Security ranks highly on any data centre manager’s list of priorities, and restricting access to racks and cabinets is vital in order to protect the business-critical information stored within them. Mark Hirst, head of T4 Data Centre Solutions with Cannon Technologies, examines the ways technology is being used to protect the data centre infrastructure.
Security is an essential element of any data centre operation and anyone who fails to recognise its importance is dicing with disaster. In terms of the physical infrastructure, racks and cabinets are the last line of defence and, therefore, as well as housing a plethora of important active equipment, they also need to protect the sensitive data contained within them.
With any data network there is always a risk that the information that flows through it could be intercepted and used for malicious purposes. However, there are a number of security processes that can significantly reduce the likelihood of this happening, including the physical and organisational security of the core network.
What was once a basic steel housing is now a sophisticated device that is the critical element in delivering the needs of today’s advanced data centres. Therefore, an integrated security approach at the cabinet and rack level is hugely important and, as a growing number of organisations are finding out, not only must they secure these infrastructure components, they must be able to prove the efficacy of their auditing systems to one or more governance bodies.
For companies that have to comply with legislation such as Sarbanes-Oxley, Basel II, PCI-DSS and the FSA, their data centres must adhere to strict asset documentation, configuration and change management, as well as rigorous and transparent documentation policies.
In colocation facilities high levels of security are also required in order to comply with service level agreements (SLAs), as any data breach can prove costly both financially and in terms of reputation – something that could prove impossible to recover from. For example, in the financial sector data protection and corporate responsibility legislation is extremely stringent and even states that a company’s head office and corporate data centre must be sited in separate locations. With such rigorous security requirements it is this industry that is setting the benchmark for how access control and monitoring technology is being deployed.
To underline a commitment to security best practice, some data centre managers are choosing to become certified to ISO 27001. This international standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system. It is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
Mix and match
While having a permanent manned security presence at a data centre is not at all uncommon, it usually forms part of a multi-layered approach that includes a range of technology that monitors and controls access both into and within the premises. When it comes to restricting access to data, securing the cabinets and racks that house servers and other active equipment is crucial. There are a number of ways that this can be achieved, and perhaps the most obvious is the use of reliable and intelligent locking systems.
Modern locking systems such as swinghandles are highly secure, robust, ergonomic and can be retrofitted. However, to add another layer of protection they can be fitted with an electronic keypad that simply screws to the back of the standard swinghandle, converting it into a remote access solution. The tamper-proof cabling to the lock itself can also be routed through the internal door skin to hide it from view and further increase security.
The locking system will usually be used in conjunction with a personal identification number (PIN) or radio frequency identification (RFID) device. When it comes to room, row or cold aisle entry, one reader device may open all the locks in the cabinets in a particular row if required, while locks can also be unlocked in groups or by user privilege settings. The availability of intelligent access control also means that PINs can be issued that expire after a certain period of time and can only be used to gain access to specific cabinets.
In unmanned environments it is necessary to be able to remotely monitor and control access to hardware. Software is now available that provides local and/or remote control of racks, cabinets, hot and cold aisles, cages or outside enclosures.
Based on ‘plug and play’ modules that can be used standalone or daisy-chained together into a high-security, resilient system, this technology enables remote control from multiple locations concurrently, with full event recording and a rolling 24-hour audit trail. It also ensures only authorised personnel can access the cabinets following a request and authorisation from a central source, which can additionally carry out access code changes remotely.
They can also be configured so that they require two people – for instance, a technician and a security operative – to go through an authentication process before the cabinet will unlock. When in, CCTV cameras can be triggered to record the access session or a simple photograph taken of the person(s) involved. Again, with these systems a full audit trail, including the video footage if taken, is stored for future reference.
Alarms can be generated if unauthorised entry is attempted or an unusual condition or problem is detected, such as if humidity within the facility rises above a pre-defined threshold. This allows designated staff to carry out an investigation that complies with any regulation and SLAs.
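The access-control behaviour described above (PINs that expire and are scoped to specific cabinets, a two-person rule for designated cabinets, alarms on refused attempts and environmental thresholds, and a rolling 24-hour audit trail) is easier to reason about as decision logic. The following is an added example written for this article, not code from the author or from any vendor product; the PINs, holder names, cabinet labels, 8-hour PIN lifetime and 60% humidity threshold are all constructed, and the controller deliberately records holder names rather than the PINs themselves so the audit trail never contains a usable secret.

```python
"""Cabinet access-control decisions: expiring, cabinet-scoped PINs, a
two-person rule, alarms and a rolling 24-hour audit trail.
Constructed example; all PINs, names, labels and thresholds are made up."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 15, 9, 0)  # constructed reference time


@dataclass(frozen=True)
class Credential:
    holder: str          # person the PIN was issued to
    cabinets: frozenset  # cabinet labels this PIN may open
    expires: datetime    # PIN is refused at or after this instant


@dataclass
class CabinetAccessController:
    credentials: dict                            # pin -> Credential
    two_person_cabinets: frozenset = frozenset()  # cabinets needing 2 people
    humidity_limit: float = 60.0                 # percent RH (constructed)
    audit: list = field(default_factory=list)
    alarms: list = field(default_factory=list)

    def _record(self, now, cabinet, holders, granted, reason):
        # Every decision is logged; the PIN values themselves are never stored.
        self.audit.append({"time": now, "cabinet": cabinet, "holders": list(holders),
                           "granted": granted, "reason": reason})
        if not granted:  # any refused attempt raises an alarm for investigation
            self.alarms.append(f"{now.isoformat()} {cabinet}: refused ({reason})")
        return granted, reason

    def request_unlock(self, cabinet, pins, now):
        """Return (granted, reason) for the PINs presented at `cabinet`."""
        holders = []
        for pin in pins:
            cred = self.credentials.get(pin)
            if cred is None:
                return self._record(now, cabinet, holders, False, "unknown PIN")
            if now >= cred.expires:
                return self._record(now, cabinet, holders, False,
                                    f"PIN for {cred.holder} expired")
            if cabinet not in cred.cabinets:
                return self._record(now, cabinet, holders, False,
                                    f"{cred.holder} not authorised for {cabinet}")
            holders.append(cred.holder)
        # The two-person rule needs two *different* authorised people, so the
        # same PIN presented twice does not satisfy it.
        if cabinet in self.two_person_cabinets and len(set(holders)) < 2:
            return self._record(now, cabinet, holders, False,
                                "two-person rule: second authorised person required")
        return self._record(now, cabinet, holders, True, "granted")

    def report_humidity(self, cabinet, percent_rh, now):
        """Raise an environmental alarm when humidity exceeds the threshold."""
        if percent_rh > self.humidity_limit:
            self.alarms.append(f"{now.isoformat()} {cabinet}: humidity {percent_rh}% RH")
            return True
        return False

    def audit_trail(self, now, window=timedelta(hours=24)):
        """Entries within the rolling window ending at `now`."""
        return [e for e in self.audit if now - e["time"] <= window]


def build_demo_controller():
    """Constructed credentials: 8-hour PINs; R1-C3 requires two people."""
    creds = {
        "4821": Credential("alice", frozenset({"R1-C3"}), NOW + timedelta(hours=8)),
        "7733": Credential("bob", frozenset({"R1-C3"}), NOW + timedelta(hours=8)),
        "1199": Credential("carol", frozenset({"R2-C1"}), NOW + timedelta(hours=8)),
    }
    return CabinetAccessController(creds, two_person_cabinets=frozenset({"R1-C3"}))


def demo():
    """Run the scenarios and return outcomes, alarms and two audit views."""
    ctl = build_demo_controller()
    later = NOW + timedelta(hours=9)      # after the 8-hour PINs have expired
    next_day = NOW + timedelta(hours=30)  # beyond the rolling 24-hour window
    outcomes = {
        "single_person_cabinet": ctl.request_unlock("R2-C1", ["1199"], NOW),
        "wrong_cabinet": ctl.request_unlock("R2-C1", ["4821"], NOW),
        "two_person_one_pin": ctl.request_unlock("R1-C3", ["4821"], NOW),
        "two_person_same_pin_twice": ctl.request_unlock("R1-C3", ["4821", "4821"], NOW),
        "two_person_ok": ctl.request_unlock("R1-C3", ["4821", "7733"], NOW),
        "unknown_pin": ctl.request_unlock("R1-C3", ["0000"], NOW),
        "expired": ctl.request_unlock("R1-C3", ["4821", "7733"], later),
        "humidity": ctl.report_humidity("R1-C3", 72.5, later),
    }
    return outcomes, ctl.alarms, ctl.audit_trail(later), ctl.audit_trail(next_day)


if __name__ == "__main__":
    for name, result in demo()[0].items():
        print(f"{name}: {result}")
```

The rolling window is evaluated relative to the time of the query, so the same log yields seven entries when viewed nine hours after the first request and only one when viewed thirty hours after it; a production system would persist the full log elsewhere and treat the 24-hour view as the operator's working window, not the retention limit.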
An increasingly popular way of ensuring that only authorised personnel have access to cabinets is by using biometric technologies. These automatically measure people’s physiological or behavioural characteristics; examples include automatic fingerprint identification, iris and retina scanning, face recognition and hand geometry. The major advantage that this type of solution has over PINs or RFID cards is that it cannot be lost, transferred or stolen and is unique to the individual.
The falling costs of technology over the past few years have meant that fingerprint security at the cabinet level has become a cost-effective reality – one that is becoming more and more popular.
The time taken to verify a fingerprint at the scanner is now down to a second. This is because the templates – which can be updated from a centralised server on a regular basis – are maintained locally, so the verification process can take place whether or not a network connection is present. The enrolment process is similarly streamlined, with a typical enrolment involving three sample fingerprints being taken on a terminal, after which the user is able to authenticate themselves from that point onwards.
This level of efficiency, cost effectiveness and all round reliability of fingerprint security means that a growing number of end users are now securing their IT resources at the cabinet level and integrating the data feed from the scanner to other forms of security such as video surveillance.
In the event of a security breach, being able to identify the person(s) attempting to gain unauthorised access to a cabinet is extremely useful in bringing them to book. Fortunately, there are a number of tools that can help to achieve this.
Cabinets can have a video recording system installed that can either record constantly or be activated in the event of an access attempt. The system will send the data centre manager an email containing a still image of the person trying to gain access. That person can then remotely access the video system and watch events unfold and, when an audio device is also used, the unauthorised person can be addressed verbally.
The use of video is a tried and tested way of tracking movements in a facility and establishing who was doing what at a particular time. Although this comes with its own independent remote software package, it can also be incorporated into a data centre infrastructure management (DCIM) system. Not only can this be used to monitor, control access and designate user privileges, it can manage elements such as power usage and optimisation, environmental control and fire suppression systems with one single suite of dedicated software.
Although some systems are configured using one network video recorder (NVR) to monitor multiple racks, this can use excessive bandwidth, especially in colocation facilities where there can be many hundreds of individual units. This problem is being alleviated through the use of local digital video recorders (DVRs), which are located within the data centre itself.
One to watch
Being able to keep track of data centre assets is an important piece of the security jigsaw. In recent years a number of RFID-based asset management tags and sensors have become available to use with individual components.
With the intention of eliminating the use of manual spreadsheets for tracking inventory, these technologies can provide instant awareness of where data centre assets are located. Missing just a few moves, adds or changes (MACs) can quickly make a manual asset tracking system obsolete, and tags and sensors enable an accurate, automated, real-time inventory of all IT assets and their locations.
Some of these products also offer a tamper notification that is triggered when tags are removed, replaced or altered. If the tag is removed or modified in any way it immediately and continuously transmits a tamper alert signal, allowing designated personnel to respond.
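The reconciliation that makes tag-based inventory useful is comparing what the readers currently see against the recorded location of each asset, so that every move, add or change and every tamper signal becomes an event someone can act on. The following is an added example written for this article, not code from the author or any tag vendor; the asset identifiers, rack labels and the read format (a tag id, the rack whose reader saw it, and a tamper flag) are all constructed.

```python
"""Reconcile RFID tag reads against the recorded rack inventory to produce
MAC events (moved / missing / unregistered) and tamper alerts.
Constructed example; tag ids, rack labels and the read format are made up."""


def reconcile(expected, reads):
    """expected: {tag_id: rack} from the asset register.
    reads: list of {"tag": id, "rack": reader location, "tamper": bool}
    as reported by the readers in one sweep.
    Returns a list of (event, tag, expected_rack, seen_rack) tuples."""
    seen = {}
    for read in reads:
        prev = seen.get(read["tag"])
        # A tag heard by two readers keeps its tamper flag if either set it.
        if prev is None:
            seen[read["tag"]] = dict(read)
        else:
            prev["tamper"] = prev["tamper"] or read["tamper"]
    events = []
    for tag, rack in expected.items():
        read = seen.get(tag)
        if read is None:
            events.append(("missing", tag, rack, None))
            continue
        if read["tamper"]:
            # Tamper is reported whether or not the asset has also moved;
            # a removed tag keeps transmitting the alert until handled.
            events.append(("tamper", tag, rack, read["rack"]))
        if read["rack"] != rack:
            events.append(("moved", tag, rack, read["rack"]))
    for tag, read in seen.items():
        if tag not in expected:
            events.append(("unregistered", tag, None, read["rack"]))
    return events


def demo_events():
    """Constructed register and reader sweep illustrating each event type."""
    register = {
        "SRV-0101": "R1-C3",
        "SRV-0102": "R1-C3",
        "SW-0201": "R2-C1",
        "SAN-0301": "R2-C1",
    }
    sweep = [
        {"tag": "SRV-0101", "rack": "R1-C3", "tamper": False},  # in place
        {"tag": "SRV-0102", "rack": "R2-C1", "tamper": False},  # moved rack
        {"tag": "SW-0201", "rack": "R2-C1", "tamper": True},    # tag disturbed
        # SAN-0301 not read at all: missing from the sweep
        {"tag": "SRV-0199", "rack": "R1-C3", "tamper": False},  # not in register
    ]
    return reconcile(register, sweep)


if __name__ == "__main__":
    for event in demo_events():
        print(event)
```

Feeding one such sweep per reader polling interval into a queue of events, and clearing each event only when an operator records the corresponding move, add or change, keeps the register current without the manual spreadsheet the text warns against.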
The threat of data theft and damage to equipment must be taken seriously – those that fail to implement a thorough multi-layered system run the risk of damaging their businesses and reputations. Rather than just being seen as metal boxes, cabinets and racks are, in fact, at the front line in keeping data safe and ensuring that audit trails comply with relevant legislation.