Data Center Security – Can a Data Center Ever Be 100% Secure?
No data center can ever be 100% secure, but steps can be taken to bolster physical and logical security, and take precautions taken to mitigate human error.
No matter where a data center is located – in a bunker under a mountain or in the middle of a busy urban hub – security is critical. And there are concrete steps that should always be taken to ensure client data and IT infrastructure are as secure as possible.
Types of Security
Every company strives to ensure that its network and data are secure. And data centers need to do everything they can to support these efforts on the part of their tenants. There are two additional dimensions of security that data center operators in particular need to lock down: physical security and logical security.
Physical security refers to the protection of the actual premises, ensuring no one enters the facility that isn’t supposed to, and includes protecting all assets from physical damage, be it caused by natural disasters, corporate espionage or terrorist attacks.
Logical security ensures that only authorized individuals are able to access information or take actions in a network or a workstation. Not everyone who is authorized to be inside the data center should have the same level of access to information and systems. Logical security focuses on controlling and managing that access.
First and foremost, the physical security of a data center should be layered. This means having multiple levels of protection that a malicious actor would have to breach in order to successfully cause any damage. Some layers are simple, such as a secure fence around the facility. Others are quite complex, such as biometric scanners. Adding to the deterrent effect, each layer should serve as an authentication checkpoint, requiring an authorized individual to produce different forms of credentials in order to pass through.
Security also requires monitoring and surveillance. Security cameras should be installed throughout the building in a way that consistently captures the activity of all occupants and visitors while on the property. Access points should have some form of turnstile to prevent “tailgating,” the act of following a badged individual through access-controlled doors without following proper registration and authorization procedures. Visitors need to sign in and show government-issued photo I.D. as they enter the building. Visitors should also receive visitor badges, which must remain visible at all times. Finally, visitors should never be allowed in “meet-me rooms” unless escorted by authorized personnel.
It’s far more likely that a security threat to the data center will come from an employee who is authorized to be there, rather than from an outside malicious actor. Insider threats are far more difficult to combat, because insiders have access to sensitive information and often know exactly how the information is protected. Even if no one on the inside has ill intent, insiders are still a considerable security risk because security breaches are often unintentional and the result of human error. An employee could open an email containing malware, attach the wrong file to an email, accidentally share something on social media they are not supposed to, lose a device or USB drive, or any number of accidental things that compromise security.
Logical security is crucial for protecting against insider threats, intentional or not. Passwords and user profiles are absolutely necessary when it comes to restricting access to key systems and servers. Detailed access lists – lists of permissions to control who is allowed contact with what type of asset or information – should be kept on all employees and clients. Assets can include buildings and/or rooms within them, physical machines and servers, or sensitive files and data.
Access is granted based on a person’s role within an organization, certification with certain technologies, security clearance, or a combination of these. However, access lists are only as good as their most recent update. Access lists must be continually refined and updated, and electronic access solutions that generate digital signatures should be used for controlling and monitoring access time and tracking for audit trail purposes. These records can be especially valuable for monitoring potential security threats.
Employees should also undergo regular security training. Every employee should be aware of procedures and policies regarding devices, network access, and best security practices. By proactively training employees in security protocols and best practices, organizations can seriously mitigate security risks from both outsider and insider threats.
As Secure As Possible
No data center can never be 100% secure. Even without any malicious intent, humans make mistakes (even if they work in a bunker under a mountain). That being said, the proper combination of physical and logical security will make it very difficult for the wrong people to access your data center and the sensitive information it contains. It will also serve to mitigate human error to the best extent possible.
Netrality is not only responsible for protecting our own property, but also the physical property of our clients. We therefore require that all visitors, including employees, guests, contractors, and vendors adhere to these rules and standards while performing any work or associated activities on the premises. At Netrality, in addition to supporting the security measures undertaken by our tenants and customers, we are committed to ensuring the highest degree of physical access control at our data centers. For more information about Netrality’s secure colocation data centers, contact us.