Physical Access Control is Essential to Uptime

If you’ve ever made an in-person visit to your well-protected server or other device in a colocation facility or data center, then you know firsthand about security. The hand scanners, the thumbprint readers, the man-traps, the security guards, the metal cages — all the security features that make data centers feel like a secure prison. But the difference between a data center and a prison, of course, is that data centers are trying to keep people out — not in. Even so, it can feel a bit confining once you’ve passed all the security points and you’re sitting in your cage, your laptop connected to your equipment. You start wondering when the prison guard will come by with your dinner. But all of this physical protection is essential to ensure uptime or availability.

Lack of Accessibility = Uptime

It goes without saying, you must have special access to enter the bowels of a data center. You can’t just stroll in and say, “Oh, do you mind if I see my server today?” It doesn’t work that way – at least it shouldn’t! Data centers that care about security will require that their customers send and regularly update a list of those personnel who should be granted physical access to their equipment. If you’re not on the list, you don’t get in. If a vendor or contractor needs special access for a certain number of days, that can be arranged by putting them on the list temporarily. But that’s all done in advance. A point person or manager at the company is responsible for updating the list kept by data center security.

You may have millions of dollars worth of equipment in your facility, but you don’t want to advertise it to the world.

There are other important aspects to the physical security of a data center. The Datacenter Journal has posted “A Guide to Physical Security for Data Centers”. The author David Barker runs through a list of basic principles. It starts with the recommendation that a data center should have a “low-key appearance”. You may have millions of dollars worth of equipment in your facility, but you don’t want to advertise it to the world. He goes on to say that you should avoid windows and limit entry points. And you should have plenty of cameras.

At Total Uptime, we have our global presence in dozens of data centers. One of our biggest pet peeves is signage, which David addresses in his article. Facilities like CoreSite, QTS, CyrusOne and others – as impressive as they might be – will never be on our vendor radar because of this obvious and unacceptable flaw that has serious potential to impact uptime. Just search Google Images for one of these facilities and you’ll quickly find professional exterior photographs proudly bearing their logo – or target, if you will.

One interesting component of data center security is called the man-trap. Wikipedia uses the synonyms “air lock” and “access control vestibule”.  But man-traps in data centers are about restricting access, not air. The way it works is that once the security guard verifies your authority to enter, he opens the first door and you go through. Next, the first door is closed. And there you are, standing, waiting. Eventually the second door opens — but only after the first one is completely closed. Then you are free to enter the data center proper.

What’ s interesting about these man-traps are the design. Some look like small hallways. But some are much smaller and almost look like a portal where you might be dematerialized and transported up to a spaceship. One of the purposes of this design is to prevent “tailgating”. That’s where someone walks closely behind you and grabs an open door and lets themselves in. That’s less likely with a dual-door system.

Hollywood Break-Ins

Now, it may be a little interesting to consider the ways characters in Hollywood films have tried to breach some of these kinds of security barriers — particularly the biometric ones. Tom Cruise’s character in the movie Minority Report had his eyeballs surgically replaced by a black market doctor so that he could physically access a secure area using a retinal scan.  The TV hero MacGyver somehow used a thin layer of plaster dust to fake a hand print and fool an electronic hand scanner. And you’ve probably seen shows where they’ve used a severed finger (yuck!) from an authorized person to open a door.

The Uptime Institute tells us that the physical data center can be hacked — just not in the way you might think.

We should clue you in here. That’s all fiction. That stuff doesn’t really happen much. Actually we haven’t heard of such things happening at all in real life. But the Uptime Institute tells us that the physical data center can be hacked — just not in the way you might think. You can read more in their article “Hacking the Physical Data Center – Not just for Hollywood Movies”.

Since many of the controls of the data center are now accessible through the internet, clever hackers are finding ways to “break in” online. Imagine a hacker logging in somewhere remotely and turning off the data center’s air conditioning, or unlocking doors, or looking at security camera video. That’s not really physical access, but it’s the next best thing to being there and we all know that any such malicious act could severely impact uptime.

Covering All the Bases

An article from Sarah D. Scalet at CSO tells us that there is lot to physical security. It’s not just the access policy and the door security that are important. The data center itself needs to be a strong fortress. Scalet talks about building strong walls. “Foot-thick concrete is a cheap and effective barrier against the elements and explosive devices,” she says. And then she adds, “For extra security, use walls lined with Kevlar.”

All this might seem a bit much. It’s not Fort Knox, right? But when you consider the number of financial transactions and the amount of critical data running through the average data center, you realize that such information is really a treasure to be protected. Very few organizations consider application uptime to be more than redundant network components. It all starts with physical access.

What else can you do to keep people out of a data center? How about landscaping? Nice trees and boulders can obscure the building from curious eyes, according to Scalet. And gulleys can separate the property from nearby roads. Use crash barriers on drives and parking lots. Take the handles off the outside of fire exit doors. Use layered security. There are many possibilities. We like the way she thinks!

Conclusion

Data centers are not like other buildings. High availability of the equipment inside starts with high security. You can’t let just anyone in, and those who do enter should be carefully monitored. They should go to their own equipment only, and not wander around in curiosity. Access rosters should be regularly updated and policies should be strictly enforced. In real life, a data center should be so secure that not even a MacGyver could break in. The physical security of a data center is serious business.

Prevent your next outage now!

TRY IT FREE

Other articles you might like to read: