of most large data centers is similar. “There is a security/reception area that the user enters to gain access to their system. Upon check-in, they go to the lobby. From there, they go through a sally port to get into the secure common area,” said Emily Flink, Marketing Manager, Biometrics, Ingersoll Rand Security Technologies. “What this means is that, at the end of the lobby, they must be identified as authorized to enter the sally port room. Upon entering it, the door is closed. At the end of the sally port room, there is another identification authorization performed before they can go through that door to the secure common area. At this point, they can go to their own cage or vault, where they will again be identified as authorized before going through.”
If a breach has occurred at the perimeter or from inside, the facility-control layer of protection is there to prevent further access. “Data centers typically have a large number of infrequent users. This is especially true of independent data centers which have large numbers of customer users who only occasionally visit the site. Therefore, the system has to be easy to use but cannot rely on cards which can be easily transferred from person to person,” added Flink.
A solid visitor management system complements, and is a precursor to, the physical access control system. “Visitor management includes all workers and visitors being issued badges that have built-in access codes for various doors and areas on each badge. This prevents accidental access to areas,” Mara said. “It is very important to have those working in the facility pass background checks prior to employment.”
Mere access control is not enough. Indoor surveillance for identification and monitoring, as well as multiple ID verification methods are a must. Surveillance deployment and integration with access control can inhibit illicit activities and provide an extra layer of security. An integrated system can rapidly verify tripped alarms, which allows for a speedier response. “Integrated video is a standard demand now for data centers,” Lim said. For example, video surveillance can verify the identity of a person entering an unmanned access control point by capturing video as the person swipes his access card. It can also account for instances of tailgating.
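The tailgating case above is what the access-control and video integration buys a security operator: a badge swipe says how many people were authorized through a door, the video analytics say how many actually crossed, and the two should agree. The following is an added example, not code from the article or from any vendor quoted in it. It assumes a hypothetical export of badge events and of door open/close cycles annotated with a person count; all door names, badge IDs and timestamps are constructed.

```python
"""Added example (not from the article or any vendor): correlate access-control
badge events with video-analytics person counts to flag possible tailgating.
Event formats, door names and badge IDs below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BadgeEvent:
    ts: float          # seconds on a constructed timeline
    door: str
    badge_id: str
    granted: bool      # access granted by the door controller


@dataclass
class DoorCycle:
    """One open/close cycle of a door plus the number of people the video
    analytics counted crossing the threshold while it was open."""
    opened: float
    closed: float
    door: str
    persons_counted: int


def tailgating_alerts(badges: List[BadgeEvent], cycles: List[DoorCycle],
                      grace: float = 2.0) -> List[Dict]:
    """Return one alert per door cycle where more people crossed than were
    granted, or where the door opened with no granted swipe at all.
    `grace` lets a swipe made shortly before the door-open event count for it."""
    alerts = []
    for cycle in cycles:
        swipes = [b for b in badges
                  if b.door == cycle.door and b.granted
                  and cycle.opened - grace <= b.ts <= cycle.closed]
        if cycle.persons_counted > len(swipes):
            alerts.append({
                "door": cycle.door,
                "opened": cycle.opened,
                "granted_swipes": len(swipes),
                "persons_counted": cycle.persons_counted,
                "badges": [b.badge_id for b in swipes],
                "reason": "no granted swipe" if not swipes else "tailgating",
            })
    return alerts


# Constructed sample data: three door cycles at a hypothetical server-hall door.
SAMPLE_BADGES = [
    BadgeEvent(100.0, "server_hall", "B1", True),    # normal entry
    BadgeEvent(200.0, "server_hall", "B2", True),    # one swipe, two people cross
    BadgeEvent(300.0, "server_hall", "B9", False),   # denied, yet the door opened
]
SAMPLE_CYCLES = [
    DoorCycle(101.0, 106.0, "server_hall", 1),
    DoorCycle(201.0, 207.0, "server_hall", 2),
    DoorCycle(301.0, 305.0, "server_hall", 1),
]

if __name__ == "__main__":
    for alert in tailgating_alerts(SAMPLE_BADGES, SAMPLE_CYCLES):
        print(alert)
```

The second cycle produces a tailgating alert (one granted swipe, two people counted) and the third a "no granted swipe" alert, which is the case an operator would want to review first since the door opened without any authorization recorded. The grace window matters in practice: swipes are logged by the controller and door-open events by a separate sensor, so their clocks and latencies differ.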
Computer Room and Cabinet Control
While the physical security layering makes unwanted entry from “outside” a data center facility more and more difficult, inner layers are often ignored. “Personnel security programs are generally not robust in private industry for employees or contractors. Gaining data center insider access is a fundamental strategy for industrial espionage attacks,” Butchko said.
The insider threat is huge, especially in areas such as government or corporate espionage. A survey by Cyber-Ark showed some stunning numbers:
* 85 percent of employees admit to knowing that downloading corporate information from their employer is illegal.
* 25 percent of employees say they would take the data anyway, regardless of penalties.
* 41 percent of employees admit to having taken sensitive data with them to a new position.
* 26 percent of employees say they would pass on company information if it proved useful in getting friends or family a job.
Although the insider threat can be the most elusive, security within the inner layers of data centers, such as the computer room and cabinet controls, can help secure the core of data. This starts with recruiting. “Good internal security starts with hiring the right people. This requires a strong Human Resources program working in conjunction with the Chief Security Officer to ensure proper and complete background checks are accomplished on all employees, contractors, and laborers which have access to sensitive areas of the facility. In my opinion, a good upfront background check, in most cases, will prevent a majority of internal breaches,” Slotnick said.
“Another area of consideration when dealing with the internal threat is how the Human Resources Department and the Security Department work together to ensure terminations with dignity to prevent workplace violence or a malicious system attack. Part of the process for a quality access control program is to know which employees, contractors, and service personnel are no longer employed so their access permissions can be removed or modified. This includes the return of all access control and identification cards. In my opinion, this is a significant communications gap in most organizations where someone's status has changed and the security personnel have not been informed or kept in the loop.”
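The communications gap Slotnick describes is one that can be checked mechanically: the HR roster says who is still employed, the access-control system says which badges still open doors, and any badge whose holder is gone, unknown to HR, or simply never used is a candidate for revocation. The following is an added example, not code from the article or from any of the organizations quoted in it. It assumes two hypothetical CSV exports with the columns shown; every employee ID, badge ID and date in them is constructed.

```python
"""Added example (not from the article): reconcile the HR roster against the
access-control badge list to find badges whose permissions should be revoked.
Both CSV extracts and every ID and date in them are constructed for illustration."""
import csv
import io
from datetime import date, datetime
from typing import Dict, Optional

# Hypothetical HR export: one row per person, status and end date.
HR_ROSTER_CSV = """employee_id,name,status,end_date
E100,Alice Example,active,
E101,Bob Example,terminated,2013-09-01
E102,Carol Contractor,active,
"""

# Hypothetical badge export from the access-control system.
ACCESS_CSV = """badge_id,employee_id,areas,last_used
B1,E100,lobby;server_hall,2013-09-15
B2,E101,lobby;server_hall,2013-09-03
B3,E102,lobby,2013-06-01
B4,E999,lobby;server_hall,2013-09-10
"""


def _parse_date(s: str) -> Optional[date]:
    return datetime.strptime(s, "%Y-%m-%d").date() if s else None


def find_revocations(hr_csv: str, access_csv: str, today: date,
                     dormant_days: int = 60) -> Dict[str, str]:
    """Map badge_id -> reason for every badge that should be disabled:
    holder terminated in HR, holder unknown to HR, or badge unused for
    longer than `dormant_days` (a badge nobody uses is one nobody will miss)."""
    roster = {row["employee_id"]: row
              for row in csv.DictReader(io.StringIO(hr_csv))}
    revoke: Dict[str, str] = {}
    for badge in csv.DictReader(io.StringIO(access_csv)):
        emp = roster.get(badge["employee_id"])
        last_used = _parse_date(badge["last_used"])
        if emp is None:
            revoke[badge["badge_id"]] = "no HR record for holder"
        elif emp["status"] != "active":
            end = _parse_date(emp["end_date"])
            reason = f"holder {emp['status']} on {emp['end_date']}"
            # A badge that was used after the end date is an incident, not just a cleanup item.
            if end and last_used and last_used > end:
                reason += "; badge used after that date, investigate"
            revoke[badge["badge_id"]] = reason
        elif last_used is None or (today - last_used).days > dormant_days:
            revoke[badge["badge_id"]] = f"dormant: unused for more than {dormant_days} days"
    return revoke


if __name__ == "__main__":
    result = find_revocations(HR_ROSTER_CSV, ACCESS_CSV, date(2013, 9, 19))
    for badge_id, reason in result.items():
        print(f"disable {badge_id}: {reason}")
```

Run against the constructed data, badge B2 is flagged because its holder was terminated and, worse, the badge was used two days after the end date; B4 has no HR record at all; B3 is dormant. Running such a reconciliation on a schedule, rather than relying on HR to remember to notify security, closes the gap the quote describes.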
Enhanced Security with Multi-Factor Authentication
Inadequate authentication methods lead to sensitive information being compromised. Ultimately, the primary concern of core data center security is access control to the server farms. “The large halls which contain the servers need to be closely monitored to ensure only authorized individuals are permitted entrance and then only at authorized times,” Slotnick said. “This requires a complex system of easy-to-use access control features.”
“At data centers, assured authentication begins by accepting the reality that no one single form of authentication by itself is 100 percent. Even biometrics (including DNA matching) is not perfect,” said Phil Scarfo, VP of Worldwide Sales & Marketing at Lumidigm. “Statistical error rates, however, are substantially reduced when multiple forms of authentication are employed. The use of biometrics as an additional tool or second factor greatly enhances the ability to get closer to 100 percent in the continuum to assured authentication. The reason for selecting biometrics as one of the two factors is clear. Knowing ‘who’ is the goal of assured authentication and biometrics is the only form of authentication that is focused on the identification of the individual, not something they have or something they know.”
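The claim that error rates drop when factors are combined can be made concrete. When every factor must pass, an impostor has to defeat all of them, so the false-accept rates multiply; a legitimate user is turned away if any factor rejects, so the false-reject rates add (approximately). The following is an added example, not code from the article or from Lumidigm; the per-factor rates it uses (a 4-digit PIN guessed at random, a fingerprint sensor at 0.1 percent FAR and 2 percent FRR) are constructed illustrative values, and the arithmetic assumes the factors fail independently.

```python
"""Added example (not from the article or Lumidigm): how false-accept (FAR) and
false-reject (FRR) rates combine when several independent authentication factors
are required. The per-factor rates below are constructed illustrative values."""
from math import prod
from typing import Sequence, Tuple


def combine_all_required(fars: Sequence[float], frrs: Sequence[float]) -> Tuple[float, float]:
    """Every factor must pass (true multi-factor). An impostor must fool all of
    them, so combined FAR is the product; a genuine user is rejected if any
    factor rejects, so combined FRR is 1 - prod(1 - FRR_i).
    Assumes independent failures: a stolen card with the PIN written on it
    violates that assumption and the product no longer applies."""
    far = prod(fars)
    frr = 1.0 - prod(1.0 - f for f in frrs)
    return far, frr


def combine_any_sufficient(fars: Sequence[float], frrs: Sequence[float]) -> Tuple[float, float]:
    """Any one factor is enough (a fallback arrangement, not MFA). The roles
    swap: FAR = 1 - prod(1 - FAR_i), FRR = prod(FRR_i). Convenient for users,
    but an impostor only needs to beat the weakest factor."""
    far = 1.0 - prod(1.0 - f for f in fars)
    frr = prod(frrs)
    return far, frr


def expected_impostor_attempts(far: float) -> float:
    """Mean number of impostor attempts before one is accepted."""
    return 1.0 / far


# Constructed values: a 4-digit PIN guessed at random (1 in 10,000, and a known
# PIN is never wrongly rejected) and a fingerprint sensor at FAR 0.1% / FRR 2%.
PIN = (1e-4, 0.0)
FINGER = (1e-3, 0.02)

if __name__ == "__main__":
    fars, frrs = [PIN[0], FINGER[0]], [PIN[1], FINGER[1]]
    far, frr = combine_all_required(fars, frrs)
    print(f"PIN AND fingerprint: FAR={far:.1e}, FRR={frr:.3f}, "
          f"~{expected_impostor_attempts(far):,.0f} impostor tries per false accept")
    far, frr = combine_any_sufficient(fars, frrs)
    print(f"PIN OR fingerprint:  FAR={far:.1e}, FRR={frr:.3f}")
```

With both factors required, the false-accept rate falls from 1 in 1,000 (fingerprint alone) to 1 in 10,000,000, at the cost of the fingerprint sensor's 2 percent false-reject rate. The "any one suffices" variant shows the trap of adding a factor as a convenience fallback: its FAR is worse than either factor alone, so the policy, not just the hardware, determines whether a second factor helps.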
Preventing a fire is crucial in a data center. “There should always be a business contingency plan for emergencies. Advanced fire systems, which detect heat and smoke long before a fire breaks out, should be part of a company's fire safety plan. These advanced warning systems can reduce the overall cost of repairs and downtime,” Mara said. “Backup servers off-site at multiple locations will help to protect against a fire which could not only pose a threat to overall operations but also to an operational shut down for periods of time.”
Technological advancements in security devices, such as surveillance cameras, video management and recording platforms, and intelligent access control hardware and software have enhanced the possibility of a totally secure data center. However, successful implementations of a central management system rely not just on subsystem integration, but also on effective communication throughout an organization.