SECURITY

The Other Half Of The Security Equation (Part 2)

6/14/2013 9:01:31 AM

Man traps. Some experts argue every data center should have man traps installed. Others argue they’re effective if staffed and used properly but are not necessary for every data center. Regardless, a man trap offers a low-tech method of authorizing those entering the facility, as it uses two doors separating a contained space. By only allowing one person to enter the man trap at a time, personnel can more easily authenticate every individual seeking entry.

Electronic locks and authentication. Electronic access control systems, preferably installed at every point of entry, are staples of physical data center security. Beyond, say, mandating the use of access cards, experts strongly recommend requiring that individuals provide another form of access point identification to prevent such possibilities as one employee simply passing an access card to another employee. Additional authentication can include requiring the use of a PIN or passcode and/or some form of biometric security, such as a fingerprint reader or retina scanner. Two-factor authentication is considered especially important in preventing “tailgating” or “piggybacking” incidents in which unauthorized visitors gain access by tagging along with authorized users. Those tagging along can be vendors, maintenance providers, visitors, and even employees.

Human risks. When it comes to granting permission to enter the data center, Maertz says, “you need to have 100% confidence in anyone that you give access to, as these people suddenly have access to your organization’s most vital resource: its data.” She advises granting access on an as-needed basis only. “If employee A needs access Monday through Friday, 9 a.m. to 5 p.m., only give them access during those hours. If employee B needs access 24/7/365, then grant him access at all times,” she says. Data center managers should review access policies frequently, she says. Info-Tech recommends companies review policy annually, at minimum, and on an ad hoc basis with personnel changes. “If an employee’s job description changes, change her access privileges,” Maertz says.
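A badge-log audit for the as-needed access rule above and the second-factor requirement described earlier, added here as an example and not taken from the article or from Info-Tech. The policy table, log format, badge IDs and door name are all constructed assumptions.

```python
from datetime import datetime, time

ALL_WEEK = frozenset(range(7))  # Monday=0 ... Sunday=6

# Hypothetical policy table modelled on the article's "employee A"
# (Mon-Fri, 9 a.m. to 5 p.m.) and "employee B" (access at all times).
POLICY = {
    "A": {"days": frozenset(range(5)), "hours": (time(9), time(17))},
    "B": {"days": ALL_WEEK, "hours": None},  # None = any time of day
}

# Constructed sample log: ISO timestamp, badge, door, factors presented.
SAMPLE_LOG = """\
2013-06-10T09:15:00,A,DC-MAIN,card+pin
2013-06-10T22:40:00,A,DC-MAIN,card+pin
2013-06-15T10:00:00,A,DC-MAIN,card+pin
2013-06-15T03:12:00,B,DC-MAIN,card+fingerprint
2013-06-11T11:00:00,B,DC-MAIN,card
2013-06-11T12:00:00,C,DC-MAIN,card+pin
"""

def audit(log_text, policy=POLICY):
    """Return (timestamp, badge, reason) for every entry that breaks policy."""
    findings = []
    for line in log_text.strip().splitlines():
        stamp, badge, _door, factors = line.split(",")
        when = datetime.fromisoformat(stamp)
        rule = policy.get(badge)
        if rule is None:
            # Badge was accepted by a reader but nobody granted it access.
            findings.append((stamp, badge, "no access grant on file"))
            continue
        hours = rule["hours"]
        if when.weekday() not in rule["days"]:
            findings.append((stamp, badge, "outside permitted days"))
        elif hours and not (hours[0] <= when.time() < hours[1]):
            findings.append((stamp, badge, "outside permitted hours"))
        # A card alone could have been handed to someone else.
        if len(factors.split("+")) < 2:
            findings.append((stamp, badge, "single-factor entry"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Running the same audit after every personnel change, as well as at the annual review, surfaces grants that no longer match a job description.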

Social engineering. Social engineering is another risk that essentially involves an employee being manipulated into giving out an authentication code. Maertz says it “can happen to anyone, so you need to be creative with your authentication questions.” Can you search the Web and find the authentication answer? “If so,” Maertz says, “your data is at risk.” Ultimately, she adds, “education is first and foremost. Train and educate your employees on how to detect a potential threat. Trusting employees might unwittingly give out information without giving it a second thought unless you alert them to the possibility of threats.” Suggestions for handling visitors, including vendors, maintenance personnel, and other third parties, include requiring and documenting current forms of ID, distributing temporary badges, requiring appointments or pre-arranged notice for entry, and allowing no exceptions to any established access rules.

Video surveillance. Use of video surveillance or closed-circuit cameras at all access points inside and outside of the data center rates highly with most experts. “Even with access cards and biometrics, you can’t always stop that additional employee that sneaks in with an authorized employee,” Maertz says. “The authorized employee has approval to enter the data center, but her guest does not, and this presents the opportunity for a huge security breach unless you can catch it.” Various features of surveillance systems include support for motion detection; pan, tilt, and zoom abilities; and IP-based systems that enable remote monitoring via the Internet.

Cabinets and racks. The lengths a data center goes to in securing cabinets and racks can depend heavily on the level of risk it’s willing to live with. While server cages, manual key access, card access, and biometric systems are available at this physical level, Maertz says that for Info-Tech customers, rack and cabinet-level security is rarely the norm. “Once you’ve restricted access to the data center as a whole, it becomes less essential that you restrict access at the rack level,” she says.

Training is key

Ultimately, for the physical security measures a company puts in place to work, staff members have to be knowledgeable and on board. To that end, physical security must be an ongoing, everyday concern that all data center employees participate in through awareness of security policies and procedures for executing those policies, whether it involves knowing how to respond to an intruder, verifying a visitor’s authentication, or monitoring an alarm system.
