Securing the Physical Safety of Data
In our networked and Internet-dependent world, securing personal and business data from theft, hacking and other forms of cybercrime has become an issue of paramount importance – and the world’s data centers, where data has its physical presence, are key points where multiple layers of security need to be established and sustained.
The risk factors associated with cyber crime are only accelerating:
- Database breaches and cyber crime cost the global economy over $400 billion annually, based on a 2015 industry study
- The FBI has issued a formal warning about the risks posed by disgruntled and former employees, noting several significant investigations where individuals exploited business networks and servers, stealing proprietary software, obtaining customer information and purchasing unauthorized goods and services using customer accounts
- Data from IBM Security Services shows that 55 percent of all attacks were carried out by malicious insiders or inadvertent actors (accidental events)
In addition, there are multiple regulatory and compliance requirements creating additional layers of responsibility for data center managers. There are increasing enforcement requirements of US data protection regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS) and the Federal Information Security Management Act (FISMA) that mandate organizations must limit physical access to information systems, equipment and the respective operating environments to authorized individuals.
Growth in data centers creates vulnerabilities
Two core IT trends are driving the growth of data centers: cloud computing and outsourcing. More specifically, many businesses of a wide range of sizes and industries are finding that maintaining their own enterprise-computing platforms has become time-consuming and increasingly expensive, with factors such as maintaining sufficient power (and backup), environmental cooling and implementing the latest server and router technology.
By turning to a shared data center, that infrastructure is already in place, along with commitments to 100 percent uptime. For companies that aren’t in the IT business this makes the most economic sense. The risk – and thus the data center management’s responsibility – is in making sure that each server rack containing a company’s digital assets, and their public and private networks, is as safe and secure as if it were locked inside their own building.
Current data center security practices
Data center operators make significant investments in cyber security, erecting firewalls and deploying powerful software programs to prevent electronic cybercrimes. Increasingly, they are focusing efforts and investments in controlling the physical security of electronics and telecommunications enclosures as well.
The steady, constant stream of service technicians who need access to the server racks, communications hardware, and electrical and environmental systems for maintenance, upgrade and expansion tasks presents many access control challenges for the data center manager. From a security perspective, inside personnel are just as much of a risk as outside personnel, and need to be managed and secured during their time in the facility.
Many data centers focus security efforts on access control to the grounds, the buildings and the secure areas within:
- Access to the building is often gated, with exterior physical protection elements to secure the entire site and requiring a guard to verify and document entry through the gate.
- Once an individual enters the facility, they typically sign in with a live guard and receive a credential for access to specific areas.
- In some facilities, access to a specific floor or enclosure area is further controlled by a “man trap” with two sets of doors accessed via an electronic badge, either RFID or biometric; the visitor has to be verified at each door, to prevent shadowing or tailgating, where two individuals attempt to enter on one person’s badge.
While this level of security is effective, it’s not complete: There is often minimal physical security in place to prevent unauthorized access to the cabinets that store valuable equipment and data after entering the server room.
The most common form of security control on server cabinet doors (assuming they have doors) is a mechanical key lock, using a physical key to gain access. One common risk associated with this type of basic physical rack security is duplication: While there may be hundreds of racks with key locks or key codes, there may only be a few dozen different keys or key codes for the entire center.
Tracking who accesses which server rack can also be problematic. While most server rooms have cameras mounted in the room to monitor and record activities, it can be difficult to distinguish, in a room with multiple rows of nearly identical server rows and racks, whether one individual is accessing the correct server.
Extending physical security to the rack level
The server rack is the final point of data vulnerability in the data center, so it makes sense to consider implementing the same level of sophisticated physical security and access control monitoring already established at every other level of entry in the data center. Electronic access solutions, like electronic locks and latches, offer a modular security solution designed for simple integration into Data Center Infrastructure Management (DCIM) systems and existing server rack enclosure designs. Integrating electronic access solutions at the rack level offers the maximum level of physical security, providing peace of mind for the data center operator.
Electronic Access Solutions (EAS) typically consist of four main components:
- Electromechanical lock or latch (EML) – The most critical component of any electronic access system, the EML performs the electromechanical locking or unlocking function upon receipt of a valid electronic signal and provides an output of its status to external monitoring systems.
- Access Control Device – Serves as the human interface, allowing the EML to be remotely operated through a variety of options such as digital keypads, biometrics and RFID readers.
- Remote Monitoring – Electronic access solutions have the unique ability to capture an electronic "signature" for each access attempt. This info, together with additional security and environmental data, can be output to a variety of devices from simple indicator lights to networked, software-based remote monitoring systems.
- Manual Override – In some cases, an override system is required to provide access in the event of a system power failure. This override system can be mechanical or electrical with power systems.
