According to The Data Economy Report, by 2025 data centres in the UK alone will be responsible for storing data worth circa £103 billion annually. Globally, the IDC report ‘Data Age 2025’ estimates that the volume of data generated will have grown by 378% by 2025 compared to 2018 (33 Zettabytes to 125 Zettabytes).
The theft of information assets has serious consequences; in the UK, according to IBM research, the average cost of a data breach to a business has grown to nearly £2.7 million. As well as causing economic loss, a data breach can also cause significant reputational damage through loss of customer confidence.
With such economic value at stake for businesses, the physical security of data centres must not be an afterthought but rather an integral part of how these facilities are designed, developed and built.
Often positioned in anonymous-looking buildings, these facilities are responsible for the protection, storage and transfer of information which enables multiple critical systems to function around the world, including, for example, financial, healthcare and defence systems.
All of the above makes these facilities a potential target for malicious attack, with serious and far-reaching consequences.
By ensuring that physical security is considered as an integral part of the data centre, there is an opportunity to create a holistic, layered approach which will effectively delay and disrupt any attempted attack.
With this in mind, below are two of the main physical security threats faced by data centres today and how these threats can be overcome.
Restricting vehicles
Vehicles can cause extreme damage to data centres if the right security measures are not in place. Having breached the outer security perimeter, the vehicle could then proceed to damage the building itself if secondary physical protection was not installed.
In 2007, the physical impact of a travelling truck was the cause of a data breach for a large US data centre operator. The vehicle was driven into a power transformer, cutting the power to the company’s Dallas facility. Whilst the data centre did have a back-up generator, two of the chillers within the centre failed to restart, causing the business to take customer servers offline for a period of time.
This event demonstrated the damage posed by hostile vehicles to data centres, even if at times it is an unintentional accident. The company consequently had to restrict their services and deal with reputational damage, all because a vehicle was able to enter an area which should have been better protected.
As well as causing damage externally, the movement of the vehicle within a protected area could be a precursor to physical entry into the building by unauthorised personnel. Even more worryingly, without the right security measures in place, vehicles can be rammed into the building to intentionally cause damage and then launch an attack within the data centre facility.
How can vehicles be restricted?
When considering the restriction of vehicles, a layered approach is a tried and tested methodology that is used on many different types of building. This can include measures such as hostile vehicle mitigation (HVM) rated gates and bollards, perimeter fencing, associated gates, turnstiles, security-rated cages and external/internal doors implemented around the facility.
The first level of protection would come from the perimeter fencing and gates with the second layer of protection being provided by bollards which can be either fixed or retractable depending on specific requirements.
Perimeter fencing and gates provide the initial layer of security to prevent unauthorised access. There are fencing solutions available that have anti-climb features incorporated within their design through mesh composition which can also offer strong visibility for CCTV and security patrols. Introducing properly tested fencing and gate solutions around data centres will not only prevent physical damage to the building through a vehicle impact but can also stop unauthorised visitors being able to get closer to the main entrance.
Tested and certified bollards can then be used to provide the next line of defence, with retractable bollards providing a flexible security approach. When these are operated by security personnel, a warning light system can be used once access has been assessed and granted, but access can also be prevented immediately. In this scenario, the bollards can be left up and the appropriate action can be taken. Dynamic bollards and road blockers can also be used to enforce a ‘tiger-trap’ stop-and-search function for all vehicles entering a site.
These solutions provide a multi-layered security approach which, when combined with various access control and detection systems monitored by the on-site security teams, gives the data centre complete, robust physical protection.
Why does access need to be controlled within the facility?
In addition to perimeter security, installing measures within the entrance area of a building is essential. This helps complete the layered security approach which has commenced at the physical outer perimeter, making it difficult for unauthorised personnel to gain access to restricted areas.
Monitoring access to a data centre building was a problem for a national telecoms provider back in 2011, when unauthorised personnel were able to force access, stealing computer equipment and network hardware. This caused immediate disruption to the phone provider’s customers, who experienced the loss of SMS, internet and phone calling services.
This highlights the importance of installing comprehensive security at each and every ingress and egress point. By making it difficult for unauthorised personnel to enter a site, data centre security managers can increase the length of time that security professionals have to react to a threat and, most importantly, reduce the risk of damage to the building asset and the services being provided.
How can access by foot be regulated?
In order to achieve this, a range of authentication points and ‘air lock’ doors should be installed. Implementing this multi-layer system can help to restrict access and also identify whether the individual trying to gain access is authorised to do so.
A visitor buzzer followed by an inner door can be used to grant access while keeping visitors separated from the general employee area. This allows for rigorous identification and enables security operators to establish who works for the data centre operator and who is an external, and potentially unwarranted, visitor.
Similarly, installing a floor-to-ceiling turnstile door at each entrance point can reduce the chance of an individual tailgating an authenticated user. This measure can be backed up by a ‘mantrap’ door. These doors are separated by an ‘air lock’, where the second door can only be opened once the first one is closed. If an unauthenticated user does attempt to tailgate a data centre employee as they legitimately access the building, these doors allow security personnel to stop the second door being opened and deal with the situation accordingly.
For many years, the Critical National Infrastructure sectors have been building, refurbishing and hardening their infrastructure to ensure that apparatus in data centres and access points around a facility are protected against all levels of trespass, malicious damage and terrorism. Whilst data centre managers will be looking to meet the legislated security standard of the Loss Prevention Certification Board LPS 1175, it is essential for a range of measures to be implemented that not only meet these standards, but help to physically protect and monitor the ongoing physical security risks at these sites.
Within data centres, a multi-layered approach should be deployed to make sure that protection at each layer is robust. There is potential for vehicles to be used to force access, as well as individuals walking into the main building if the appropriate physical measures are not in place.
Most importantly, attacks can be carefully prepared, and if ill-intentioned individuals know the internal location of key assets, then a coordinated attack using a vehicle and individuals on foot could cause extreme damage to a business and its customers.
That’s why a holistic approach to physical security, which considers each perimeter layer both externally and internally all the way up to the key assets, will provide the most robust security solution.