Building Your Data Center CASTLES – Security
This is Part Four in a series about selecting the right data center for your needs.
I have a selfie of the Queen of England and me.
It was a complete right-place-at-the-right-time situation. On a recent trip to Windsor, my director recommended that if I had the time, I should go up the Long Walk because he said I would enjoy the view. (He was right, and I wholeheartedly recommend going all the way to the Copper Horse if you ever have the chance.)
On the way back, I noticed a few people hanging around the south gate to the castle. Curious, I went up to the iron fence and asked the guard inside, “Is something going on?”
“Her Majesty is on her way back to the castle,” said a cute older woman with a silly hat standing next to me. “She’ll be back within 15 minutes.”
I took a place with the three dozen other people along the edge of the path. “Stand over here,” said a nice lady with a little dog. “She sits on this side and you’ll get a good picture.”
“Her car is the first one,” said her friend, also with another petite dog in a costume.
Shouldn’t all of this be a national security secret? I thought to myself.
A single officer with a sidearm opened the gate and instructed all of us to clear the driveway. No barriers, no guards with rifles, no other visible security. A few moments later, we saw the lights of the police escort traveling with a variety of dark cars in tow. Sure enough, here she came about 15 feet away from me, and I got just the right angle to snap a picture of my massive head and Queen Elizabeth II waving from the back of her sedan.
When I shared my story with my coworkers that Monday, I remarked how surprised I was at the minimal protection around her. “Of course,” said one of them, “You know you had a sniper who was aiming at you, right?”
Um, no.
That coworker of mine worked previously in a variety of high-profile government buildings. He recounted how the security forces who protect the royal family routinely have sharpshooters and armed police stationed out of sight to protect them. Most of them go completely unnoticed. Yet, they are everywhere around the castles, palaces, and motorcades.
The Queen of England could be so accessible precisely because her security was so effective, ubiquitous, and invisible.
Guarding The Digital Fortress
Likewise, good data center security works when it is woven into every layer of the facility—physical, logical, and human. Critical infrastructure must have sufficient tangible barriers to prevent intrusion and keep electrical and mechanical systems working. Computer systems and networks require firewalls and other logical safeguards to stop hackers and online threats. People need training so they do not compromise the integrity of what they worked so hard to build. All three pieces are necessary to protect the modern-day digital fortress.
Now, there are thousands of books on these topics, and more week-long seminars and conferences than can be counted plumb their depths. My goal in this article is not to cover every facet of data center security down to the minutiae, but to counter the myth of a one-size-fits-all perspective on data center security. An audacious and impenetrable data center in the middle of the desert, protected by sharks with laser beams on their heads, is impressive, but we should glean the prescriptive elements from it rather than copying its every feature everywhere. With that, here are three strategies to help you reach your data center security goals.
Understand what you need to accomplish. In one colocation facility I have visited, there is a customer with a sealed cage within a cage, protected by two independent access readers, multiple security cameras, bolted-down floor tiles, an access system that opens specific cabinets only at specific times, and a security policy that requires two people to be present whenever the doors are opened. Next to that cage, there is a customer with an open-topped cage, a Kwikset lock instead of a badge scanner, cabinets that can be opened without a key, and clearly visible labels identifying the equipment by name. Although one customer is more fortified than the other, that does not mean the less-protected client is deficient. It means that each has a specific level of security that addresses its needs.
When examining your data center security, first look at what you must accomplish. Does your facility need to be auditable against SAS70, SSAE16, or SOC1/2/3 standards? Do you have to fulfill SOX, HIPAA, or PCI obligations? Do government clients trust you with Controlled Unclassified or Yankee White-level information? Your security standards should reflect who you serve and your facility’s purpose.
Approach with the principles of CIA and Concentric Rings. Confidentiality, Integrity, and Availability form the “Infosec Triad” for safeguarding Information Technology systems. Data center security should keep private things private, prevent unauthorized changes, and keep systems working the way they were intended. Anything that would violate one of these three needs to be addressed.
One of the best strategies for designing proper data center security is to follow the principle of concentric rings of protection. Each ring addresses a specific area and must be crossed before someone can access a more sensitive area. For example, on the physical side of data center security, a facility should start with the larger world and narrow down to the people who can lay hands on servers, like this:
Location—Avoiding natural disaster zones, population centers, high-risk areas.
Border—Iron fencing, bollards, CCTV, security patrols.
Building—No logos or exterior windows, one main visitor entrance, isolated electrical and cooling plant.
Offices—Visitor bathroom outside private rooms, secured offices and security center.
Raised Floor—Mantrap, badge readers, biometrics.
Suite/Cage—Customer-specific access lists, physical isolation, door monitors.
Cabinet—Technology-specific, vendor-specific, or customer-specific, with locks and logs.
Ensure checkpoints, auditability, and responsiveness. For each of those concentric rings of data center security, there should be ways of isolating, verifying, and reacting to incidents. Checkpoints at each level are intended to deter unauthorized progress toward the inner rings. Regular auditing of logs, video feeds, and tickets verifies that recorded activity was legitimate and provides forensic evidence when something goes wrong. Proactive and reactive response plans prepare the data center for the day something does.
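As an added example (my own, not the author's), the script below audits a constructed badge-reader log against the rings listed above and the two-person cage policy from the first strategy: a grant at an inner ring without earlier grants at every outer checkpoint means a checkpoint was bypassed (tailgating, a propped door, or a misconfigured reader), and a cabinet opening with fewer than two people inside the cage breaks the policy. Ring names follow the list; treating Location and Offices as non-checkpoints and the CSV event format are assumptions.

```python
"""Added example: audit badge events against the article's concentric rings of protection."""
from collections import defaultdict

# Checkpoint rings on the path to a server, outermost first (assumption: Location is a siting
# decision and Offices a side zone, so neither appears as a badge checkpoint here).
RINGS = ["Border", "Building", "Raised Floor", "Suite/Cage", "Cabinet"]
TWO_PERSON_RING = "Suite/Cage"  # the cage whose policy requires two people present

# Constructed sample log: time,badge,ring,event (GRANTED/OPENED = passage, EXIT = leaving).
SAMPLE_LOG = """\
08:00:01,B100,Border,GRANTED
08:00:30,B200,Border,GRANTED
08:01:10,B100,Building,GRANTED
08:01:40,B200,Building,GRANTED
08:02:30,B100,Raised Floor,GRANTED
08:02:50,B200,Raised Floor,GRANTED
08:03:05,B100,Suite/Cage,GRANTED
08:03:06,B200,Suite/Cage,GRANTED
08:04:00,B100,Cabinet,OPENED
08:05:00,B300,Raised Floor,GRANTED
08:06:00,B200,Suite/Cage,EXIT
08:07:00,B100,Cabinet,OPENED
"""

def parse_log(text):
    """Split CSV lines into (time, badge, ring, event) tuples, skipping blank lines."""
    return [tuple(line.split(",")) for line in text.splitlines() if line.strip()]

def audit(events):
    """Return findings: rings reached without clearing outer ones, and two-person violations."""
    cleared = defaultdict(set)  # badge -> rings this badge has already passed
    in_cage = set()             # badges currently inside the two-person ring
    findings = []
    for time, badge, ring, event in events:
        if event == "EXIT":
            if ring == TWO_PERSON_RING:
                in_cage.discard(badge)
            continue
        # Every outer ring must already be cleared; a gap means a checkpoint was bypassed.
        missing = [r for r in RINGS[:RINGS.index(ring)] if r not in cleared[badge]]
        if missing:
            findings.append(f"{time} {badge} reached {ring} without clearing {', '.join(missing)}")
        cleared[badge].add(ring)
        if ring == TWO_PERSON_RING:
            in_cage.add(badge)
        # Opening a cabinet inside the cage requires at least two people present.
        if ring == "Cabinet" and len(in_cage) < 2:
            findings.append(f"{time} {badge} opened cabinet with {len(in_cage)} person(s) in cage")
    return findings
```

Running `audit(parse_log(SAMPLE_LOG))` flags B300 appearing on the Raised Floor with no Border or Building grant, and B100 opening a cabinet alone after B200 left the cage; the first cabinet opening, with both present, passes.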
The Proof
In case you wanted to see it for yourself, here you go.
Please share your thoughts in the comments section below; when ideas are spread, great things happen.
ABOUT THE AUTHOR:
Christian Pruett helps executives and senior leadership make sense of new data center technologies and maximize their returns in cloud, converged, and content spaces. His ebooks have been downloaded over 300,000 times and he speaks at IT conferences about the latest trends that are shaping the Internet of Things and Digital Utility space.
Business Leader | Information Technology Sales | Driving Business Outcomes (commented 5 years ago):
I bet it is unnerving, during our new normal of COVID-19 work from home, to see as much remote access to data that used to be locked in a data center and only accessed within the confines of the corporate network, neatly guarded by the corporate firewall. The exposure has greatly expanded.
Cloud Leadership | Cloud Engineering and Operations | Managed Services | Innovating Scalable, Secure, and Efficient Cloud Infrastructure | Growing recurring revenue by selling to the best market, existing customers! (commented 8 years ago):
Excellent article! Love the identification of perspective related to overall perception of security.