WWW.7X24EXCHANGE.ORG
Most data centers use a combination
of surveillance, personnel (security
guards), and identification and
access control technologies to
control physical access to perimeters
and facilities.
When it comes to internal security,
such as that within the server room,
one of the more traditional
components of a security system is
the cage that contains server racks.
Intended to deter theft, cages can be
visually intimidating. In the evolving
world of data security, however, this
old-school look is no longer an
advantage. Customers today include
multi-billion dollar companies, where
appearance can make or break a
deal. They expect data centers to
combine sophisticated aesthetics
with modern technology.
In terms of securing the cabinets
within a room, one available option is
end-of-row placement, where one
reader or access control device is
located at the end of a row of
cabinets. In order to gain access to
any cabinet in the row for which the
user is authorized, s/he must use the
reader at the end of the row. For each
cabinet, the user must walk back to
the end of the row and present
required credentials again in order to
unlock the specified cabinet. End-of-row
access control is not as
convenient as systems that house
control devices at each cabinet.
Another disadvantage of end-of-row
systems is their inability to provide
auditing at the rack level.
Furthermore, installation is difficult
and labor intensive. Therefore,
moving end-of-row systems to
change the layout of a room or floor
can cause major headaches. The
associated rewiring process is
especially cumbersome.
Whether a data center hosts a single
company, or operates as a colocation
center, it is common for personnel
from one or more organizations to be
in the server room at the same time,
accessing or servicing their own
equipment. Both cages and server
cabinets are frequently left unlocked
and open while various people are
working in the server room.
With such relaxed security practices
in place, who is to say that everyone
in the server room is actually
authorized to be there? Essentially,
servers are vulnerable to anyone
walking through the room. Keys can
be stolen or replicated. Lock
combinations can be compromised.
The potential for data theft,
sabotage, or accidental damage to
hardware is monumental.
WHERE CURRENT SECURITY MEASURES FALL SHORT
With the mounting threat of data
theft, data centers are challenged to
provide physical security systems that
comply with both their clients’ and
the regulatory authorities’
requirements. They have an
obligation to safeguard every bit of
sensitive and confidential data they
store for medical, educational, and
financial industries, to name a few.
Privacy rules and regulations include
PCI DSS, FISMA, SOX, and HIPAA,
among others.
Take, for example, the Federal Public
Key Infrastructure (PKI) Policy
Authority’s recent policy update. The
agency now requires that certified
data centers provide a multi-party
control environment. Essentially, the
data center’s physical security system
must require that a second
authorized credential be
presented at the reader to authorize
the action of the first card.
In fact, PKI cyber security experts
often advise customers on the
importance of ensuring multi-party
control to PKI servers and
cryptographic keys. “One of the areas
that often takes a lot of customization
to implement is managing access to
data center racks,” says Mark B.
Cooper, President & Founder of PKI
Solutions. “Data center security
should include a physical security
system at the rack level that makes it
easy to define rules which require
two or more authorized people to
allow access to the rack contents.”
Other looming industry and
governmental regulations will require
data centers to show they can protect
and monitor access to confidential
data, as well as demonstrate they will
be alerted in real time when a breach
occurs. Because risk at the cabinet
level is under increasing scrutiny by
regulatory bodies, data centers also
will be required to provide a data
trail that shows who was accessing
servers, when, where, and for how
long.
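
One way to model the two-credential rule and the rack-level data trail described above, as an added example that is not from the article or from any vendor's product. The rack ID, badge names, 30-second confirmation window, event names and integer-second timestamps are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class RackLock:
    rack_id: str
    authorized: set                 # badge IDs allowed to open this rack
    window_s: int = 30              # assumed gap allowed between the two badges
    audit: list = field(default_factory=list)
    pending: tuple = None           # (badge, ts) of the first credential
    opened: tuple = None            # (requester, approver, ts) while unlocked

    def log(self, ts, event, **detail):
        self.audit.append({"ts": ts, "rack": self.rack_id, "event": event, **detail})

    def present(self, badge, ts):
        """Return True only when a second, different authorized badge confirms."""
        if badge not in self.authorized:
            self.log(ts, "denied", badge=badge, reason="not authorized for rack")
            return False
        if self.pending and ts - self.pending[1] > self.window_s:
            self.log(ts, "request_expired", badge=self.pending[0])
            self.pending = None
        if self.pending is None:
            self.pending = (badge, ts)
            self.log(ts, "first_credential", badge=badge)
            return False
        if badge == self.pending[0]:
            self.log(ts, "denied", badge=badge, reason="same credential twice")
            return False
        self.opened = (self.pending[0], badge, ts)
        self.pending = None
        self.log(ts, "unlocked", requester=self.opened[0], approver=badge)
        return True

    def close(self, ts):
        """Relock and record how long the rack was open; returns seconds."""
        if self.opened is None:
            return None
        requester, approver, since = self.opened
        self.opened = None
        self.log(ts, "locked", requester=requester, approver=approver,
                 duration_s=ts - since)
        return ts - since

if __name__ == "__main__":
    lock = RackLock("R12", {"alice", "bob"})   # constructed sample data
    for badge, ts in [("alice", 0), ("mallory", 4), ("bob", 10)]:
        lock.present(badge, ts)
    lock.close(310)
    for entry in lock.audit:
        print(entry)
```

The resulting audit list answers who, when, where (rack ID) and for how long, and it also records denied and expired attempts.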
If data centers don’t comply with data
protection laws, they face stiff fines
and penalties. While noncompliance,
alone, is costly, consider the cost of a
data breach. Data centers (and their
clients) may face legal fees and a
tarnished reputation, as well as loss
of customer confidence, and loss of
current and potential business.
DATA CENTERS SCURRY TO MEET PRIVACY AND COMPLIANCE DEMANDS AT THE RACK LEVEL