1. CurbtoCore:
BestPracticesforData
CenterPhysicalSecurity
Put simply, data drives our economy.
From healthcare to higher education,
from finance to bioscience, data is
critical to the success of organizations in
every industry. What we do and how we
support the functions of data collection,
storage and the absolute need to keep
that information secure grows more
critical every day.
Keeping that data secure is not a one-
size-fits-all proposition. That’s why
it’s necessary to thoughtfully assess
your current and future needs before
you allocate your budget and deploy
a program to secure critical assets. To
maximize the investment in physical
security, consider each section of
the facility from the perimeter of the
property to the center of the facility
where the server racks are housed. This
“curb to core” approach demonstrates
effective physical security measures that
complement the fundamental business
operations of the data center.
In this constantly evolving market,
facility managers need to be aware of
new physical security options and best
practices for securing data and data
facilities. Whether you’re a company
looking to evaluate a data center, or a
data company looking to upgrade and
improve their security, we’ll discuss some
of the codes and requirements from
major organizations along with important
considerations for each facility layer, from
curb to core.
Protecting Different Types
of Data Centers
As a facility manager, you know that most
data centers fit into one of three broad
categories.
The enterprise data center essentially
serves as the backbone of the corporation.
Sites for these types of data centers are
generally selected based on cost factors;
they tend to be located where land and
connectivity are the cheapest or where
existing business operations can provide
the needed space and infrastructure.
Most of these sites have existing physical
security measures and practices in place
that can offer a starting point to “bolt on”
the needs of the data center space.
The second type is the co-location or
“colo” data center. These facilities provide
a range of data management services for
their clients or tenants. When it comes
to security, the co-location facility can be
particularly challenging in that competing
entities could very well find themselves
storing important data across the hall,
in the cage adjacent to, or even within
the same cage as one another. Keeping
each client’s needs represented and
fundamentally separate is demonstrated
by the need and value of security all the
way to the server rack cabinet.
The third type, known as a blended or
distributed model, is most common
among large corporations. True to
its name, the “distributed model” is
characterized by the use of space owned
or leased by the entity that needs it.
By Chris Hobbs
2. Oftentimes, the rental of external space
can be a short-term solution as the
company constructs additional buildings
of its own, at which point the storage is
brought back under the corporate roof.
Obviously, the blended model responds
to the ever-changing needs of rapidly
expanding online companies, utility or
infrastructure providers. The fact that
data is being stored in different facilities
requires a more thorough approach to
physical security.
Standards and Codes
Depending on the industry of the data
center user, the access control solution
must satisfy thorough and specific
compliance requirements. Three
important examples of these regulations
are outlined below.
Health Insurance Portability and
Accountability Act of 1996 (HIPAA):
HIPAA Title II includes an administrative
simplification section that deals with
the standardization of health care
information systems. In the information
and communications technology
(ICT) industries, this section is what
most people mean when they refer
to HIPAA. The Act seeks to establish
standardized mechanisms for electronic
data interchange security and the
confidentiality of all health care data.
HIPAA mandates standardized formats
for:
• All patient health, administrative and
financial data.
• Unique identifiers (ID numbers for each
health care entity, including individuals,
employers, health plans and health
care providers).
• Security mechanisms to ensure
confidentiality and data integrity for
any information that identifies an
individual.
Payment Card Industry Data Security
Standard (PCI DSS): The PCI DSS is
a widely accepted set of policies and
procedures intended to optimize the
security of credit, debit and cash card
transactions and protect cardholders
against misuse of their personal
information. It requires that access to
system information and operations
be restricted and controlled and that
cardholder data is protected physically
and electronically.
North American Electric Reliability
Corporation (NERC): Five of NERC’s nine
mandatory CIP (Critical Infrastructure
Protection) standards are important
to consider when managing your data
center security:
CIP-003: Requires that responsible
entities have minimum-security
management controls in place to protect
Critical Cyber Assets;
CIP-004: Requires that personnel with
authorized cyber or unescorted physical
access to Critical Cyber Assets, including
contractors and service vendors, have
an appropriate level of personnel risk
assessment, training, and security
awareness;
CIP-005: Requires the identification and
protection of the Electronic Security
Perimeters inside which all Critical Cyber
Assets reside, as well as all access points
on the perimeter;
CIP-006: Addresses implementation
of a physical security program for the
protection of Critical Cyber Assets;
CIP-007: Requires responsible entities
to define methods, processes, and
procedures for securing those systems
determined to be Critical Cyber Assets,
as well as the other (non-critical) Cyber
Assets within the Electronic Security
Perimeters.
The common thread across all these
regulatory requirements is the need
for proper security (both physical and
electronic) to ensure the safety of data.
While the various regulations mandate
data protection, they do not prescribe
CurbtoCore: BestPracticesforDataCenterPhysicalSecurity-continued
“What we do and how we
support the functions of
data collection, storage
and the absolute need
to keep that information
secure grows more
critical every day.”
3. the path to achieve this goal. As a result,
it is critical for data center professionals
to have a thorough understanding of
applicable compliance requirements so
they can identify the best solutions and
policies for their organizations.
