
Data Security Isn't Enough, Let's Get Physical

PCQ Bureau

Physical security of a data center is as important as data security. Even if you secure your data on the network completely, flaws in its physical structure can let an attacker simply break into your data center and steal equipment that contains critical data. Some of you might remember a popular case of a data center in the UK, where attackers broke through the fire escape steel door of the data center and stole a router before local security nabbed them. In this case it was the alertness of employees that saved the day for the data center. Au contraire, 'humans' are the weakest link when it comes to physical security of data centers, in fact a much bigger threat! The two most common threats linked to people in data centers are social engineering and the notion of the 'unhappy employee' or 'ex-employee.' Someone might convince or trick authorized data center personnel into giving them access, or at times into getting critical data out of the facility for them. While technology can do little to change human tendency, it can certainly help you in monitoring employees and ensuring that only authorized personnel have access to the data center. Other than data theft, another major physical threat to data centers comes from calamities such as fire, thunderstorms, earthquakes, etc., which might damage the entire data center. In this article, we look at such critical issues and what you can do to guard against them.


Data theft

Physical security of data centers starts right from the planning of the data center. If your data center is within the premises of the organization, a good practice is to place it where there is less movement of people. A data center should also have limited entry/exit points. Access criteria should be defined properly for your employees as well as visitors; e.g., if a switch or a router is having problems and the vendor decides to send a router expert to have a look at it, then he need not be privy to your data and the location of various servers. Similarly, if the location of your data center happens to be near a meeting room or a canteen, a lot of outsiders might find out the location of your company's data center (through word of mouth).

Fujitsu PalmSecure

Recently, Fujitsu announced a palm vein authentication device which can operate with the palm in motion. According to Fujitsu, this new technology takes only one millisecond to capture an image and can still provide the same level of accuracy as its previous versions.




Physical access control

Access cards or swipe cards are the most common way to restrict entry to data centers. But using access cards alone just isn't enough. They can be easily stolen or cloned, or an attacker can simply use social engineering and convince authorized personnel to let him in. The point is that a physical token alone is not enough to identify a person. 'Something you know' and 'something you are' also form a critical part of the security setup. An old yet effective way to verify a person's identity is to have two-way audio at all, or at least at critical, entrances and exits of the data center, with security personnel constantly monitoring every movement from a control room. When a person swipes his access card, he needs to identify himself to the security personnel in the control room through the audio, and only then should he be given permission to enter or exit. Similarly, data centers should deploy an access control solution which is linked with video surveillance. Biometrics comes under the 'something you are' category and is being increasingly adopted by data centers, the most popular form being fingerprint authentication. However, it has its own drawbacks: what if a finger gets injured, or the reader is fooled using various techniques; for e.g., what if somebody cuts off the finger of an authorized person to get access! Data centers are also starting to use retina or vein biometric authentication, which also checks for signs of life in the person when granting access.

Surveillance

The importance of video surveillance in a data center or within an enterprise is well known. Depending upon the design and the criticality of data present in a data center, you can choose surveillance ranging from cameras that are easily visible to ones that are hidden. The next important factor is storage; some organizations opt for both remote as well as local storage. When deploying surveillance, make sure that cameras are placed at a reasonable distance from the subject, which makes for easier identification. Lights at the entrance and the exit should be bright enough, or you should use cameras which can capture video at night. There should be strict policies around how long you should retain captured video, as storage space also starts to become an issue after a while.

Piggybacking and Tailgating

Piggybacking refers to a security breach that takes place when authorized personnel use their legitimate credentials to open a door for an unauthorized person. Very similar to this is tailgating, in which a person slips through undetected behind authorized personnel. To fight these threats, anti-tailgating solutions are available. Most of these solutions build an infrared field across the door, and in case more than one person tries to enter, it immediately triggers an alarm. These systems can be integrated with visitor entry systems for when somebody is visiting a facility. Another common way to protect against these threats is to deploy mantraps.
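The detection logic behind such an anti-tailgating system, as an added example that is not from the article or any vendor's product: each door cycle (open to close) is compared against the card swipes that authorized it and the number of times the infrared field across the door was crossed. The event format, the 10-second swipe window and the sample event stream are constructed assumptions.

```python
"""Added example, not from the article: correlate card swipes with an
infrared beam counter across a door and flag cycles where more people
crossed than were authorized. Event format, window and sample are assumed."""
from dataclasses import dataclass

SWIPE_WINDOW = 10  # seconds a swipe stays valid before the door opens (assumed)


@dataclass
class Event:
    ts: int         # seconds since start of the log (constructed)
    kind: str       # "swipe", "door_open", "beam_break" or "door_close"
    card: str = ""  # card id, only for "swipe"


def analyze_door_cycles(events):
    """Group events into door cycles (open..close) and compare IR beam
    crossings with distinct valid swipes.
    Returns a list of (open_ts, swipes, crossings, verdict) tuples."""
    results, recent_swipes, cycle = [], [], None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "swipe":
            (recent_swipes if cycle is None else cycle["swipes"]).append(ev)
        elif ev.kind == "door_open":
            # only swipes shortly before the open authorize this cycle
            valid = [s for s in recent_swipes if ev.ts - s.ts <= SWIPE_WINDOW]
            cycle = {"open_ts": ev.ts, "swipes": valid, "crossings": 0}
            recent_swipes = []
        elif ev.kind == "beam_break" and cycle is not None:
            cycle["crossings"] += 1  # one person passed through the IR field
        elif ev.kind == "door_close" and cycle is not None:
            n_swipes = len({s.card for s in cycle["swipes"]})
            n_cross = cycle["crossings"]
            if n_swipes == 0 and n_cross > 0:
                verdict = "door_forced_or_propped"  # nobody swiped at all
            elif n_cross > n_swipes:
                # the sensor cannot tell a held door from a slip-through,
                # so piggybacking and tailgating raise the same alarm
                verdict = "tailgating_alarm"
            else:
                verdict = "ok"
            results.append((cycle["open_ts"], n_swipes, n_cross, verdict))
            cycle = None
    return results


SAMPLE_EVENTS = [  # constructed: a clean entry, a tailgate, a propped door
    Event(0, "swipe", "card-1001"), Event(1, "door_open"), Event(2, "beam_break"),
    Event(4, "door_close"),
    Event(10, "swipe", "card-1002"), Event(11, "door_open"), Event(12, "beam_break"),
    Event(13, "beam_break"), Event(15, "door_close"),
    Event(20, "door_open"), Event(21, "beam_break"), Event(23, "door_close"),
]
```

Running `analyze_door_cycles(SAMPLE_EVENTS)` reports the second cycle as a tailgating alarm and the third as a door opened without any swipe.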


Fire detection and suppression

Fire is another threat against which a data center should prepare right from the planning stage, as it has the power to bring down the entire data center. Simple things like using alloys or steel instead of wood and other flammable material can help you limit damage to a data center. Even if a fire breaks out in a data center, its early detection is vital. For early detection, the most commonly used method is to deploy a heat and smoke detection system along with a fire suppression system. A commonly used technique is air sampling smoke detection. These systems continuously draw air through a network of pipes and use a laser to identify the presence of particles of combustion in the air. Other commonly used systems include spot type detection and linear thermal detection.

NetBotz

NetBotz is a monitoring appliance from APC which can help you protect against physical as well as environmental threats. It can integrate with various monitoring devices and sensors to provide centralized management. It has support for door contact, smoke, temperature, humidity, two-way audio monitoring and video surveillance.

Coming to fire suppression systems, data centers most commonly use water based suppression systems. Among water based fire suppression systems, the two commonly used types nowadays are wet pipe and pre-action. In a wet pipe suppression system, water is present in the pipes all the time. The disadvantage of this type of system is that if there is an accidental discharge or leakage from the pipes, it can cause unwanted damage to the equipment. On the other hand, in a pre-action system the pipes are dry until the system is activated by a smoke detector. Recently, water mist systems are also gaining popularity. The advantage of these systems is that they discharge fine drops of water, which means water consumption goes down as compared to older water suppression systems. Other than water suppression systems, many data centers also go for gas suppression systems.


CMC-TC

Rittal's CMC-TC (Computer Multi Control - Top Concept) system can monitor a wide range of parameters such as smoke, vibration, humidity, temperature and access through sensors placed in the rack as well as in the data center. All of the monitoring functions and sensors can be freely selected, so an economical, target-oriented monitoring application can be built up with the CMC-TC system. The Processing Unit (PU) with the network interface is the basis; sensor units are connected to the processing unit, which also provides a central power supply for all connected sensor boxes. The detection sensors are connected to the sensor unit, and this defines the function. The PU can optionally be operated by the CMC-TC Master for higher performance. The whole system is completed by a plug & play concept with automatic sensor detection and configuration.

Gas suppression systems are similar to pre-action systems, and gas is discharged only upon detection of fumes. These systems are well suited for locations which are sealed and airtight. Another advantage is that these systems do not leave any residue behind, but they might need to be refilled with gas after discharge, depending upon their storage capacity. Rack specific fire alarm units are also available, which can be a good choice for small data centers. These units can also switch off power to the rack upon detection of fumes or smoke.

Other threats

Water leakage from burst pipes can result in damage to equipment, cabling and floors. When it comes to water leakage detection, there are two commonly deployed sensor types: spot detectors and zone or cable type detectors. Spot detectors can sense water only at a single point and are recommended for small facilities, while cable detectors are used in large data centers where you need to cover the entire floor. Sensors on the cable are placed at a particular distance, usually 3-4 feet apart, which is regarded as their zone. As soon as water comes in contact with the sensors, alarms go off. Another common threat faced by data centers is HVAC failure. If an HVAC unit fails, it can result in humidity and temperature rising to critical levels, which can cause damage to equipment present in the data center. Air conditioning and power failure are also the most common problems any data center faces, which makes environment monitoring a crucial part of physical security.
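To show what the environment monitoring described above actually evaluates, here is an added example (not from the article or any vendor's appliance) that runs a constructed stream of readings against absolute limits, flags a steady temperature climb as a suspected HVAC failure before the limit is reached, and maps a leak detected along a sensing cable to its zone. The thresholds, the 3.5 ft zone spacing and the sample readings are assumptions.

```python
"""Added example, not from the article: evaluate environment sensor
readings for temperature, humidity, HVAC failure and water leak location.
Limits, cable zone spacing and the sample readings are assumed values."""
TEMP_MAX_C = 27.0        # assumed critical inlet temperature
HUMIDITY_MAX = 60.0      # assumed critical relative humidity (%)
TEMP_RISE_PER_MIN = 1.0  # climb rate that suggests HVAC failure (assumed)
CABLE_ZONE_FT = 3.5      # sensor spacing on the leak cable, 3-4 ft per article


def leak_zone(distance_ft):
    """Map the distance along the sensing cable at which water was detected
    to its 0-based zone number, so staff know where on the floor to look."""
    return int(distance_ft // CABLE_ZONE_FT)


def evaluate(readings):
    """readings: list of dicts with keys minute, temp_c, humidity and an
    optional leak_ft (distance along the cable). Returns (minute, alarm)."""
    alarms, window = [], []
    for r in readings:
        m = r["minute"]
        if r["temp_c"] > TEMP_MAX_C:
            alarms.append((m, "temperature_critical"))
        if r["humidity"] > HUMIDITY_MAX:
            alarms.append((m, "humidity_critical"))
        window = (window + [r])[-3:]  # keep the last three samples
        if len(window) == 3:
            temps = [w["temp_c"] for w in window]
            elapsed = window[-1]["minute"] - window[0]["minute"]
            # a steady climb across several samples points at HVAC failure
            # well before any absolute limit is crossed
            if (temps[0] < temps[1] < temps[2]
                    and temps[2] - temps[0] >= TEMP_RISE_PER_MIN * elapsed):
                alarms.append((m, "hvac_failure_suspected"))
        if r.get("leak_ft") is not None:
            alarms.append((m, f"water_leak_zone_{leak_zone(r['leak_ft'])}"))
    return alarms


SAMPLE_READINGS = [  # constructed: cooling stops around minute 3, leak at 6
    {"minute": 0, "temp_c": 22.0, "humidity": 45.0},
    {"minute": 1, "temp_c": 22.1, "humidity": 45.0},
    {"minute": 2, "temp_c": 22.3, "humidity": 45.0},
    {"minute": 3, "temp_c": 23.5, "humidity": 46.0},
    {"minute": 4, "temp_c": 24.8, "humidity": 48.0},
    {"minute": 5, "temp_c": 26.1, "humidity": 52.0},
    {"minute": 6, "temp_c": 27.4, "humidity": 61.0, "leak_ft": 10.0},
]
```

With the sample stream, `evaluate(SAMPLE_READINGS)` raises the HVAC suspicion at minute 4, two minutes before the temperature and humidity limits are crossed at minute 6, where the leak is also placed in zone 2.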
