Physical security of a data center is as important as data security. Even if
you secure your data on the network completely, flaws in the physical structure
can let an attacker simply break into your data center and steal equipment
that contains critical data. Some of you might remember a well-known case of a
data center in the UK, where attackers broke through the steel fire-escape door
of the data center and stole a router before local security nabbed them. In that
case it was the alertness of employees that saved the day for the data center.
Au contraire, 'humans' are the weakest link when it comes to physical security of
data centers, and in fact a much bigger threat. The two most common threats
linked to people in data centers are social engineering and the 'unhappy
employee' or 'ex-employee.' Someone might convince or trick authorized data
center personnel into giving them access, or at times into bringing critical
data out of the facility. While technology can do little to change human
tendencies, it can certainly help you monitor employees and ensure that only
authorized personnel have access to the data center. Other than data theft,
another major physical threat to data centers comes from calamities such as
fire, thunderstorms and earthquakes, which can damage the entire data center. In
this article, we look at these critical issues and what you can do to guard
against them.
Data theft
Physical security of data centers starts right at the planning stage of the data
center. If your data center sits within the premises of the organization, a good
practice is to place it where there is little foot traffic. A data center should
also have a limited number of entry/exit points. Access criteria should be
defined properly for your employees as well as visitors: e.g. if a switch or a
router has problems and the vendor sends a router expert to have a look at it,
that expert need not be privy to your data or to the location of your various
servers. Similarly, if your data center happens to be located near a meeting
room or a canteen, a lot of outsiders might learn the location of your
company's data center through word of mouth.
Fujitsu PalmSecure
Recently, Fujitsu announced a palm vein authentication device which can operate while the palm is in motion. According to Fujitsu, this new technology takes only one millisecond to capture an image and still provides the same level of accuracy as its previous versions.
Physical access control
Access cards or swipe cards are the most common way to restrict entry to
data centers. But using access cards alone just isn't enough. They can be easily
stolen or cloned, or an attacker can simply use social engineering and convince
an authorized person to let him in. The point is that a physical token alone is
not enough to identify a person. 'Something you know' and 'something you are'
also form a critical part of the security setup. An old yet effective way to
verify a person's identity is to have two-way audio at all, or at least the
critical, entrances and exits of the data center, with security personnel
constantly monitoring every movement from a control room. When a person swipes
his access card, he must identify himself to the security personnel in the
control room over the audio link; only then should he be given permission to
enter or exit. Similarly, data centers should deploy an access control solution
that is linked with video surveillance. Biometrics comes under the 'something
you are' category and is being increasingly adopted by data centers, the most
popular form being fingerprint authentication. However, it has its own
drawbacks: an injured finger may fail to scan, and the reader can be fooled
using various techniques, for example, what if somebody cuts off the finger of
an authorized person to get access! Data centers are therefore also starting to
use retina or vein biometric authentication, which additionally checks for signs
of life in the person before granting access.
Surveillance
The importance of video surveillance in a data center or within an enterprise is
well known. Depending on the design and the criticality of the data present in
a data center, you can choose between surveillance that is clearly visible and
surveillance that is hidden. The next important factor is storage; some
organizations opt for both remote and local storage. When deploying
surveillance, make sure the cameras are placed at a reasonable distance from the
subject, which makes identification easier. Lights at the entrance and the exit
should be bright enough, or you should use cameras that can capture video at
night. There should be strict policies on how long you retain captured video, as
storage space also starts to become an issue after a while.
Piggybacking and Tailgating
Piggybacking refers to a security breach that takes place when an authorized
person uses his legitimate credentials to open a door for an unauthorized
person. Very similar to this is tailgating, in which a person slips through
undetected behind an authorized person. To fight these threats there are
anti-tailgating solutions available. Most of these solutions build an infrared
field across the door, and if more than one person tries to enter on a single
authorization, the system immediately triggers an alarm. These systems can be
integrated with visitor entry systems for when somebody is visiting a facility.
Another common way to protect against these threats is to deploy mantraps.
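The access-control and tailgating sections above describe a policy rather than a product; the following Python is an added example (not code from the article or from any vendor it mentions) that models that policy. A swipe alone never opens the door: the card must be enrolled and authorized, the person must answer the control room with something they know (a PIN, stood in for the intercom exchange), and the biometric reader must return both a matching template and a passed liveness check. A second function audits one door-open cycle from an infrared beam counter and raises a tailgating alarm when more bodies crossed than were admitted. The enrolment table, PINs, template names and sensor events are all constructed for the example; a real system would store PIN hashes, not plaintext.

```python
"""Multi-factor door admission check plus tailgating audit (added example)."""
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed enrolment data: card id -> person record. "dc_access" is the
# authorization flag for the data center door; plaintext PINs are a
# simplification for the example only.
ENROLLED = {
    "CARD-1001": {"name": "alice", "pin": "4821", "template": "tmpl-alice", "dc_access": True},
    "CARD-1002": {"name": "bob",   "pin": "7733", "template": "tmpl-bob",   "dc_access": False},
}


@dataclass
class EntryAttempt:
    card_id: str                  # something you have: the swiped card
    pin_given: Optional[str]      # something you know: answered over the intercom
    bio_template: Optional[str]   # something you are: template from the reader
    liveness_ok: bool             # reader's vein/pulse check passed


@dataclass
class Decision:
    granted: bool
    reason: str                   # logged so the control room sees why a swipe failed


def check_entry(attempt: EntryAttempt) -> Decision:
    """Every factor must pass; the first failing factor names the reason."""
    person = ENROLLED.get(attempt.card_id)
    if person is None:
        return Decision(False, "unknown card")
    if not person["dc_access"]:
        return Decision(False, "card not authorized for data center")
    # A stolen or cloned card stops here: the holder cannot answer the intercom.
    if attempt.pin_given is None or not hmac.compare_digest(attempt.pin_given, person["pin"]):
        return Decision(False, "intercom PIN mismatch")
    # Liveness is checked before the template so a lifted print or severed
    # finger is rejected even if its template would match.
    if not attempt.liveness_ok:
        return Decision(False, "biometric liveness check failed")
    if attempt.bio_template != person["template"]:
        return Decision(False, "biometric mismatch")
    return Decision(True, f"admitted {person['name']}")


def audit_door_cycle(events: List[Tuple]) -> Tuple[int, int, bool]:
    """events: ordered sensor log for one door-open cycle (constructed format).

    ('admit', card_id) is recorded when check_entry granted access; ('beam',)
    is recorded each time the infrared field across the door saw a body cross.
    Returns (admitted, crossed, alarm); alarm is True on any excess crossing.
    """
    admitted = sum(1 for e in events if e[0] == "admit")
    crossed = sum(1 for e in events if e[0] == "beam")
    return admitted, crossed, crossed > admitted


if __name__ == "__main__":
    good = EntryAttempt("CARD-1001", "4821", "tmpl-alice", True)
    cloned = EntryAttempt("CARD-1001", None, None, False)
    print(check_entry(good))
    print(check_entry(cloned))
    # Constructed cycle: one admission, two bodies through the door.
    print(audit_door_cycle([("admit", "CARD-1001"), ("beam",), ("beam",)]))
```

The order of checks matters for the audit trail: a cloned card fails at the intercom step and is logged as such, which is the signal a control room operator can act on immediately, while liveness is evaluated before template matching so that the reader never reports a "match" for a non-living sample.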
Fire detection and suppression
Fire is another threat against which a data center should prepare right from
the planning stage, as it has the power to bring down the entire data center.
Simple things like using alloys or steel instead of wood and other flammable
materials can help you limit the damage to a data center. Even if a fire breaks
out in a data center, early detection is vital. The most commonly used method
for early detection is to deploy a heat and smoke detection system alongside a
fire suppression system. A commonly used technique is air-sampling smoke
detection: these systems continuously draw air through a network of pipes and
use a laser to identify particles of combustion in the air. Other commonly used
systems include spot-type detection and linear thermal detection.
NetBotz
NetBotz is a monitoring appliance from APC which can help you protect against physical as well as environmental threats. It can integrate with various monitoring devices and sensors to provide centralized management. It supports door contacts, smoke, temperature and humidity sensors, two-way audio monitoring and video surveillance.
Coming to fire suppression systems, data centers most commonly use water-based
suppression. Of the water-based fire suppression systems, the two commonly used
today are wet-pipe and pre-action systems. In a wet-pipe system water is present
in the pipes all the time. The disadvantage of this type of system is that an
accidental discharge or a leak from the pipes can cause unwanted damage to the
equipment. In a pre-action system, on the other hand, the pipes stay dry until
the system is activated by a smoke detector. Recently, water mist systems have
also been gaining popularity. Their advantage is that they discharge fine drops
of water, so water consumption goes down compared with older water suppression
systems. Other than water suppression systems, many data centers also opt for
gas suppression systems.
Rittal CMC-TC
Rittal's CMC-TC (Computer Multi Control - Top Concept) system can monitor a wide range of parameters such as smoke, vibration, humidity, temperature and access through sensors placed in the rack as well as in the data center. All of the monitoring functions and sensors can be freely selected, so an economical, targeted monitoring application can be built up with the CMC-TC system. The processing unit (PU) with the network interface is the basis; the sensor units connect to the processing unit, which is designed to provide a central power supply for all connected sensor boxes. The detection sensors connect to the sensor unit, and that determines the function. The PU can optionally be operated by the CMC-TC Master for higher performance. The whole system is completed by a plug-and-play concept with automatic sensor detection and configuration.
Gas systems are similar to pre-action systems in that gas is discharged only
upon detection of fumes. They are well suited to locations which are sealed and
airtight. Another advantage is that these systems leave no residue behind, but
they may need to be refilled with gas after a discharge, depending on the
storage capacity. Rack-specific fire alarm units are also available and can be a
good choice for small data centers. These units can also switch off power to the
rack upon detection of fumes or smoke.
Other threats
Water leakage from burst pipes can result in damage to equipment, cabling
and floors. When it comes to water leakage detection, there are two commonly
deployed sensor types: spot detectors and zone (cable-type) detectors. Spot
detectors can sense water only at a single point and are recommended for small
facilities, while cable detectors are used in large data centers where you need
to cover the entire floor.
Sensors along the cable are placed at a fixed spacing, usually 3-4 feet, and
each such stretch is regarded as a zone. As soon as water comes into contact
with a sensor, the alarm goes off. Another common threat faced by data centers
is HVAC failure. If an HVAC unit fails, humidity and temperature can rise to
critical levels, which can damage the equipment present in the data center.
Air conditioning and power failures are the most common problems any data
center faces, which makes environmental monitoring a crucial part of physical
security.
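The fire suppression and "Other threats" sections both come down to the same control loop: sensors report, a controller maps readings to zones and thresholds, and it raises the action the text describes. The Python below is an added example of that loop, not code from the article or from the NetBotz or CMC-TC products it mentions. It evaluates a batch of constructed sensor readings: smoke arms the pre-action valve (pipes stay dry until then) and, for a rack-level unit, cuts power to that rack; a cable-type leak detector reports the distance along the cable at which water made contact, which the controller maps to a zone using the sensor spacing; temperature or humidity above a ceiling is flagged as probable HVAC failure. The zone spacing, thresholds, location names and readings are all assumptions made for the example.

```python
"""Environmental monitoring rules for a data center floor (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

ZONE_FEET = 4.0        # assumed spacing of sensors along the leak-detection cable
SMOKE_ALARM = 0.5      # assumed air-sampling detector level that counts as smoke
TEMP_MAX_C = 27.0      # assumed inlet temperature ceiling
HUMIDITY_MAX = 60.0    # assumed relative-humidity ceiling, percent
NO_CONTACT = -1.0      # constructed sentinel: leak cable reports no water contact


@dataclass
class Reading:
    sensor: str     # "smoke", "leak_cable", "temp" or "humidity"
    location: str   # rack or aisle identifier (constructed)
    value: float    # detector level / feet along cable / degrees C / percent RH


def leak_zone(feet_along_cable: float) -> int:
    """Map a cable-type detector's contact distance to a 1-based zone number.

    Each ZONE_FEET stretch of cable is one zone, so 0-3.99 ft is zone 1,
    4-7.99 ft is zone 2, and so on.
    """
    return int(feet_along_cable // ZONE_FEET) + 1


def evaluate(readings: List[Reading]) -> List[Tuple[str, str]]:
    """Return (severity, action) pairs the controller should raise, in input order."""
    actions = []
    for r in readings:
        if r.sensor == "smoke" and r.value >= SMOKE_ALARM:
            # Pre-action system: the valve only admits water once smoke is confirmed.
            actions.append(("critical", f"{r.location}: smoke detected, arm pre-action valve"))
            if r.location.startswith("rack-"):
                # Rack-level unit: isolate the rack before suppression discharges.
                actions.append(("critical", f"{r.location}: cut rack power"))
        elif r.sensor == "leak_cable" and r.value != NO_CONTACT:
            zone = leak_zone(r.value)
            actions.append(("major", f"{r.location}: water contact in zone {zone} ({r.value:.1f} ft)"))
        elif r.sensor == "temp" and r.value > TEMP_MAX_C:
            actions.append(("major", f"{r.location}: temperature {r.value:.1f} C over limit, check HVAC"))
        elif r.sensor == "humidity" and r.value > HUMIDITY_MAX:
            actions.append(("major", f"{r.location}: humidity {r.value:.1f}% over limit, check HVAC"))
    return actions


# Constructed sample batch: a smoking rack, water 7.5 ft along the floor cable,
# a hot cold-aisle with normal humidity, and a cable reporting no contact.
SAMPLE_READINGS = [
    Reading("smoke", "rack-07", 1.2),
    Reading("leak_cable", "floor-A", 7.5),
    Reading("temp", "cold-aisle-1", 29.0),
    Reading("humidity", "cold-aisle-1", 45.0),
    Reading("leak_cable", "floor-B", NO_CONTACT),
]


if __name__ == "__main__":
    for severity, action in evaluate(SAMPLE_READINGS):
        print(f"[{severity}] {action}")
```

Cutting rack power is emitted as a separate action from arming the valve so that each can be routed to its own actuator and acknowledged independently; a reading below its threshold, including the no-contact sentinel on the second cable, produces nothing, which keeps the alert list a true summary of what needs attention.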