[ISN] 19 Ways to Build Physical Security into a Data Center
InfoSec News
isn at c4i.org
Wed Nov 16 02:15:16 EST 2005
http://www.csoonline.com/read/110105/datacenter.html
By Sarah D. Scalet
CSO Magazine
November 2005
At information-intensive companies, data centers don't just hold the
crown jewels; they are the crown jewels. Protecting them is a job for
whiz-bang technologists, of course. But just as important, it's a job
for those with expertise in physical security and business continuity.
That's because all the encryption and live backups in the world are a
waste of money if someone can walk right into the data center with a
pocket knife, a camera phone and bad intentions.
There are plenty of complicated documents that can guide companies
through the process of designing a secure data centerfrom the
gold-standard specs used by the federal government to build sensitive
facilities like embassies, to infrastructure standards published by
industry groups like the Telecommunications Industry Association, to
safety requirements from the likes of the National Fire Protection
Association. But what should be the CSO's high-level goals for making
sure that security for the new data center is built into the designs,
instead of being an expensive or ineffectual afterthought?
Read below to find out how a fictional data center is designed to
withstand everything from corporate espionage artists to terrorists to
natural disasters. Sure, the extra precautions can be expensive. But
they're simply part of the cost of building a secure facility that
also can keep humming through disasters.
1.) Build on the right spot. Be sure the building is some distance
from headquarters (20 miles is typical) and at least 100 feet from the
main road. Bad neighbors: airports, chemical facilities, power plants.
Bad news: earthquake fault lines and (as we've seen all too clearly
this year) areas prone to hurricanes and floods. And scrap the "data
center" sign.
2.) Have redundant utilities. Data centers need two sources for
utilities, such as electricity, water, voice and data. Trace
electricity sources back to two separate substations and water back to
two different main lines. Lines should be underground and should come
into different areas of the building, with water separate from other
utilities. Use the data center's anticipated power usage as leverage
for getting the electric company to accommodate the building's special
needs.
3.) Pay attention to walls. Foot-thick concrete is a cheap and
effective barrier against the elements and explosive devices. For
extra security, use walls lined with Kevlar.
4.) Avoid windows. Think warehouse, not office building. If you must
have windows, limit them to the break room or administrative area, and
use bomb-resistant laminated glass.
5.) Use landscaping for protection. Trees, boulders and gulleys can
hide the building from passing cars, obscure security devices (like
fences), and also help keep vehicles from getting too close. Oh, and
they look nice too.
6.) Keep a 100-foot buffer zone around the site. Where landscaping
does not protect the building from vehicles, use crash-proof barriers
instead. Bollard planters are less conspicuous and more attractive
than other devices.
7.) Use retractable crash barriers at vehicle entry points. Control
access to the parking lot and loading dock with a staffed guard
station that operates the retractable bollards. Use a raised gate and
a green light as visual cues that the bollards are down and the driver
can go forward. In situations when extra security is needed, have the
barriers left up by default, and lowered only when someone has
permission to pass through.
8.) Plan for bomb detection. For data centers that are especially
sensitive or likely targets, have guards use mirrors to check
underneath vehicles for explosives, or provide portable bomb-sniffing
devices. You can respond to a raised threat by increasing the number
of vehicles you checkperhaps by checking employee vehicles as well as
visitors and delivery trucks.
9.) Limit entry points. Control access to the building by establishing
one main entrance, plus a back one for the loading dock. This keeps
costs down too.
10.) Make fire doors exit only. For exits required by fire codes,
install doors that don't have handles on the outside. When any of
these doors is opened, a loud alarm should sound and trigger a
response from the security command center.
11.) Use plenty of cameras. Surveillance cameras should be installed
around the perimeter of the building, at all entrances and exits, and
at every access point throughout the building. A combination of
motion-detection devices, low-light cameras, pan-tilt-zoom cameras and
standard fixed cameras is ideal. Footage should be digitally recorded
and stored offsite.
12.) Protect the building's machinery. Keep the mechanical area of the
building, which houses environmental systems and uninterruptible power
supplies, strictly off limits. If generators are outside, use concrete
walls to secure the area. For both areas, make sure all contractors
and repair crews are accompanied by an employee at all times.
13.) Plan for secure air handling. Make sure the heating, ventilating
and air-conditioning systems can be set to recirculate air rather than
drawing in air from the outside. This could help protect people and
equipment if there were some kind of biological or chemical attack or
heavy smoke spreading from a nearby fire. For added security, put
devices in place to monitor the air for chemical, biological or
radiological contaminant.
14.) Ensure nothing can hide in the walls and ceilings. In secure
areas of the data center, make sure internal walls run from the slab
ceiling all the way to subflooring where wiring is typically housed.
Also make sure drop-down ceilings don't provide hidden access points.
15.) Use two-factor authentication. Biometric identification is
becoming standard for access to sensitive areas of data centers, with
hand geometry or fingerprint scanners usually considered less invasive
than retinal scanning. In other areas, you may be able to get away
with less-expensive access cards.
16.) Harden the core with security layers. Anyone entering the most
secure part of the data center will have been authenticated at least
three times, including:
a. At the outer door. Don't forget you'll need a way for visitors to
buzz the front desk.
b. At the inner door. Separates visitor area from general employee
area.
c. At the entrance to the "data" part of the data center. Typically,
this is the layer that has the strictest "positive control," meaning
no piggybacking allowed. For implementation, you have two options:
(1) A floor-to-ceiling turnstile. If someone tries to sneak in behind
an authenticated user, the door gently revolves in the reverse
direction. (In case of a fire, the walls of the turnstile flatten
to allow quick egress.)
(2) A "mantrap." Provides alternate access for equipment and for
persons with disabilities. This consists of two separate doors
with an airlock in between. Only one door can be opened at a time,
and authentication is needed for both doors.
d. At the door to an individual computer processing room. This is for
the room where actual servers, mainframes or other critical IT
equipment is located. Provide access only on an as-needed basis, and
segment these rooms as much as possible in order to control and track
access.
17.) Watch the exits too. Monitor entrance and exitnot only for the
main facility but for more sensitive areas of the facility as well.
It'll help you keep track of who was where when. It also helps with
building evacuation if there's a fire.
18.) Prohibit food in the computer rooms. Provide a common area where
people can eat without getting food on computer equipment.
19.) Install visitor rest rooms. Make sure to include bathrooms for
use by visitors and delivery people who don't have access to the
secure parts of the building.
E-mail Senior Editor Sarah D. Scalet at sscalet @ cxo.com.
More information about the ISN
mailing list