Securing the Perimeter
Regardless of the type of data center,
physical protection begins at the
perimeter. A berm of dirt or land, for
example, can be created to establish a
physical barrier that prevents vehicles
driving on the property. With permission
of local jurisdictions, the physical security
solution can begin with landscaping,
high-security fencing or a combination
of the two. High security perimeter
solutions from Ameristar include top-
of-the-line steel fencing with anti-ram
barriers, designed to withstand multiple
vehicle threats.
Within the fencing is an ideal spot
for exceptionally sensitive intrusion
detection systems, or IDS. These systems
use a variety of technologies such as
lasers to detect movement across the top
of the fence and then generate an alert
when someone tries to cross, or wire
tension sensors to alert when someone
attempts to scale a fence.
Main Entrance
The next layer is the main entrance to
the facility, which is typically a vestibule
housing the visitor management and
access control functions. In some cases
this includes a mantrap. This space
is a neutral zone where the visitor or
employee is out of the weather but
still needs to be qualified before being
granted access to the building, a step that
requires accompaniment by authorized
personnel or evidence of access rights
such as a credential. Typically a mantrap
includes an electrified deadlatch, such as
the 4300 Steel Hawk from Adams Rite,
which combines mechanical locking
hardware with electrified access control
while working within standard aluminum
entrance door preparation.
Interiors
Next is the interior, where conference
rooms, managerial offices and an array
of general purpose space requires
different types of physical security
measures. Securitron offers a variety
of entry devices, particularly the R100
surface mounted wireless reader and
Aperio hub, which brings access control
to entryways with fully encrypted AES
128 communication and audit trail
capabilities.
These areas are separate from the data
center floor and often house other
large equipment such as batteries and
generators, which are mission-critical to
protect data during power outages. The
openings into these spaces are generally
oversized and therefore require specialty
doorframes and hardware. Ceco offers
an RF shielded door and frame that
prevents outside interference, ensuring
that sensitive and confidential data is
contained. These openings guarantee a
high level of durability, thickness, blast
resistance and gasketing to prevent
fumes from escaping.
Critical Infrastructure Space
The next layer enters the very core of the
building. When it comes to protecting
the servers and the infrastructure that
supports their operation, there must be
a durable, proven access control solution
in place. Often a biometric reader is
employed to identify people based on
their hand geometry, fingerprints or
irises as a method of dual authentication
aside the traditional card access system.
Cages are generally associated with
co-locations. If a client rents a 10-foot-
by-10-foot space, he will almost certainly
expect that space to be physically
separated from the spaces rented by
other clients. The cages offer six-side
CurbtoCore: BestPracticesforDataCenterPhysicalSecurity-continued
4. protection and are usually protected by
a combination of biometrics, Securitron
maglocks, and card access. Client
business models generally drive security
deployment at this level to ensure
regulatory compliance.
Servers
The server cabinets are the last stop. This
is an area with security options ranging
from relatively simple locks to advanced
access control solutions with audit trail
capabilities.
To protect the data held within each
server rack, HES offers the KS100 server
cabinet lock and Aperio hub. If there is
an existing access control system, the
Aperio hub ties in directly, bringing real-
time access control to each cabinet in a
single-card system. This wireless solution
greatly improves the monitoring and
security level of each server cabinet. It
uses existing ID badges so there are no
keys to control or replace and no codes
to secure or remember.
If a hardwired solution is required,
HES offers the KS200 server cabinet
lock that uses Wiegand wiring to
integrate seamlessly with any existing
access control and ID badge system.
Both options support a Small Format
Interchangeable Core (SFIC) key override
and provide robust, cost-effective access
control that meets strict regulatory
compliance and protects data. Both
the KS100 and KS200 have the added
capability of extending their impact to
include three contact points that are
commonly used to monitor the side
panels of the racks, providing a central
point for the communication back to
the access control platform. This not
only extends the value and impact of the
access control device but also lowers the
cost of deployment versus traditional
installations.
There is also the option of enhancing
the KS200 by removing the mechanical
override and replacing it with a
Medeco XT electronic cylinder for a
full accountability solution. Since data
centers are indeed critical, and need
more than what a mechanical solution
can offer, there is also the XT Intelligent
Key System that provides scheduling,
audit and ability to expire keys thereby
increasing accountability and security.
The products selected will depend
in large part on the way the servers
are arranged in the space. With either
an open room with many rows of
server racks or a hot aisle or cold aisle
configuration there are operational
and environmental challenges. In either
scenario, the HES KS100 and KS200, with
a Medeco XT Intelligent Key System as
well as the Securitron R100, are optimal
solutions.
Best Practices
It is important that protocols are in place
not just for data security but also for life
safety and good business practices. In
fact, when procedures are not developed
or deployed, it creates significant
vulnerabilities for the organization.
Like other facets of facility management,
execution is paramount. Several
organizations, including BICSI, the
Federal Emergency Management Agency
and ASIS International, offer guidance in
the development and management of
security protocols.
Regardless of the type of data center
you’re managing, the advances made in
this field make it possible to offer higher
levels of security from the perimeter
through to the server cabinet itself as
a competitive advantage. In nearly any
industry, companies will pay a premium
to protect their critical data.
Chris Hobbs is Business Development
Leader, Data Centers at ASSA ABLOY Door
Security Solutions. He can be reached at
Chris.Hobbs@assaabloy.com.
CurbtoCore: BestPracticesforDataCenterPhysicalSecurity-continued