Ensuring physical security in uncertain times

Recent events have heightened concerns around physical security for many data center operators, and with good reason: the pandemic means many data centers may still be short-staffed, less time may have been available for review of and training on routine procedures, and vendor substitutes may be more common than under non-pandemic conditions. Add the usual “unusuals” that affect operations (e.g., severe storms causing staff absences and increasing the likelihood of utility failures), and normal precautions may fall by the wayside.

For most data centers, much of physical security starts at site selection and design. The typical layered (“box inside a box”) security strategy adopted by most facilities handles many concerns. If a data center has vulnerabilities (e.g., dark fiber wells beyond the perimeter), they’re generally known and provisions have been made to monitor them. Routine security standards are in place, emergency procedures are established, and all employees are trained.

But what keeps data center operators up at night is the unexpected. The recent bombing in Nashville, Tennessee (US), which disrupted internet and wireless services, and new threats to Amazon Web Services facilities as a result of their decision to suspend hosting the social media platform Parler are a stark reminder that extreme events can occur.

A December 2019 report from Uptime Institute summed it up best, by stating that IT security is one of the big issues of the information age. Billions of dollars are spent protecting the integrity and availability of data against the actions of malign agents. But while cybersecurity is a high-profile issue, all information lives in a physical data center somewhere, and much of it needs the highest order of protection. Data center owners/operators employ a wide range of tactics to maintain a perimeter against intruders and to regulate the activities of clients and visitors inside the data center. The full report assesses operator security spending, concerns, management and best practices.

Key Findings from December 2019 report:
• Spending on physical security is commonly around 5% of the operations budget but in extremecases can be as high as 30%.
• Data centers employ a range of common technologies and techniques to control access to the facility, but there is no “one size fits all” solution to physical security: each organization must tailor their approach to fit their circumstances.
• Neither cloud-based data replication nor the threat of cybersecurity to both IT systems and facilities equipment have significantly diminished the need for physical security.
• Most data center owners and operators consider unauthorized activity in the data center to be the greatest physical threat to IT.
• Access to the data center property is governed by policies that reflect the business requirements of the organization and establish the techniques and technologies used to ensure the physical security of the facility. These policies should be reviewed regularly and benchmarked against those of similar organizations.
• Data centers commonly employ third-party security services to enforce physical security policies.
• Attempts at unwarranted entry do occur. In a recent study, about one in five data centers experienced some form of attempted access in a 5-year period.
• Drones, infrared cameras, thermal scanners and video analytics are promising new technologies.
• Biometric recognition is still viewed skeptically by many operators.

Now is the time to review your security plans and emergency operations procedures and to brief staff. Ensure they know the organization’s strategies and expectations. If your facility is in an area where many data centers are clustered together, consider collaborating with them to develop a regional plan.