Dr Graeme Creasy, UK Director of Operations, Interxion, discusses physical data centre security – and the measures needed to keep data safe.
Every few months we hear about a new data security breach occurring somewhere. Data is now one of the world’s most valuable commodities – it is quite literally worth its weight in gold.
Indeed, in March 2011 the Ponemon Institute revealed that the cost of a data breach had risen for the third consecutive year, costing UK organisations £1.9 million or £71 per record: a 13 per cent rise on the previous year. It is becoming more important than ever to ensure the security of data, and customers need to be particular about who they trust.
When it comes to data security, many people consider virtual measures before physical security. However, physical security is just as important, and forms a central part of any data centre security programme. When I take a client for a tour around one of our data centres, they are often surprised at the level of security measures in place – and that’s before they have even set foot inside. However, these checks are also reassuring. Modern data centres should be designed with the following layers of physical security at the very least: perimeter security at the entrance, mantraps into the data centre, access systems into the rooms, secure, locked cabinets, and biometrics where required. No one should enter or leave the premises without proof of identity, and all visitors should be checked against customer-defined access lists before being allowed to enter.
CCTV also plays a big part in the physical security of a data centre. A CCTV system which covers all parts of the data centre, from the perimeter to individual servers, is imperative, and should be coupled with security guards patrolling the data centre on a 24/7 basis. It is this human element that provides the ‘watchful eyes’ of security. Once inside, all server racks should be locked, with keys held only by the client and the service provider. This means that the service provider’s engineers can only physically access the servers when the client’s representative is there, ensuring complete peace of mind for the customer.
Biometrics are a common part of the data centre security infrastructure, as it is crucial to have control over who enters the facility. A biometric system scans the fingerprints, or iris, of the person trying to enter the data centre – an area of technology which has rapidly evolved over the past few years. There are now very sophisticated, highly accurate biometric security systems available which will provide peace of mind. Any unauthorised access attempts result in the individual being unable to pass through the data centre’s mantrap. A mantrap has two sets of interlocking doors, and identification, preferably biometric, is required to access the site through them. If the biometric system activates the security alarm, then all doors will lock, restricting the individual from accessing the site.
Data centre providers should also consider ISO certification, in order to give customers peace of mind. ISO27001 is one of the most rigorous international standards for system and physical security processes. The audit and certification process focuses on every aspect of the business, including physical infrastructure, site security and access management, personnel capabilities, communications and operations, legal compliance criteria, and back-up and disaster recovery systems. The standard was developed to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.
No doubt as technology progresses, biometrics become more sophisticated and CCTV improves in both quality and capability, physical data centre security will evolve. Yet it will always remain true that in order to be truly secure, data centres should use a comprehensive combination of mantraps, CCTV and biometric scanning, and security guards to keep data safe. A data centre has a huge commitment to ensuring that the data it houses is secure. Data centre providers need to be skilful at demonstrating to their customers just how secure their data is, just as customers need to be confident that their data will never be compromised.