Ensuring data center physical security involves complying with key standards, knowing the threats, and overcoming hurdles. Are you prepared?
Data is precious for people, companies, and countries, so much so that some consider it the "oil of digital economy." Data centers, then, require strong protection. Data center physical security is critical, as any breach could result in potentially massive losses to the owners. Data center security standards and compliance with them are more critical now than ever.
But how exactly do you protect a space that holds so many high-value assets? This article explores data center security threats, challenges, and best practices.
What are the major data center physical security threats?
Data centers typically have a considerable number of physical security devices in a small space or area, which can be challenging for security leaders to manage. Unfortunately, the same priority that a customer may give to sites like office spaces wouldn't be enough for data center protection.
The "set it and forget it" approach
Ryan Schonfeld, Founder & CEO of RAS Watch, explains that many data centers are guilty of adopting a "set it and forget it" mindset when establishing a facility. This gives an appearance of strong security but allows the software to become outdated, with no one dedicated to monitoring it.
"As more and more companies shift to remote work and the storage of critical data via the cloud — and consequently, toward these data centers — the need for these facilities is not shrinking, it's growing, which means protecting them becomes even more important," Schonfeld said. "Even more importantly, the focus for these facilities has primarily been on protecting the data stored, monitoring for outages or abnormal activity, which means physical security programs have taken a back seat. But arguably, the protection of the facility itself is just as important as ensuring the data is safe from outside threats."
Physical threat through cyber exploits
Jammy DeSousa, Product Manager at Johnson Controls, points out that the primary data center security threat now is a cross-stream of physical, logical, and network security. The first attack vector for a physical attack could now be a cybersecurity attack or a security vulnerability exploit.
Data center protection from insider threats
Another prevalent data center security issue is insider threats, meaning data theft from within. Nigel Waterton, CRO of Arcules, says that they have seen very high-profile thefts of data in recent years as cybersecurity breaches continue to be a threat, involving both internal and external actors.
"Another threat is the location of the facility, whether it's in a highly trafficked, industrial area or in a more remote location without a lot of activity around it — both require a certain level of technical expertise to address threats to physical security in real-time," Waterton added.
Data center security standards to comply with
Complying with data center physical security standards is mandatory for regulatory approvals as well as ensuring proper protection. Failure to comply may result in fines that would cost the end customer dearly, and hence it's important to know them well. Some of the essential data center compliance standards are:
The ISO 27001 standard mandates the requirements for an information security management system. Complying with this standard allows customers to protect data of any nature. Like all ISO standards, this is not mandatory but will provide a certain level of assurance to the customer of the quality of data security.
ISO 20000-1 regulates the IT service management system for a customer. Solutions that comply with this standard will help the customer know that the managed services are of high quality.
SSAE 18 SOC 1 Type II, SOC 2 Type II and SOC 3
The Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is an important upgrade to the previous SSAE 16 standard for auditing service organizations. There are different types of SOCs under this standard, and organizations choose the one that best fits their business.
HIPAA, PCI DSS, and others
These regulate the security of information within certain domains. HIPAA, for instance, deals with the security of information in health care. PCI DSS deals with the security of data in the payment card industry. Besides these, there can be other data center standards based on the nature of the information handled. For instance, if the data is of importance to national security, there may be certain standards that the homeland security department would want to enforce.
Best practices for data center security
Ensuring physical security in data centers requires careful consideration of several factors. Industry experts list a few data center security best practices in this regard.
A multi-layered approach
There is no single-point security solution for data center protection. Waterton suggests a multi-layered approach to applying relevant technology, such as fencing around the perimeter (at a minimum), control points, surveillance cameras, physical barriers inside of the doors, gateways in and out of the building with turnstiles, as well as the ability to control access to various parts of the building.
"All these elements should work seamlessly together to provide protection of physical assets and intellectual property no matter where they're located within the facility," Waterton added.
