The exponential growth of data usage has led to data centres being a prime target of attacks
But what exactly is involved in securing data centres?
The global spread of technology plays an increasingly crucial role in modern society and data centres are at the heart of it all, storing and processing the hundreds of thousands of terabytes of data. Indeed, data centres are predicted to be consuming over 20% of the world’s power by 2025, demonstrating the integral role they will continue to play and also the importance of effective data centre security measures. Securing data centres from physical security threats will only become more crucial as time goes on.
The recent controversy around cyber-crime and intellectual property (IP) protection has highlighted more than ever the importance of data centre protection, but physically securing data centres against threat has its own host of potential challenges. After all, the most secure firewall is irrelevant if the building itself can be breached. A breach will ultimately cost the data centres vested party (companies, organisations or government) well into the millions of pounds in damage, not to mention the indirect, yet ultimately inevitable damage to reputation.
Due to the sheer amount of data processing, data centres must be environmentally controlled through air conditioning to keep the heat and humidity constant. The power provision, often determined by the size of the site in Watts per square foot, along with the communications infrastructure must also be considered when securing. Building a data centre from scratch is an exceptionally expensive project due to the unique requirements each data centre has, but it is generally understood that the higher the Tier category – Tier 1 being a server room and Tier 4 hosting mission-critical data and systems – the more extensive the data centre security measures required.
Download our guide on how to assess which security rating you need
Designed to ensure business continuity in many cases, data centres are generally purpose-built buildings with clearly visible intruder deterrent measures in place; there is little risk of an opportunist threat in this type of application. As data centres are almost never in or around crowded areas or population centres, the primary concern here is to secure the property rather than to protect people.
The biggest threat when considering the physical security is likely to be a premeditated and professional attack, either motivated by a corporate competitor or state-sponsored sabotage. The purpose of the attack will vary, but the intention is more likely to be destructive, so protecting the core of the building is the primary concern.
There are numerous ways a determined intruder could damage a data centre. One of the most significant risks is Hostile Vehicles, whereby the attackers will use a vehicle to either gain entry or intend to ram the building to cause irreparable damage to the servers. Blast also poses a significant if the data centres is mission-critical Tier 4 (highly unlikely as there are only a few in the UK though not impossible) or has a specialist threat level due to the location.
For lower-profile data centres, Bodily Force and Power Tools are relevant considerations, though specified products are required to mitigate this risk. Another important factor to consider when looking at data centre security as an overview is that due to the sensitive nature of the data, there will always be a certain threat level from internal personnel.
Common challenges when securing data centres
Data centres are unique from a physical security viewpoint. Their sole purpose is to house and protect data racks, as opposed to most buildings where the protection of people is a priority. This has several implications; being that there is no requirement for windows, the only access points to the data centre are doors and shutters. The rest of the enclosure can be secured with security cladding, significantly reducing the risk of intrusion.
Zero visibility into the data centre removes the risk of potential attackers gaining insights into the layout and security measures in place in the interior. On the other hand, it is a complex and possible expensive project to protect the whole property from HVM, Ballistic or Blast threat as there are less particular hotspots highlighted as weaknesses (ie windows to be reinforced with ballistic glazing) but rather the entire building need reinforcing.
It is standard industry practice for extensive vetting procedures, but the process when hiring staff may not always be conclusive. Returning to the importance of a layering physical security measure to create an integrated solution, the ‘top’ layers (automated detection, access codes etc) could easily be bypassed if the procedure is already known.
Where data centres are located is dependent on the priority category. Focusing on Tier 3 and above, top level data centres require a separate geographic location from the main facility. From here, perimeter security is a key consideration as there will be an additional opportunity to deter and delay intruders through intelligent use of fencing, lighting and other perimeter security measures before they reach the building itself. If the data centre is categorised as Tier 1 or 2, is it normally an enclosed part of one larger building or site, such as an office block. The physical security considerations here differ; all access points from the building into the data centre would need to be considered, with security rated doors and restrictive access control a key requirement.
The ideal solution in this environment would be to prevent intruders ever reaching the data centre’s perimeter, and whilst this is somewhat optimistic against a truly determined criminal, effective implementation of security measures through-out the entire building will effective reduce all other threats.