The Hostway Blog

Data Center Tour Part 3: Physical Security

When we think about data security, and breaches that have made the headlines, the theft of credit card details by hacker Albert Gonzalez from TJX and other major US retailers in 2006, or the loss of Army reservists personal information after the theft of a laptop containing a CD ROM listing their details, tend to come most readily to mind. It’s easy to focus on the physical risks posed by small portable devices, and the vulnerability of high value data pools in data centers to virtual attack.

Information and equipment stored in data centers can be vulnerable to physical theft too, though. They are targeted by thieves for their resale value or, more likely, by criminals who want to exploit the data held on them. Here we take a look at some of the ways data centers have suffered physical losses, and the security measures implemented to counteract them.

Brute Force Attacks

Measures taken to prevent intruders obtaining access to the premises include:

  • Some companies try to keep the locations of their data centers secret, although this is rarely entirely successful. Other measures designed to keep the data center low key are a lack of signage, and placement well back from roads with trees, shrubs and landscaping shielding them from passing traffic.
  • Perimeter fencing with a single point of access manned by security staff. Retractable traffic bollards may also be combined with crash proof barriers to prevent unauthorized access. Many data centers are also built with few windows, resembling warehouses rather than offices to reduce potential areas of weakness. The data center may also be surrounded by an expanse of concrete, making intruder detection easier.
  • Doors and windows may be covered by security cameras programmed to sweep the area in a non-predictable pattern. Fire doors will be designed to open from the inside only and connected to alarms.

Sneak Attacks

With so many power lines, HVAC systems, connecting cables and raised floors, data centers offer potential for a more discreet method of entry, especially where roof access is relatively easy, or the data center is housed with other businesses in a larger building.

Preventative measures include:

  • Ensuring the external walls extend from floor to ceiling and there are no crawl spaces either under raised floors or above dropped ceilings where intruders can hide.
  • Ensuring visitors are monitored at all times, or accompanied by security staff, particularly outside contractors. This includes ensuring people are logged out as well as in, and searched in both directions.
  • Motion detectors, low light cameras and man traps. Man traps are corridors with two sets of secured doors, only one of which will open at a time, and requiring ID verification at each door. They are designed to trap intruders who attempt to ‘piggy back’ access with genuine staff.
  • Provision of visitor restrooms to prevent visitors from ‘social engineering’ access to sensitive areas under false pretenses.
  • Equipment stored in secure lockable cabinets that are routinely kept locked and keys tightly controlled.

The Inside Job

Unfortunately, as the theft of current and retired police officers’ personal information by a civilian employee from a data center in Staten Island, as reported by the New York Post shows, the threat doesn’t always come from outsiders. Actions taken to prevented disgruntled employees abusing their access include:

  • Segmented storage of servers or mainframes with zoned access to different areas for staff, allowing entry only to areas needed to complete their work.
  • Biometric access in the form of thumb of hand print recognition. Retinal scans, since they are perceived as more intrusive, tend to be reserved for the most valuable and sensitive data.
  • Anti-piggy backing measures in addition to man traps could include floor to ceiling turnstiles that revolve in the reverse direction if a second person tries to follow an authenticated employee.
  • Logging who accessed which areas and when makes tracking staff easier, and prevents duplicated IDs from being used.

None of these measures are effective unless staff are trained to maintain a security aware mentality and to challenge unfamiliar faces, though. As John Muir says in Stolen Drives and Servers one security expert testing a client’s data center security was able to “bypass the front reception area and walk around the side of the building while wearing a hat and shirt from any well-known technology company. There he could blend in with the smokers … then simply walk into the facility, enter the computer rooms and brazenly start removing equipment.”

So when choosing a Web hosting company, investigate their attitude not just to virtual security, but to physical security as well.

Read the complete series:
Data Center Tour Part 1: Introduction
Data Center Tour Part 2: Meet the Staff
Data Center Tour Part 3: Physical Security
Data Center Tour Part 4: Redundancy
Data Center Tour Part 5: Servers