Data Center Journal

Volume 33 | August 2014

Issue link: https://cp.revolio.com/i/359333

...enhanced monitoring, detection, conditional alerts and potentially better post-event analysis documentation," according to Cober.

Access control is only as good as the authorization lists it enforces. "Keeping access lists up to date on a real-time basis is critical. Only those with a true business need should be able to access the data center or secure area," said Ratushny. As employees join or leave the company and as job roles change, management must update the access-control lists accordingly.

MANAGING THE BIGGEST THREAT

Unlike cooling systems, which can fail through no malicious intent, the sole threat in the context of security is people—whether employees or individuals outside the company. In the case of colocation data centers, the problem is compounded because the facility may be hosting equipment from numerous (possibly competing) customers. And some of these customers may visit the facility regularly.

Ratushny notes, "Whether it is intentional sabotage, social engineering, carelessness or lack of following defined policy, people working in the facility can be our biggest risk. For example, social engineering is a common threat because most people by nature want to be helpful."

To address this issue, several policy factors come into play: training, accountability and improvement. Proper training of personnel to carefully follow security procedures not only protects the company, but it also protects employees. But this aspect of security is the linchpin to an otherwise strong policy. "Creating a sound physical security policy can be relatively straightforward for an experienced operations professional, but proper training to verify that all of the people who determine the success or failure of the policy is often more challenging," Ratushny said.

Accountability is naturally another important aspect. If security policies go unenforced, they become worthless. Of course, the response to security infractions need not always be draconian (such as terminating a security guard who lets pass a long-time employee who happened to forget an ID badge), but it should be proportional to the incident. For instance, in a colocation data center, a representative of a customer who is caught snooping on other customers' equipment or tries to bypass other security measures might be banned from the facility.

Security policies should also take into account others who might enter certain parts of the facility: visitors, for instance. Questions like what areas visitors may access and how they should do so (e.g., with a visitor badge issued from the security desk) are matters that require forethought in light of the purpose and layout of the facility. In some cases, the wisest approach may simply be not to allow visitors, or to only allow them in minimal-security areas.

In the case of contractors, however, the situation is more difficult, as these individuals may require access to the most secure areas of the data center. Careful screening of potential contracting companies is critical, and contractors should obviously be aware of and closely follow security policies in the facility.

OTHER CONSIDERATIONS

In addition to managing access, data center security should have a healthy focus on proper isolation. Again, the required measures will depend on the type of facility and its location. For instance, if a data center is in a multistory building, the company must consider "vertical" threats. "It is important to be mindful of what is above or below the data center," said Ratushny. "For example, a data center in a multi-floor building in Manhattan will have far different risks than a data center in Quincy, Washington. Physical barrier needs need to be evaluated room to room." In addition, Ratushny notes that the computer room should avoid being adjacent to an outside wall. Beyond providing a buffer for personnel access, keeping the computer room further inside the building can also help protect it from other threats, such as natural disasters (like hurricanes) and even accidents (like a truck running into the wall).

In addition, physical network resources require protection as well. Cober recommends "taking appropriate precautions to secure the network pathways and duct banks. This may not always be possible on the carrier's side of the network, but it should be considered once it's within facility control or influence. Concrete-encased duct banks reduce potential physical damage, especially beyond secured fence boundaries or on adjacent properties." Furthermore, service entrances, such as for power and network connectivity, should be sealed. Spaces left for cabling can potentially enable an intruder to either enter the building or move from a lower-security area to a higher-security one.

Not to be ignored is the critical task of preventative maintenance and testing. Like any system, physical security can fail if insufficient care is provided over time. Surveillance cameras, for instance, can fail randomly or be tampered with, necessitating regular checks. Cober adds, "The entire complement of security systems needs to be designed with the same level of operational attention to reliability as any other critical system. This includes an overall balanced physical security design solution, regular preventive maintenance on equipment and commissioning of all the interrelated systems."

Ratushny offers a similar sentiment: "Many data centers have some level of compliance requirements and therefore are audited on a regular basis. Even if external audits are performed, they do not replace the need to perform internal audits and checks regularly. Internal assessments include using an outside firm to assess the facility with a fresh set of eyes."

CONCLUSIONS

Physical security may be less glamorous than network security today, but it is equally critical. A philosophy of reliable physical security must take a layered approach that balances the need to control access to certain areas with the need for isolation. In addition, maintaining adequate security—like any system in the data center—requires preventive maintenance, testing and training of employees in a well-developed security policy. The particular details of a given security implementation will depend largely on the location, purpose and design of the data center. Thus, for instance, some features that are critical in one facility will be superfluous in another. The overarching philosophy of reliable security design, however, is the same.
