Planning Data Center Renovations With an Eye on Security
By Robert Klinedinst - May 2006 - Security
What do the words “major renovation” call to mind? A refurbished building façade? A chance to get rid of ancient chillers and boilers in a facility? A gala ribbon-cutting?
In too many cases, security is one thing that doesn’t come to mind at the start of a project. That’s unfortunate because addressing security early in renovation or expansion planning is critical for deploying an effective strategy. Security measures and building systems that were designed a decade or more ago to provide maximum security generally are vulnerable. It is much easier to design a secure facility with intimate knowledge of the comings and goings of staff and visitors and interdepartmental workflows. That way it is possible to establish security zones and design accordingly.
Building occupants, especially security personnel, should be included early in the programming process. Occupants understand what happens in the facility and can identify the most important issues. They know what works and what doesn’t in the existing facility. Occupants come from varied backgrounds, experiences and facilities. Everyone interviewed can share their insights and any lessons they learned at other locations. The result is a much more secure solution for the facility being renovated.
Addressing security early is particularly important when the renovation or expansion will involve a data center. Data centers are the heart of many operations today. Large sums of money are spent every year on security staff, monitoring systems and backup power systems to protect data centers and their contents. Concerns, from protecting customers’ personal information to preparing for terrorist attacks, have led to more emphasis on security in renovation and new construction involving data centers.
While much is done to protect data centers, whether stand-alone or within an existing building, from power outages and other incidents, often it is the smaller incidents that make a facility vulnerable. For example, in a recent project for an addition to a data center, the design team discovered that delivery persons and visitors were able to access areas deep into the building near the secure zone. Clearly, thoughtful space and site design can greatly enhance security.
A systematic approach can establish a security zone hierarchy. In a typical building, public spaces are differentiated from private spaces. Identifying security zones within a building takes that idea one step further. The zoning classifications may include public areas, semi-public areas, sensitive areas and highly protected areas. As each space is categorized, it becomes possible to see how spaces might be grouped together. The result is one or more zoning diagrams for the facility.
Delivery people, couriers, cleaning staff, vendors, consultants, and family and friends of workers all need to be cleared by security personnel before they gain access to the facility. But often, once they sign in and clear the security area, they can get fairly close to sensitive areas.
A better approach is to identify all of the spaces to which these visitors typically need access. The spaces can then be grouped in one area of the building, making them easier to monitor. Conference rooms that are used by consultants and vendors, vending areas that are constantly visited by resupply people and restrooms that are used by any visitors can all be located together in a public zone away from secure areas.
A data center receives numerous deliveries, which may come through mail carriers, private couriers and delivery trucks of private vendors. The result is vulnerability — different people using various entry points to access a building. This was identified as a problem during the programming phase of the data center project. Some deliveries were made directly adjacent to sensitive areas in the data center. The problem was addressed by creating one central delivery area with an adjacent security office where all deliveries enter the building.
Another kind of space to which visitors need access is the bathroom. In the existing facility, all the toilets were located in one area deep in the building. It was not supervised by any security personnel and was right next to one of the most secure spaces in the building. To solve this problem, public toilets were installed within a public zone and other toilets were placed in more secure areas for employees. Although this added square footage and cost to the project, it produced a more secure facility.
An important factor in many interior building designs is adjacencies — making sure that departments that interact frequently are located near each other. Over time, changes in the business often disrupt the original plan for adjacencies, as departments are relocated into available space without consideration of adjacent functions. As a result, groups unrelated to data center operations wind up located near the data center space, creating the potential for security breaches. On this project, one group did not need to be located in the facility — a fact that became obvious only when adjacencies were examined by those establishing security zones.
There are many examples of ways that the final design benefited from an early focus on security. For example, establishing security zones during the design process minimized the number of staffed security check points and the number of security cameras. The result was better security and reduced costs.
During the programming meetings, decisions had to be made about which spaces needed exterior windows to improve security. Some of the security checkpoints within the building had no exterior windows. As a result, additional security cameras were needed. Locating the security stations adjacent to building entrances and providing exterior windows gave security staff better visual control over both internal and external areas.
Well-designed circulation paths through and between different areas can improve security. A facility design that minimizes the total length of all interior circulation, avoids dead-end corridors and blind hallways, and provides a simple layout versus a circuitous network of corridors is much easier to monitor. In addition, it is also more efficient and less costly to operate.
It can be problematic to have a corridor run along the edge of two areas with different security classifications. Interior windows provide visual access into secure areas, doors can be propped open, and dirt and dust from a public area can contaminate a sensitive and highly secure environment. As a result, the expanded data center was laid out so that there were no such corridors that could jeopardize secure spaces. The only penetration between areas of different security levels is doorways.
It is important to understand all of the processes or flows that take place within a building. In the data center, the design process included a series of interviews with building users, a facility and program analysis, and working discussions. As a result, 12 different processes that occur in the building were identified and mapped. Whether it involved the flow of data, people or paper, each step was studied and analyzed. Although this study is not typical of the architectural programming process, it was crucial for developing a security strategy for the building. It also identified places for improvement that will result in reduced operating costs and higher productivity.
Inside and out
Spaces along the exterior of a building are more vulnerable to people and vehicles than those deep in the center. The features of the exterior wall, such as amount and type of glazing and the durability of the wall and veneer material, must be carefully considered during the design phase. In this project, offices with lower security needs were located along the perimeter to take advantage of natural light, while the more secure data center spaces were set in the middle of the building, which also facilitates humidification control.
Because the company is growing, the data center was strategically designed with expansion in mind. As a result, one end of the secure data center is close to an exterior wall. The material used for the walls in this area and the layout of the site were planned to minimize vulnerability along this side of the building.
HVAC and plumbing needs should also be considered early in the programming phase. Data centers have computer equipment that is very sensitive to dirt and airborne dust. Isolating these sensitive areas from any entry point in the building, such as vestibules and loading docks, provides a more secure environment. Water can also have a devastating effect on core areas and equipment in a data center. Leaking pipes or an overflowing toilet can be disastrous. It is prudent to locate space that has plumbing requirements as far away as possible.
Providing additional security has its costs. While the process arguably resulted in a building that uses space more efficiently, some spaces had to be added, even though that meant more square feet. Toilet rooms were added so that visitors wouldn’t have to go into secure areas. Testing spaces were added so that equipment could be unpacked and tested without jeopardizing the more secure environment in the core of the data center. And storage space was added to allow paper to acclimate to the environment in the printing center. Separate HVAC systems for the different security areas and backup electrical power systems added a considerable amount of cost to the project. However, the added costs for redundancy and backup systems were justified when compared to the potential lost business if the data center was offline.
The cost-benefit debate is an ongoing one in this type of building. How much redundancy and how much security is adequate? Although security is important, the added cost can raise eyebrows. Security recommendations that improve overall business efficiency can help convince skeptics that the money is well spent. Proper programming can minimize the cost of a building that is secure and easy to supervise.
Security planning checklist
Security questions that should be asked in the earliest stages of planning include the following:
Early Plan is security gain
Thoughtful space and site design enables sensitive and highly protected areas to be separated from areas that will be accessible to delivery people, cleaning staff, vendors and others.
Robert Klinedinst Jr., AIA, is a principal with Harriman Associates.