The key element of effective rack level electronic access systems is the use of intelligent electronic locks that restrict access through the validation of user credentials. Electronic locks can be integrated with a variety of rack level access control devices depending on the requirements of the application. These include digital keypads, RFID card readers, biometric readers and electronic key systems. A recent addition to this class of devices is Bluetooth-enabled, wireless smartphone access, where a technician receives a web-generated electronic key on their smartphone that can be used to access a specific cabinet for a specific time frame. A Bluetooth reader installed inside the cabinet can then receive this digital key and send the signal to the connected electronic lock for access. The smartphone simultaneously sends audit trail data wirelessly to the cloud for audit trail reporting.
These intelligent electronic access solutions can add an additional layer of security by networking with existing data center security systems for access control reporting. Electronic locks receive the appropriate electronic signal to operate and simultaneously provide critical lock status output signals for remotely monitoring the security of the enclosure – automatic verification that the right person accessed the right cabinet in the designated timeframe.
Most importantly, verifying credentials at the rack level can prevent costly data breaches and compliance penalties, especially for co-location centers that house cloud-computing assets and store sensitive data for multiple organizations. This trackable, electronic credentialing – step by step from the front door of the building to the rack level — makes the most sense given the current level of data security.
Integrating rack level EAS into existing data centers
One of the simplest reasons why data center cabinets and server racks continue to use standard mechanical key locks is the numbers: While data centers have relatively few access points to get into the building, there are potentially hundreds of cabinet doors that would need intelligent electronic locks – and usually two are required to accommodate the server rack.
The costs associated with outfitting these cabinets, combined with the complexity of wiring and powering all the locks and connecting them back to the data center’s building access control systems, using traditional building level security systems would be costly and time-consuming. There are also concerns in some data center operations that the process of replacing all the components could generate dust or metal particles that could damage highly expensive server electronics.
There are now complete rack level electronic access solutions available that have been engineered to be modular and easily integrated into existing data center cabinet equipment and DCIM platforms. These solutions cover a range of options and level of complexity. Depending on how the data center plans on approaching an upgrade, electronic access solutions can range from a simple self-contained digital keypad to a more advanced software-based, networked access control system. They include:
- Self-contained solutions that are generally battery-operated and offer simple, drop-in installation and programming to provide integrated access control and electronic locking in a single self-contained device. These devices provide a simplified solution to eliminate key management issues.
- Standalone solutions that offer basic plug-and-play access control without the need for software or network administration, but do not provide remote, networked monitoring and control.
- Integrated solutions that can be combined with building access control and monitoring systems to incorporate cabinet-level access control into existing security systems.
- Independent networked solutions that can be used to monitor and manage rack access across networks from a host computer for remote system configuration, access control and the monitoring of multiple access points. These systems can operate independently of existing building security systems.
Southco’s H3-EM Electronic Locking Swinghandle series supports multiple readers, providing a higher level of security and facilitating the transition to new security technologies used to manage access to keyless entry points at the equipment level.
And while there is a broad range of server cabinet designs by many different manufacturers, suppliers of electronic access solutions have refined their offerings to make mechanical to electronic lock retrofit upgrades simple and cost effective.
From a systems management perspective, the controller platforms for some rack level electronic access systems can be easily integrated into building and floor-level access control components of most DCIM systems. Many of the software hooks are already in place, and managers can essentially add the intelligent electronic locks to the existing set of access control devices already being managed.
From a physical connectivity perspective, some electronic access solutions are now being engineered to support Power over Ethernet (POE) and bus architectures. One network cable can provide the data connectivity and power for the electronic lock. These architectures can be daisy-chained, rather than running separate cables from each door to the rack access controller, to further simplify upgrades to electronic access solutions.
EAS enables “virtual cages”
Data center operators, particularly those running co-location operations with dozens or even hundreds of customers, seek to maximize return on their expensive real estate. However, certain customers needing a higher level of security, such as government agencies and healthcare operations and financial institutions require standalone physical cages separating their servers from others in the data center.
Often, this is literally done by erecting chain-link fencing and securing a gate with a padlock – which eats up valuable floor space and does not provide individual, rack level trackable access control. Electronic access solutions can be used to create “virtual cages” to protect confidential data. A customer’s server technology can be located in selected racks; using credential management, physical access to those cabinets can be granted upon the permissions given to the contractor or data center employee for any given task or assignment.
This offers a much more cost-effective solution than installing fences, and enables the data center operator to use software to change access and reuse the server cabinets if the customer leaves or shifts to another location.
Rack level EAS: the last link in data center security
The entire IT and Data Center industry must continue to apply every tool available to secure personal and corporate data and applications from identity theft, malware, hijacking and other hacking attacks. Using electronic access solutions to secure the server racks is the final component in creating a fully secure data center. Electronic access provides a truly traceable access control solution that can be integrated into existing data center security systems, providing one unified physical security system across the facility.
 “Increase in Insider Threat Cases Highlight Significant Risks to Business Networks and Proprietary Information,” US Department of Homeland Security, September 23, 2014