What are Data Center physical security controls?

 As we saw earlier that a Data Center is a highly secured place where lots of high end servers, switches and other IT devices are deployed to process, store and send large amount of digital data to outside world, hence physical security of a Data Center premises is of high importance. Any unwanted physical intrusion can bring down the whole Data Center or part of its services. So, how a Data Center infrastructure is secured physically at multiple layers.

It all starts with choosing a secured location for the building of the Data Center. Location chosen should not be in seismic zone and preferably away from much of air pollution hence better away from high traffic areas or factories producing lots of smoke and harmful gases. Polluted air is a risk for high end IT equipment running 24 X 7. 

Within building the Data Center room/hall should be at such a place that any one entering the building has to pass through manned security guard for physical verification. It should not happen that some visitor has parked his/her vehicle in building basement and took the elevator and directly reached at Data Center door, without intervention of physical security at building's main entrance.

No name plate on Data Center entry door is preferred as any visitor passing by that room will easily know that where is the Data Center entrance. The entry doors of all rooms in the building should look similar to avoid any chance of doubt to come in any visitor's mind that any particular room is somewhat critical unless he is escorted by any authorized person inside Data Center for some official purpose.

If any outside visitor is approved to visit inside Data Center for any official purpose, his/her identity shall be verified by any of the government issued identity card before allowing to enter inside Data Center with authorized personnel. Another check can be applied by verifying visitor's mobile number by OTP sent by system at reception. 

Next comes a solid concrete wall which makes a large room/hall for the Data Center. Walls should always be opaque preferably concrete, no glass partitions are preferred which allows any passer by to peep inside the room. There are preferably two doors in the room. One is for normal entry and exit and the other door is for emergency exit only. Such emergencies can be any fire incident inside data center or building or earth quake like situation etc., where human life is on threat.

The entry door is secured by manned security guard to verify correct person to be allowed. Security guard also has to scan every one via a metal detector to check if any unwanted material, arms or explosives, USB drives, external hard drives etc are not taken inside the Data Center by any person. Only authorized members of data center management team are allowed to take tools and any other device inside the data center room. Such physical security check can also be implemented at main entrance of building or campus too.

Access Control System:

Now comes the entry process from main entry door of Data Center. The main entry door is secured using "Access Control System(ACS)" that can be via RFID card or finger print reader or even organizations can opt for retina scan, as the security is needed and depending on how much company can spend on security controls. RFID cards are the simplest authentication method for secured entry in any area. Access is allowed on authorized member's RFID cards who can scan their card at the RFID reader at entrance door which is validated over network from BMS (Building Monitoring System) and if the card is authorized then the door is automatically release for few seconds allowing the member to enter. After few seconds again the door is locked by the electromagnets This prevents any other person to tail gate with the authorized person. But the challenge here is, if some one has lost his/her card or left somewhere and any one picks it up, he/she can go and enter the Data Center, which is a threat. 

To over come this problem, "Dual Factor Authentication" method has been adopted wherein the authorized card holder is given a secrete PIN from BMS team. The authorized member has to scan his/her card first and then need to enter the secrete PIN through the PIN pad and need to press '#' key to get the door released. So, even if some one gets the card lying somewhere, he/she will not be knowing the PIN, hence cannot misuse the card. Since here we need two authentications process to enter, one is authorized card and second is PIN allocated for that card, hence it is known as "Dual Factor Authentication". Every authorized member will have different access cards (RFID cards) along with unique PIN associated with that card. To further strengthen the security, the PIN is changed on regular basis by BMS team and shared to respective users on one-o-one email. This change frequency can be monthly or quarterly. This prevents any unauthorized person to get to know the PIN by shoulder surfing any authorized person entering the Data Center.

Now again, some authorized member may misuse the access card by sharing his/her access card & PIN to any colleague who has missed to bring the card on particular day. To overcome this there is another option for finger print reader with dual factor authentication. It has both options i.e. Card reader + PIN or bio metric + PIN and Card reader + Bio-metric. Card reader + PIN function is same as we saw above. And if the finger print option has been enabled, then authorized member has to swipe his/her finger on reader and then enter secured PIN to have the door released. This prevent any type of sharing of access controls within team members.

To exit from Data Center simple card reader can be deployed inside room, once user scan the card, the door will be released for few seconds to come out. 

Another control is very much required at door i.e. DOTL (Door Open Too Long) alarm. Its a kind of small buzzer placed near door which starts beeping if the door is not shut properly or is open for more than 30 seconds. As doors are magnetically locked, hence the lock may malfunction some time or the mechanical door closure may not work properly or user has kept the door open for long due to some reason, in all such scenarios this buzzer indicates there is something wrong which has to be attended immediately. 

Coming to emergency exit door, this door is not operated as main door. It mostly has a push bar to release the door in case of emergency and move out. In such case if someone has moved out from emergency door and left the door open the security guard sitting near main door will hear same buzzer alarm fitted at emergency exit door hence can take appropriate action.

CCTV Surveillance:

Other than manned security and access control system, we have next control i.e. through CCTV cameras. Any movement inside data center has to be recorded and monitored over CCTV camera and recording shall be recording to be retained for minimum 30 days for forensic investigation required after any critical outage/incident happens inside Data Center. 

Adequate number of cameras are installed inside data center to cover every part of it not leaving any unattended area, also known as "blind spot". To attain this multiple cameras are deployed at different angles to cover every corner of Data Center room. 

As we retain the recording for minimum 30 days for any investigation, hence it is highly recommended to go for motion sensing camera where the recording of videos starts only if there is any movement inside room. In case if there is no movement inside Data Center, recording stops. Else it will unnecessarily consume storage to keep recording video of standing racks which are of no use and will take additional storage cost. Time to time the focus and alignment of cameras are also to be verified so that clear video is recorded, else it will be of no use in case we do investigation with poor quality recorded video.

Go to Content List