Data centers contain valuable, sensitive and proprietary information that must be safeguarded. Cybersecurity is a major focus of data center operations, and rightly so. However, there is another side to data center security that is just as critical – physical security. While a data center should be protected from cyberattacks, it must also be protected from physical threats. According to the 2022 Cost of a Data Breach Report, researched by the Ponemon Institute and published by IBM Security, 10% of data breaches were caused by a physical security compromise, at an average cost of $3.96 million.
The best way to secure a data center is to think about it in distinct layers. Then, by using the right blend of dedicated personnel, up-to-date procedures and useful technology to complement these layers, data center providers can create a robust security posture.
In this blog, we explore the multiple layers of physical security that are needed to protect a data center facility.
People Are the Foundation of Physical Security
Physical security starts with people. A data center must be protected 24×7×365 by security personnel, patrolling externally and within the building. An experienced, well-trained and certified security team is vital.
But security is not just the responsibility of the trained security personnel – all employees working at the facility must be regularly trained on the latest security measures. CoreSite data center operations technicians receive rigorous security training and must pass a security qualification as part of their initial company training. That’s just the start of a constant process we’ve developed as part of cultivating a culture of security. All employees keep security in their mind as they conduct their everyday duties at the site. You don’t have to be a trained security guard to follow safe and secure policies.
Securing the Data Center Perimeter
Physical infrastructure is a key factor in data center security. Whenever possible, a sturdy and tall fence or wall around the perimeter of the facility should be installed. This can be augmented by crash-proof barriers, berms, landscaping designed to facilitate security and video surveillance with 24/7 monitoring. For example, CoreSite colocation facilities are secured by eight-foot perimeter fencing and 360-degree view high-resolution exterior cameras.
Controlling Access to the Data Center
Even with a secure perimeter, personnel will be entering the building frequently, and that is why access control is so important. Whenever possible, the facility should have a single entry point that is monitored 24 hours a day, employing features to prevent more than one person at a time from entering (a tactic called tailgating or piggybacking). One such feature, a mantrap, is a small, secured entry space between the exterior and interior of the building, making it more difficult for an intruder to follow behind an authorized person
An access control system is a priority. Through this system, personnel should be authenticated via an ID card or badge. Biometric scanning is also an effective option, verifying a person’s identity by physical characteristics such fingerprints or facial recognition. Visitors should only be admitted with pre-approved access requests, limited time permissions and temporary access badges. In addition, access for both staff and visitors should be limited to the specific areas required to complete their duties.
Access should be monitored and logged to help prevent incidents in real time, and to maintain accurate records of who is entering the data center, when, where and why.
Server Room Controls: Another Line of Defense
Server rooms are the heart of the data center and must be isolated from anyone who is not authorized to access them. According to an article on IBM's Security Intelligence blog, “A bad actor could enter the server room and take control of your networks by setting up remote access or downloading malware directly onto the server.”
To thwart these types of attacks, server rooms should be monitored in real time with strategically placed cameras. In addition, the access control system should alert the security team of any time someone enters, exits, holds the door open or attempts to forcibly enter.
Finally, cabinets and server cages should be locked. CoreSite offers customers the option to add card readers and biometric scanners to protect their colocated servers.
Making the Commitment to Physical Security
Compliance with procedures is the key to maintaining security standards. Regular audits and tests should be conducted to ensure the integrity of security systems and protocols.
Compliance with industry security standards adds an additional level of reliability. For example, CoreSite complies with the world’s most respected standards including ISO 27001, SOC 1 Type 2, SOC 2 Type 2, NIST 800-53, HIPAA and PCI DSS.
The bottom line is that data center physical security requires a steadfast and ongoing commitment, and a dedicated budget – and many organizations lack the resources needed to address the physical risks that data centers face.