Here are some other areas to focus on to ensure that a data center is secure.
• Look for vulnerabilities beyond the data center's property line. If a telephone cabinet near a busy intersection is instrumental to a facility data center's operation, then it is important to "harden that infrastructure" with a barrier. Moving toward the building, "fiber optic cable comes from the ground and can be easily identified," says Ahrens. Someone who wanted to do damage need not even enter the building, he says, so those cables need to be secured or hidden.
• Consider the use of "compartmentalization" to protect assets. Compartmentalization involves different levels of access throughout the facility, says Ferrantelli. Check points begin at the entrance and progress through offices, control rooms, corridors, and so forth. An intruder would have to successfully breach a number of "zones" to get to the target area.
Compartmentalization deters some people entirely, and even a determined aggressor is delayed, says Ahrens. That's good news from a security perspective. "The longer it takes an aggressor to get in, the more easily you can detect that person," Ferrantelli says.
• Make sure everyone is vigilant. It is important for front-line security people to be alert to preventing unauthorized personnel from entering the building. Enhanced security awareness involves not only checking identification at the building's portal, but also doing patrols, including video patrols, and questioning people and asking for identification if they are found in the halls or other areas of the building.
"Security and staff have to be trained to recognize and challenge people," Ferrantelli says. "If they see someone who doesn't look right, they must ask for a badge or alert security.
Non-security personnel are an important deterrent as well. Ahrens has tested revolving doors that made a loud noise when he, an unauthorized employee, went through, but no one challenged him. "They did not contact security because I was just someone who ‘forgot his card,'" he says. Ahrens emphasized that employees need to be trained to pick up the phone and tell security that someone they did not recognize went through a door, or to put it more simply, "if you see something say something."
One reason vigilance is important is that potential intruders can use many methods to gain entry. "Social engineering" — or using a pretext to get into a building or relying on people's innocence or reluctance to show suspicion toward a stranger — is the first weapon in an intruder's toolkit. In testing a building's security, Ahrens and his team once claimed that they were with "internal audit" and got access to the data center without even showing identification. "Being friendly and sociable and looking like we belonged got us access to the main telecommunications room," he says.
Another tactic an intruder might use is "tailgaiting," which involves opening a door for an employee and following him or her in or coming in behind someone through a revolving door. A data center can prevent such break-ins with a turnstyle that senses two people and backs the second person out, says Ahrens. At the same time, it is important to secure loading docks or outside doors.
• Make effective use of technology. With regard to gaining access to the inner area of a data center, facility managers must ensure that they use "robust credentialing," says Ahrens. This can include access control cards with pin numbers, biometrics, and video systems that document everything. Moreover, 12-foot-high cameras "simply identify people who need Rogaine," Ahrens jokes. "Bring the cameras down to 8 feet so they are right in your face. They need to be direct and obtrusive," he says.
Security guards also need to be properly trained on security technology and how to use the security functions that are available. This is a problem because of the high turnover rate among security personnel because they often make only minimum wage or a little higher. Ferrantelli recommends offering better salaries and benefits and showing employees that they are valued.
• Pay attention to people. While employees that work for an organization's data center are subject to background checks, outsourced IT personnel may not have been investigated, says Ahrens, and that is an area facility managers can overlook. It's also important to remember that employees may be approached for access to a file or a piece of a file in exchange for money. "There is no better predictor of future behavior than looking at past behavior," says Ahrens, which can be done through credit monitoring, drug tests, and background investigations. It is also wise to fairly compensate employees for the work they do.
Once a break-in or incident is detected, security people in data centers, like those in any other type of facility, must notify the police immediately, and policy and procedures should be in place which govern their actions before the police arrive. This includes ensuring that nobody leaves the facility, that no one tampers with evidence, and that all possible information is made ready for the police, says Ferrantelli. An emergency plan in the event of a break-in also includes an overview of computer systems to assess damage or to validate that nothing foreign was introduced, says Ahrens.
Data Center Security Design
Common Security Risks for Data Centers
Fire Safety and Prevention in Data Centers