Modern society relies upon technology. If major telecommunications hubs and online networks were to go down for a significant amount of time, people would not only face inconvenience, but serious repercussions. Financial data, personal identification, sensitive emails, and other confidential information could be compromised. Major businesses would be disrupted. Public outcry would demand to know how and why this could happen.
We live in an information-based world where we rely on computers to do so much for us. Data centers allow instant access to dozens of activities we take for granted. With the advent of cloud computing, more and more data centers are needed, which means more and more facilities are being built or converted to house server racks, power sources, cooling systems, and other equipment. No longer languishing in obscurity, data centers are quickly becoming a major component of our economy and societal infrastructure.
A data center outage can also cost hundreds of millions of dollars and impact financial markets worldwide. Because these facilities are so critical, they are ripe targets for terrorist attacks. However, there are several steps you can take in order to mitigate the risk of an attack.
First of all, everyone involved in staffing your data center must be fully aware of the potential of being attacked. This goes for all employees in addition to your security staff. All must understand the importance of constant vigilance, and the potential consequences if anything were to go wrong.
Staff may need to be trained in order to learn to identify suspicious people or vehicles. Security officers will need to perform thorough investigations of all suspicious activity, and all unusual events must be reported and documented with all clarity, detail, and accuracy.
Cultivating an environment of continuous alertness will deter potential attacks. When every aspect of your facility and staff are clearly dedicated to security, attackers will think twice and move on to an easier target.
One of the chief concerns when hiring outside contract security is how disruptive the security services will be. It’s no different for a data center. Every facility fortified by a security program must find that proper balance between safety and unobtrusiveness.
Access control is a major factor in any facility’s security plan, and this is even truer at a data center, which contains much sensitive technology and equipment. Therefore, it’s absolutely imperative to know whom you allow into your facility. You must also verify identification and make sure bags are properly checked, and you may even want to consider escorting visitors throughout the premises. The challenge is to allow visitors to enter your facility without causing such a hindrance that they’re more trouble than they’re worth. There may be times when it simply feels easier to ease up on access procedures simply to expedite the process.
While there may be valid reasons for this attitude, if your top priority is safety and security, then you must remain committed to controlling access to your facility regardless of any inconvenience placed upon visitors, and even regular employees. This applies to entrances as well as various other sections of the entire data center. Visitors must be logged and documented, and you must know where they are at all times.
If you’re constructing a new data center, it’s highly recommended you choose a location conducive to security. Whenever possible, any critical facility should be a specialized site dedicated to one tenant, with minimal public or shared areas. Although many data centers do share building space with other companies in order to save money, this can compromise security. The more people have unregulated access to the building, the more difficult it is to maintain safeguards.
Similarly, difficulties ensue if your data center is planted in the middle of a busy public area surrounded by sidewalks, streets, and parking. High activity can be very challenging to manage even with security cameras and
fences installed. A buffer zone between your data center and all points of access will limit the potential for unlawful infiltration.
While every facility is different and requires its own unique security program, a strong foundation calls for certain fundamental concepts to remain constant. Layered security is important for any property, but for critical facilities such as data centers, the principles are simply essential.
Man-made barriers or natural barriers are the first line of deterrence and defense. Perimeters must be fortified, with sturdy gates to block intruders. Erect some bollards to prevent attackers from easily maneuvering vehicles and crashing into the building. It is also prudent to install video cameras on the exterior of the building.
Then there is the facility’s main entrance, which must be staffed by security personnel, perhaps in a guardhouse or similar structure, with bulletproof glass. Security guards at the entrance are necessary to control access and direct visitors. Entrance guards provide a visible security presence, to display a show of strength to potential attackers. They can also spot suspicious vehicles and individuals from a distance. In general, all perimeters and parking areas must be secured and regularly monitored. The idea is to prevent attacks or, failing that, to see them coming so as to minimize any damage.
Interiors must be fortified as well. Posting stationed guards and roving patrols inside the facility will safeguard employees, visitors, and assets. Install mantraps and electronic access control systems (such as card readers or fingerprint recognition) to limit access to the facility’s different areas. Only employees who need to enter different sections of the facility should be granted access. If you use mechanical access control systems (physical keys), you must have an organized method to account for every single key.
Because data centers house specialized equipment, it is wise make rooms containing server racks, cooling systems, and electrical power storage equipment inaccessible to the public and to most employees. Only those whose duties specifically require them to work with those particular systems should be allowed access. While multiple levels of restriction may seem cumbersome, it is the most effective way to ensure that only authorized individuals can freely enter different areas. Detection systems, camera surveillance systems, and alarm systems are other elements used to fortify facility interiors.
The Importance of Trained Security
However, while these electronic systems can be beneficial, keep in mind that to use them to their maximum potential, security officers must undergo comprehensive and site-specific training. Camera surveillance systems have become more and more sophisticated over the years. In the past, surveillance footage consisted of grainy, choppy video. Modern cameras are able to capture high resolution video, making it easier to identify perpetrators. Depending on the size of your data center and the number of security cameras, multiple security officers may be required on monitor duty.
It may be cheaper to have a stationed guard take some time from a patrol to review camera footage every once in a while, assigning guards to do multiple jobs ends up making them ineffective at both.
Having officers whose sole duty is to monitor cameras will allow the surveillance system to function at peak efficiency. Make sure your security officers are specifically trained to handle their primary job, whether it’s access control, monitor duty, or perimeter patrols.
Back up plans must also be in place. A well-designed data center has built-in redundancies in case of power outages or mechanical failures. Electrical, mechanical, communications, fire and life systems – all must be addressed with contingency plans to address your team’s response approach. Redundant systems can also keep you online in case of an unexpected failure.
Disaster recovery is one more important plan that must be in place. If an attack or natural disaster were to seriously impede the function of your data center, you must have measures to restore operations as soon as possible. The key here is not only to plan, but to train your staff and test your disaster recovery plan before a real disaster strikes. To be ready for disaster, and to evaluate your disaster recovery plan properly, it’s necessary to experience simulated disasters. You must then conduct an autopsy-like analysis to identify areas of improvement.
Testing serves several purposes, including: to ensure the viability of your disaster recovery procedures; to check the response capabilities and competency of staff; to see whether changes in the computing environment are accounted for; and to ensure that backup data centers or alternate power sources perform according to expectations.
Terrorist attacks are a reality that can’t be ignored. Data centers are attractive targets for those who seek to disrupt and damage major business and communications infrastructure. Therefore, security must be taken seriously. Minimize risk and take proactive steps to limit the negative impact of an attack by fostering a culture of alertness and planning strategically.