The physical security of many data centers in the region is put to the litmus test by this expert.
Many data centers around the world are still failing to observe numerous Threat and Vulnerability Risk Assessment (TVRA) requirements comprehensively, paying lip service to rules and regulations but failing to recognize fundamental breach points in their approaches to security.
In Asia, this is particularly crucial as business-critical data are being exposed to unique threats. First, terrorist attacks are far more common here than in Europe or North America. Second, certain countries in Asia face higher levels of economic corruption, making corporate or state espionage and the theft and sale of sensitive digital data much more likely threats.
Lastly, Asia is highly-vulnerable to floods and storms, making up 44% of all disaster events worldwide, leading to large-scale damage across multiple businesses in data center history.
So, when selecting the right data center, what should companies in Asia look for? Doing a comprehensive risk assessment of the region first ensures that any data center built will have the best possible security level and top tier facilities. From here, it is down to the eight essential layers of physical security to protect your business-critical data.
- Perimeter security
This is the first, outermost line of defense, providing protection before the visitor even enters the facility. It must be able to withstand every possible type of attack and natural disaster; that means high density, fire resistant walls, bullet proof windows and limited entry points at a minimum. It must also be ringed by CCTV – a common feature of all eight layers – and manned by extensively-trained personnel and continuously rotated in terms of their physical positions within the facility.
- Perimeter guardhouse
The second layer is the guard house at the fence. Any visitor must pre-register their visit at least 48 hours before, allowing for prior screening of every individual entering the facility. If they are bringing a car, their pre-registration must include their license plate and a pre-booked car park, otherwise they should be turned away. A two-doored ‘car trap’ designed according to TVRA standards will be in place to stop crash-through scenarios.
There should be no such thing as VIPs or special treatment when it comes to a secure data center. Even routine maintenance staff movements must be closely monitored to ensure unauthorized human access does not occur, deliberately or otherwise.
- Building entry
The third layer is the guardhouse at the entry to the data center building. Visitors should be required to answer a list of security questions and provide full identification of themselves and any parts they carry. They will then pass through metal detector and any possessions they carry will be passed through industrial x-rays. They will then go to a seated area to await their sponsor, who will subsequently escort them through the premises.
- Personal access to secure zone
When the visitor finally reaches reception, they should go into a secure area and be given an upgraded card if they have been approved.
After receiving a specific-colored card, the visitor should then be sent into a small air-locked room—the human trap—where they are weighed. The human trap uses smart technology to register every visitor and compares their weight upon departure. If they weigh more on departure, the doors will automatically lock and security guards will arrive to uncover the root cause of the discrepancy and decide whether the situation needs to be escalated.
- Lift access control
For high-rise data center buildings, visitors will move from the airlock through to the lift access control. Every visitor is only permitted to use their designated lifts. From there, their specific colored card will only give them access to certain floors. If they are not entitled to a certain floor, they will not be able to access it via the lifts, even if it is within their colour zone.
Personnel allowed near the racks must have already read the data center’s rules and regulations and undergone a certain level of training. There must be at least five days of advance warning issued before sending in a new individual to access the data racks.
- Data hall secure corridor
A no-tailgating policy is essential to enable the Network Operations Centre (NOC) to monitor every individual entering the data hall and beyond. Upon anyone’s entry, the system will immediately ping the NOC team for verification.
A secure data center should never allow visitors to follow behind the person escorting them. All data centers should abide strictly by a ‘one person, one card’ rule and make tailing impossible via smart sensors and CCTV. This is dually important as it ensures the accuracy of all visitor data which would be required in the event of an incident at the data center.
- Data center vault
There will be no escort for each visitor so that the human error an escort may potentially bring is down to zero. A secure data center will have comprehensive CCTV surveillance throughout the entire space so the NOC team can see where every visitor is at all times. At any point in time, a data center must know exactly who is in the vault, where they are and what they are doing. If there are more people in there then there should be an alert that will go off.
- Rack-level access
The final frontier is the rack, the highest security layer of all eight. Only a very specific, pre-assessed, pre-approved selection of people can reach this level. Here, the visitor will require a pin code or biometric key such as a fingerprint to obtain very controlled access.
These are things that cannot be physically stolen or appropriated. On top of this, many customers will have their own rack surveillance, which may include additional technology like face detectors, as per their specific needs. A good data center will easily facilitate the layering of additional security technology.
Beyond physical security
On top of the points above, the entire data center campus should have 24/7 onsite security personnel patrolling and site-wide 24/7 CCTV surveillance with digital recording and storage that can be used for data analytics and digital forensics. All staff working onsite should be continuously trained in security processes and all systems should be regularly tested and updated.
The data center should also have 24/7 remote monitoring, oversight and control from an offsite NOC. Any emergency that hampers data flow will be detected there, alerting cybersecurity experts to potential malware, DDoS and advanced persistent threats.
A secure data center will also have a smart backup system to engage auto lockdown in the case of an emergency. It will also maintain historical access logs and requests for future forensics.
Finally, the best data center must also be future ready and hyperscalable to stay ahead of the threat landscape and grow with its customers. They are likely to evolve into touchless operations as a result of lessons from the pandemic.
Ultimately, if a data center does not subscribe to Murphy’s Law, you should not be entrusting them with the security of your data.