Mission-Critical Safety and Security
Part 1: Data Center Security Design
Data Center Security Design
By Maryellen Lo Bosco - January 2011 - Data Centers
When it comes to data center uptime, facility managers start talking a new language. They speak of Tier 3 or Tier 4 data centers, of N+1 or 2N designs, and of the "nines." For those in the know, those terms convey important information about the availability and design redundancy of the data center. But not all data center concerns have a place in that language. Safety and security, for example, are major issues for facility managers, but how often does anyone talk about a 2N security system or bring up fire safety when the discussion turns to whether a data center needs to be up and available 99.99 percent of the time?
Nevertheless, the risks of a fire or security breach should be of constant concern to facility managers responsible for data centers. To start with, fire safety and security should be important criteria throughout the building design process. When one company builds a series of data centers, it can get into the habit of using the same design over and over again, which may be good for consistency but bad for fire safety, says Ralph Transue, senior consultant for the RJA Group. Local conditions can create greater exposure to fire from a neighbor, for example, and this may be missed if analysis is not done.
Security considerations should also pervade the design process. That starts with the perimeter, according to Jordan Ferrantelli, security consultant at Aon Security Consulting. "You want to protect the building from being rammed," he says. A retaining wall will be more aesthetically pleasing than a fence, he says, and will also provide security.
Some data centers are designed with force protection systems to minimize blast damage, says Sean Ahrens, project manager for security consulting and design services at Aon. He says that a setback could prevent vehicle access, along with cable-beam barriers that go around the perimeter of the building.
Proper location and hardening of doors are also important factors. "A $10,000 card reader that is not hardened will defeat its purpose," says Ferrantelli. Frames should be reinforced, and the facility managers and security experts should work with architects to determine the location of doors. If a building is undergoing a renovation, it will be important to harden doors and walls and limit access.
If the data center in a building is behind glass, then the glass should be reinforced. "Why put a $4,000 lock on a wall that is primarily glass?" says Ahrens. The data center should also have floor to ceiling walls, and the raised floor must end at the data center or incorporate intrusion detection. Ahrens says he has seen situations where it would be possible to gain access to the data center through either the raised floor or by popping a ceiling tile and going over through the roof.
Low-Tech Threats to High-Tech Spaces
It's a high-profile worry in the digital age: the risk that employee records, credit card information or other sensitive data will be hacked from a remote location. But an equivalent danger comes from internal and external aggressors who can gain access to data centers for the purpose of stealing information or destroying digital assets.
According to Jordan Ferrantelli, security consultant at Aon Security Consulting, under federal law, any company that keeps credit-card information can be liable for a security breach if they have not taken the necessary measures to protect their data. Such companies must not only pay out to card holders but also pay penalties to the government on a per-card basis.
"It is easier to break into a system once you are in a facility and have crossed into their logistical zone. It is easier to log in and get information," Ferrantelli says. While such break-ins may not be common, they can cost a company millions of dollars, he says.
The kind of information that is being stored will dictate, to a large degree, the kind of security that is required, says Ferrantelli. Another important question is how many people will have access to the facility and whether it is a public building or not. Of course, only a select number of people should have access to the data center.
Most data centers do not have a high volume of people coming in and out, so everyone should come in through one primary door or portal that closes behind them, says Ferrantelli.
Two major causes of data tampering are greed (financial benefit) or malice (sabotage), according to Sean Ahrens, project manager for security consulting and design services at Aon. A recent example of corporate espionage occurred in a large hospital in Chicago, in the form of identity theft, he says. As we move toward a paperless society, business and expansion plans and trade secrets, among other assets, will become more vulnerable.
Sabotage may be committed by a disgruntled employee who didn't get a raise and then spitefully introduces a virus directly onto a server, Ahrens says. "He could start a fire; maybe he disconnects the cables." It is not even necessary to destroy equipment, Ahrens says. If an intruder just cut all the cords that run from servers, a data center would be down for a while. "An intruder could get out pretty quickly and cause a lot of damage," he says.
—Maryellen Lo Bosco