Employee background checks
Mitigating insider/outsider threats is the next major step. Such a threat could be someone employed by either a state-sponsored intelligence agency or a corporate espionage bad actor.
"These people are not the 'Mission Impossible' master spy persona, but have been rather innocuous, low-key people that fly under the radar," Waterton points out. "It is critical for security leaders to consider the individuals employed within the data center facility. Methods for mitigating the risks associated with insider threats include background checks, security audits, and robust policies and procedures to maintain the protection of data and assets."
Data center access control and identity management
Controlling access and identity management of the people authorized to enter the data center is crucial. To Schonfeld, so much of it is applying the same types of countermeasures that you would in electronic security, such as multi-factor authentication, anomaly detection, identity management versus credential management, and the monitoring and actioning of real-time events from physical security devices.
"If some of the same protocols used in establishing cybersecurity measures were used across physical security, these facilities would be better prepared to protect physical assets from outside (or insider) threats," Schonfeld added.
Robust data center security architecture
Finally, successful data center protection requires a security architecture that meets all the standards. According to DeSousa, this means planning for security from the beginning and thinking about cybersecurity design as well as physical security design considerations. Using design consultants or someone who has experience with data center protection would be the first essential measure to protect against threats.
Challenges limiting data center protection measures
Probably the biggest challenge to ensuring data center security is corporate adoption. Traditionally, IT and physical security protection have not worked together toward common goals or under a solid corporate adoption plan that mandates cross-functional collaboration and creates a unified strategy.
"There's a significant amount of risks associated with data centers, and being able to recognize those risks is essential to implementing proper security in these locations," Waterton explains. "When there are hundreds of millions of dollars poured into building and developing the new generation of high-efficiency facilities, it's critical to acknowledge the risk outside (and inside) threats can bring."
Another factor is the cost, according to Schonfeld. Many organizations underestimate the importance of data center physical security, often missing the big picture and how it ties into cybersecurity. The idea that you can slap up some surveillance cameras and put some card readers on the doors and call it a security program is not feasible in these kinds of facilities.
Data center security tips for systems integrators
For systems integrators (SIs), understanding the data center business is a crucial part of establishing the right plan for protecting the facility, whether it's private, public, on-site, or co-located. Rather than having a "rinse and repeat" spec for data centers overall, it's important to design and implement a plan that drives the business, since not all data centers are created equal.
Managed security services
An important factor is the ability to offer more of a managed services approach for data center protection, with continuous oversight into the physical security landscape, according to Schonfeld.
"Offering data centers this option is a good way to elevate their protection to the level that these facilities are placing on cybersecurity initiatives and may help address the challenges of the cost that plague businesses, in general, these days," Schonfeld explains. "Breaches can cost a company upwards of hundreds of thousands to millions of dollars, so the ability to reach decision-makers on the ROI of ongoing oversight might be a huge selling point for offering these services."
Cyber and physical security expertise
A common problem that DeSousa finds in physical security SIs is the lack of knowledge of cybersecurity. Unfortunately, most SIs are playing catch-up when it comes to cyberthreats, which becomes a problem when protecting sites like data centers.
"They have to be well balanced these days, not only in terms of their knowledge of the physical security domain but also the IT domain," DeSousa added. "They should make sure that not only do they have people certified in low voltage electronics but also know about the convergence of physical and logical security layers and the network, as well as the tools and best practices."
Educating the end customer
It's also essential for SIs to work with the customer to ensure they know data center physical security requirements and what to prioritize.
"If integrators cannot educate the customer on why they need to implement the necessary protections, they shouldn't be working within the data center space," Waterton says. "To be truly successful in this market, SIs must understand the needs of the market and facilities as it relates to not only physical security but the customer's complete business strategy."
Data center physical security: are you prepared?
Data center security is a mix of physical and cyber protection measures. Compliance with data center security standards is essential, along with in-depth knowledge of the threats, challenges, and best practices. For SIs, expertise in cyber-physical convergence, managed services, and the willingness to educate end customers is vital to do well in this sector.