Data centre users really value physical security, which they place as their top requirement.
Physical intrusion – it can happen
Those with long memories may recall the spate of thefts of Sun Microsystems computer systems across London at the start of the last decade. Those with even longer memories may remember the worldwide shortages of computer DRAM memory in the late 1990s, which led to PCs all over the world being randomly stolen so their memory chips could be stripped out and resold.
At an even higher level, there was the al-Qaida plot to blow up a major Docklands facility and disable the UK internet (foiled by MI5). More recently it's not uncommon to hear of disgruntled technicians walking out of a data centre with their employer's most critical piece of equipment before anyone had realised or could react. Data centre users really need to trust their data centre and they have a right to expect that trust will always be fulfilled.
Can you be trusted to secure a data centre?
So what does a professional data centre need to do to achieve that trust? Infrastructure, certainly, but the most important thing is a real human being – a properly trained professional security squad, on-site 24 hours a day, 365 days a year. A security team must be able to personally assess situations on the ground and make decisions immediately. In these kinds of situations, nothing substitutes for a real, trained person.
The second most important consideration is a safe security office for security staff to work in. They need to have a clear view of all the non-alarmed entrance points to the building, by CCTV if necessary, but preferably by direct sight. Their office needs to be at reception, so they can talk to, evaluate and screen all people going in and out of the facility. The area needs to be strong, with tough glass shields that can be shut fast for maximum protection from intruders. Security guards need to be able to retreat into it for long enough to be able to think, evaluate and ring for assistance, or, in extreme cases, call the police.
Furthermore, security teams need infrastructure to support them, particularly in large data centres where they cannot be everywhere at once. All possible approaches to the facility should be either directly visually monitored or alarmed (fire escapes, for example, which would never usually be opened). Main entrances should be blocked by magnetic, electronically-controlled doors, and no entry should be permitted except when security makes a positive decision to allow someone to enter or exit.
Good access control systems are needed to control entrances to all technical and plant areas. Swipe cards are the norm and are very effective. Doubling-up on access controls has a disproportionate effect on security; even swipe cards supplemented by a simple digilock will greatly increase security effectiveness -- but don't forget to change the digilock codes regularly. Swipe cards plus biometrics (e.g. fingerprint recognition) inside a security-controlled building are very difficult to circumvent, and just the existence of such a combination will deter most security violation attempts.
Give yourself more eyes and ears for your data centre's security
CCTV is vitally important in a data centre. All external entrances should be monitored continuously, as should all stairwells and corridors. The monitors should be in the protected security office, and the CCTV control systems need movement detectors and electronic trip-wires to alert security when something untoward happens.
Furthermore, don't forget that something may happen at night when the security guard is doing his rounds, so he needs a way of being alerted when he's not in the security office. All CCTV should be continuously recorded, as experience shows that retrospective security analysis is at least as valuable as real-time alerts.
As with all security systems, presentation and appearance matter. Deterring someone who sizes you up and concludes it would be too difficult to attack is better than having fought off an attack. Security is not all about equipment (although that does matter too). It's much more about training, attitude and awareness. It's about having security people who are continuously aware of their surroundings, alert to unexpected changes and curious and dynamic enough to respond to change. They must be supported by technical infrastructure, but, more importantly, they need to be backed up by training, processes and procedures.
Data centre security is all about judgement
The security guard's most important tool is not his CCTV or his swipe cards. It's his access list – the up-to-date list of who has authority to come and go, who may or may not be allowed to make deliveries or authorise equipment removals. The list always needs to be kept up-to-date by the colocation supplier or the data centre manager and also, most importantly, by the customer or data centre user's management. This requires good procedures, cooperation, collaboration and excellent contractor management.
All the security in the world is of no use if a man in a boiler suit carrying a spanner can turn up at the back door, saying he's come to fix the leak on the fourth floor, and be let in without question. Delivery processes, car park controls, support authorisation and escalation procedures all need thought and care so that when they are needed, they work the first time.
Time and again surveys show that customers rate physical security as the most important service a colocation facility or a data centre can offer. Security is an attitude; it is not purely about equipment. Any colocation provider or data centre operator needs to think it through carefully, implement it thoroughly and, more importantly, earn his customers' trust.
Roger Keenan is the managing director of service provider City Lifeline, and a contributor to
This was first published in November 2010