47

WWW.7X24EXCHANGE.ORG

Most data centers use a combination

of surveillance, personnel (security

guards), and identification and

access control technologies to

control physical access to perimeters

and facilities.

When it comes to internal security,

such as that within the server room,

one of the more traditional

components of a security system is

the cage that contains server racks.

Intended to deter theft, cages can be

visually intimidating. In the evolving

world of data security, however, this

old-school look is no longer an

advantage. Customers today include

multi-billion dollar companies, where

appearance can make or break a

deal. They expect data centers to

combine sophisticated aesthetics

with modern technology.

In terms of securing the cabinets

within a room, one available option is

end-of-row placement, where one

reader or access control device is

located at the end of a row of

cabinets. In order to gain access to

any cabinet in the row for which the

user is authorized, s/he must use the

reader at the end of row. For each

cabinet, the user must walk back to

the end of the row and present

required credentials again in order to

unlock the specified cabinet. End-of-

row access control is not as

convenient as systems that house

control devices at each cabinet.

Another disadvantage of end-of-row

systems is their inability to provide

auditing at the rack level.

Furthermore, installation is difficult

and labor intensive. Therefore,

moving end-of-row systems to

change the layout of a room or floor

can cause major headaches. The

associated rewiring process is

especially cumbersome.

Whether a data center hosts a single

company, or operates as a colocation

center, it is common for personnel

from one or more organizations to be

in the server room at the same time,

accessing or servicing their own

equipment. Both cages and server

cabinets are frequently left unlocked

and open while various people are

working in the server room.

With such relaxed security practices

in place, who is to say that everyone

in the server room is actually

authorized to be there? Essentially,

servers are vulnerable to anyone

walking through the room. Keys can

be stolen or replicated. Lock

combinations can be compromised.

The potential for data theft,

sabotage, or accidental damage to

hardware is monumental.

WHERE CURRENT SECURITY MEASURES FALL SHORT

With the mounting threat of data

theft, data centers are challenged to

provide physical security systems that

comply with both their clients’ and

the regulatory authorities’

requirements. They have an

obligation to safeguard every bit of

sensitive and confidential data they

store for medical, educational, and

financial industries, to name a few.

Privacy rules and regulations include

PCI DSS, FISMA, SOX, and HIPAA,

among others.

Take for example, The Federal Public

Key Infrastructure (PKI) Policy

Authority’s recent policy update. The

agency now requires that certified

data centers provide a multi-party

control environment. Essentially, the

data center’s physical security system

must operate so that a second

authorized credential must be

presented at the reader to authorize

the action of the first card.

In fact, PKI cyber security experts

often advise customers on the

importance of ensuring multi-party

control to PKI servers and

cryptographic keys. “One of the areas

that often takes a lot of customization

to implement is managing access to

data center racks,” says Mark B.

Cooper, President & Founder of PKI

Solutions. “Data center security

should include a physical security

system at the rack level that makes it

easy to define rules which require

two or more authorized people to

allow access to the rack contents.”

Other looming industry and

governmental regulations will require

data centers to show they can protect

and monitor access to confidential

data, as well as demonstrate they will

be alerted in real time when a breach

occurs. Because risk at the cabinet

level is under increasing scrutiny by

regulatory bodies, data centers also

will be required to provide a data

trail that shows who was accessing

servers, when, where, and for how

long.

If data centers don’t comply with data

protection laws, they face stiff fines

and penalties. While noncompliance,

alone, is costly, consider the cost of a

data breach. Data centers (and their

clients) may face legal fees and a

tarnished reputation, as well as loss

of customer confidence, and loss of

current and potential business.

DATA CENTERS SCURRY TO MEET PRIVACY AND COMPLIANCE DEMANDS

AT THE RACK LEVEL