Determining the most appropriate method of physically securing data at the rack level depends on the unique security requirements of the data center.
Physical security at the rack level: a necessity
For most data center managers, security is the number-one priority. Accordingly, from the exterior, data centers are some of the most secure facilities in the world. They may be hidden underground, or tucked away in nondescript buildings in industrial parks. The perimeter is protected by security guards, and sometimes, physical barriers that even a heavy truck could not penetrate. Only credentialed personnel may enter these facilities, which may store sensitive government data, financial information or corporate proprietary documentation.
But how secure are the actual racks of data from the numerous individuals who do have clearance to enter these buildings? Even setting aside malicious tampering, over 40 percent of data breaches are attributed to inadvertent misuse by insiders (Forrsights Security Survey, Q2 2014). So even when the grounds, lobby and individual server rooms are securely locked, the same level of access control should be extended down to the individual racks.
Methods of securing racks
In many data centers, key management is a major pain point. Over the years, the traditional lock-and-key solutions used to secure server racks have given way to alternatives such as mechanical combination locks with multiple key codes; however, keys and codes still make it hard to track and monitor who accessed what, and when. Intelligent electromechanical locks are now more widely used in data centers because they can be programmed and monitored remotely. These electronic access solutions generate digital access records that serve as the audit trail required by numerous data regulations in the financial, government and healthcare industries, which is why reliable, intelligent electronic access systems are the preferred choice of most data center managers.
How to select the right rack-level security solution
Every data center has a unique set of security requirements, and the ability to tailor electronic access solutions to a data center’s existing infrastructure is essential. With so many options and considerations, how does one determine the most appropriate and cost-effective method of physically securing the racks that store valuable information?
Being clear about why electronic locking is desired and what it is meant to accomplish helps data center managers and their suppliers select the best solution for rack-level security. The appropriate solution should only be as complex as needed to achieve the required functionality. In addition, installers should be able to retrofit new devices to integrate with existing cabinets and security systems. Lastly, any system is only as good as the electronic locks it employs, so the highest-quality electronic locks should always be specified.
The following solutions address the common scenarios that data center managers face when integrating electronic access systems at the rack level.
Scenario #1: A simple solution for adding electronic access is needed, without having to wire into an existing network.
If the main goal is to transition from mechanical locking to electronic locking, a self-contained electronic locking device that incorporates a keypad or RFID access control reader, an electronic lock and a mechanical override into a single, battery-operated unit is often the best choice.
Units like these are generally easy to install and require no software, wiring or networking, making the transition from mechanical to electronic access relatively straightforward. Once the mechanical lock has been removed, this new lock can often be retrofitted into existing panel preps without the need for any cutting or drilling that could release metal dust and damage nearby electronics. Furthermore, self-contained, gear motor-driven units are energy-efficient, produce little heat in comparison with solenoid-driven units, and take up little space – important considerations for the server cabinet, which is often already tightly packed with electronics.
Scenario #2: Rack access needs to be controlled using the same credential readers already being used elsewhere in the facility.
For data centers with serious security needs, such as those housing government or banking information, an intelligent locking system that can be integrated with the facility's pre-existing security network is critical. In this solution, high-quality intelligent locks are hardwired from each data cabinet into the building's physical access control (PAC) panel, taking advantage of the infrastructure and monitoring systems already in place. The same software that controls access at the building entrance also controls access to the server cabinet, so existing facility credentials can be used at the rack level. For instance, an RFID reader or fingerprint reader of the kind already used for building access can be wired to the cabinet's electronic locks, so that the same credentials and enrollment process cover the rack.
Integrated systems can be configured to convey very specific information about the state of the cabinet, to further enhance security. Lock status (locked or unlocked), latch status (handle up or down) and door status (open or closed) can be monitored locally or from a remote location, and correlating them is what turns status into detection: a door reported open while the lock still reports locked, for example, indicates forced or bypassed entry rather than an authorized visit. Other security-enhancing features can be wired in as well, such as a video camera or a mechanism that releases the lock for emergency venting if unusually high temperatures are detected. Additionally, the digital access records generated by electronic access solutions can be used to satisfy the audit trail requirements mandated by industry compliance regulations.
The same RFID card used to gain entry to a building can also be used to access an electronic lock installed within the server cabinet to manage security at the rack level.
Scenario #3: There is a need for a dedicated network access control system that runs separately from building access, and is used only for rack level access control.
In certain situations, a complete, independently networked access control solution that operates separately from the facility-wide system is the best fit. Such a network, designed specifically for rack-level security, comes with its own software and user interface, possibly accepting the building access credentials, and its own dedicated access control system for monitoring and tracking rack access. These independent solutions can manage multiple rack access points from a remote host computer, providing remote system configuration, access control and monitoring.
Typically, these independent networks are hard-wired, IP-based systems that also feed data center infrastructure management (DCIM) systems. Because the rack locks then depend on that network, it should be a segregated management network rather than one reachable directly from the Internet. These configurations track the parameters that matter most to data center managers for data protection, such as power integrity, temperature and security. Input from all of these sources is brought together into a single standalone system with its own monitoring apparatus. The flexibility of an independent network makes it suitable for even the most unusual requirements, allowing access control and remote monitoring at the rack level.
Scenario #4: A wireless, cloud-based solution that can be used to monitor and control access to cabinets is desired.
Wireless solutions that connect to cloud-based systems, such as Bluetooth controllers, offer a simplified way to physically secure data center cabinets and equipment. The controller is simply wired to the electronic lock, with no other discrete components, allowing the data center manager to monitor access without connecting to separate or existing security networks. If necessary, however, Bluetooth solutions can be integrated with existing building security systems to provide facility-wide monitoring and access control.
Bluetooth controllers allow individuals to use their smartphone as a "key." Time-based virtual keys are sent wirelessly to a smartphone application via a cloud-based web portal. The user opens the app to see any virtual keys they have received, along with the location and description of the locked equipment and the period during which access is allowed. Tapping the access button transmits an encrypted Bluetooth message to the reader, which releases the lock; the reader, not just the app, must enforce the key's validity window and its binding to that cabinet, since it is the reader that ultimately opens the door. Without any wiring outside the cabinet, data centers retain full control over and monitoring of access, which lowers the costs of installation and power draw.
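The time-based virtual key flow described above, as an added example that is not code from the original page or from any vendor's product. It assumes a design in which the cloud portal and the readers share a provisioned secret, the portal's HMAC over the key's claims serves as the key secret held by the phone app, and the phone proves possession by answering a fresh random challenge from the reader so the secret itself never crosses the Bluetooth link. The rack IDs, user IDs, times and secrets are constructed for the example; real products use their own proprietary protocols. What the example shows is the checks a reader must make before releasing the lock: that the key was issued by the portal and not altered, that it names this lock, that the current time falls within the validity window, and that a captured exchange cannot be replayed.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone
from typing import Tuple


def _canonical(claims: dict) -> bytes:
    """Serialize claims deterministically so portal and reader MAC identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


class Portal:
    """Cloud portal side: issues a time-bounded virtual key for one lock and one user.
    Assumes a site secret provisioned into every reader at installation (assumption)."""

    def __init__(self, site_secret: bytes):
        self.site_secret = site_secret

    def issue(self, lock_id: str, user: str, not_before: datetime, not_after: datetime) -> dict:
        claims = {
            "lock": lock_id,
            "user": user,
            "nbf": int(not_before.timestamp()),
            "exp": int(not_after.timestamp()),
            "kid": secrets.token_hex(4),  # key ID so the audit trail can name the grant
        }
        # The MAC over the claims is the key secret the phone holds; only the portal
        # (and a reader, which recomputes it) can produce it.
        key_secret = hmac.new(self.site_secret, _canonical(claims), hashlib.sha256).digest()
        return {"claims": claims, "secret": key_secret}  # delivered to the app over TLS (assumption)


class PhoneApp:
    """Smartphone app holding one virtual key; answers the reader's challenge."""

    def __init__(self, virtual_key: dict):
        self.key = virtual_key

    def respond(self, challenge: bytes) -> dict:
        # Proof of possession: MAC the reader's fresh challenge with the key secret.
        # The secret never goes over the air, so a sniffed exchange cannot be replayed.
        proof = hmac.new(self.key["secret"], challenge + _canonical(self.key["claims"]),
                         hashlib.sha256).digest()
        return {"claims": self.key["claims"], "proof": proof}


class Reader:
    """Bluetooth reader at the cabinet; verifies offline using the provisioned secret."""

    def __init__(self, lock_id: str, site_secret: bytes):
        self.lock_id = lock_id
        self.site_secret = site_secret
        self.audit = []  # (timestamp, key id, user, decision): every attempt is logged

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, challenge: bytes, msg: dict, now: datetime) -> Tuple[bool, str]:
        claims = msg["claims"]
        body = _canonical(claims)
        expected_secret = hmac.new(self.site_secret, body, hashlib.sha256).digest()
        expected_proof = hmac.new(expected_secret, challenge + body, hashlib.sha256).digest()
        t = int(now.timestamp())
        if not hmac.compare_digest(expected_proof, msg.get("proof", b"")):
            decision = "denied: key not issued by portal, altered, or response replayed"
        elif claims.get("lock") != self.lock_id:
            decision = "denied: key bound to another lock"
        elif t < claims["nbf"]:
            decision = "denied: not yet valid"
        elif t > claims["exp"]:
            decision = "denied: expired"
        else:
            decision = "unlocked"
        self.audit.append((now.isoformat(), claims.get("kid"), claims.get("user"), decision))
        return decision == "unlocked", decision


def present_key(reader: Reader, app: PhoneApp, now: datetime) -> Tuple[bool, str]:
    """One tap on the app's access button: challenge, response, decision."""
    c = reader.challenge()
    return reader.verify(c, app.respond(c), now)


def run_scenarios() -> dict:
    """Constructed scenarios (not real data): a one-hour key for rack R12."""
    site_secret = secrets.token_bytes(32)
    portal = Portal(site_secret)
    r12, r07 = Reader("R12", site_secret), Reader("R07", site_secret)
    start = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    app = PhoneApp(portal.issue("R12", "tech-4471", start, start + timedelta(hours=1)))
    results = {
        "in_window": present_key(r12, app, start + timedelta(minutes=30))[1],
        "too_early": present_key(r12, app, start - timedelta(minutes=5))[1],
        "expired": present_key(r12, app, start + timedelta(minutes=61))[1],
        "wrong_lock": present_key(r07, app, start + timedelta(minutes=30))[1],
    }
    # An eavesdropper replays a captured response against a fresh challenge.
    captured = app.respond(r12.challenge())
    results["replay"] = r12.verify(r12.challenge(), captured, start + timedelta(minutes=30))[1]
    # The phone tampers with its own claims to extend the window; the MAC no longer matches.
    tampered = {"claims": dict(app.key["claims"], exp=app.key["claims"]["exp"] + 86400),
                "secret": app.key["secret"]}
    results["tampered"] = present_key(r12, PhoneApp(tampered), start + timedelta(hours=2))[1]
    results["audit_entries"] = len(r12.audit)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Provisioning a distinct secret per reader instead of one site secret would further limit what a compromised reader could mint, at which point the explicit lock check becomes redundant but harmless. Note also that the window is enforced with the reader's own clock, so a reader whose clock can be set back cannot enforce expiry.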
To protect data integrity and meet regulatory requirements, access control and monitoring for the cabinets where data is stored are a must. Intelligent electronic access solutions are the most popular choice, providing reliable physical access control, audit trail records, and compatibility with existing facility-wide security systems and credentialing methods. A wide range of rack-level security options is available, from basic standalone units to fully IP-based networked solutions that integrate with remote access control devices and wireless, cloud-based systems. Retrofitting electronic locks to pre-existing cabinets is standard practice, but it requires planning for wiring and lock installation. In all cases, the electronic lock itself is the most critical element of the system and should be selected with the integration requirements in mind.
Source: Forrsights Security Survey, Q2 2014