Free educational articles for physical security professionals.
Data centers are essential to modern digital business. While we often don’t think about their existence regularly, their importance becomes evident when one of them suffers an outage. Mission-critical apps and websites depend on data centers, and downtime can have a massive impact on customers, business revenues, and reputation.
Cybersecurity and disaster recovery typically come to mind in discussions about data center uptime. However, physical security is as critical. IBM Security’s 2024 ‘Cost of Data Breach’ report indicated nearly 1 in 10 data breaches are due to physical security compromise. There have been documented instances of armed robberies worth millions of dollars from data centers and fires destroying data center facilities, causing several hours of downtime and affecting hundreds of thousands of users. These examples demonstrate that, data center physical security is essential to reducing business risk and maintaining system uptime.
This article will explore data center physical security in detail, including data center infrastructure, threats to physical security, critical aspects of data center physical security, and best practices.
The table below summarizes four key data center physical security concepts this article will explore in detail.
Concept | Description |
---|---|
Data center infrastructure | A data center is a collection of computing and storage equipment and a sophisticated system consisting of electrical, HVAC, fire protection, security, and communication systems. |
Data center physical security threat examples | From fire to robberies, several actual incidents highlight the impact of lapses in data center physical security. |
Essential aspects of data center physical security | Location identification, perimeter security, access controls, visitor management, equipment disposal, and environmental protection are crucial aspects of the data center’s physical security. |
Best practices for data center physical security | Adhering to compliance, maintaining a well-trained staff, and having adequate redundancies ensure robust data center physical security. |
By definition, a data center is a collection of servers, storage systems, and networking equipment. A typical data center server would reside on raised floors to route power distribution units and chilled air ducts underneath. Servers and networking infrastructure can produce significant heat, and cooling is vital for reliable operations. The servers are typically arranged in racks or cabinets and these are surrounded by a metal mesh known as the cage. This cage is often the last line of defense between the server equipment and an unauthorized hacker in its vicinity. Typically, the ceiling area is composed of fiber optic cables and fire prevention systems.
A modern data center is designed for scalability, reliability, efficiency, and high availability and has a complex architecture optimized for performance and adaptability. In addition to servers and networking equipment, data centers include electrical, HVAC, security, fire protection, and communication systems.
Depending on the availability requirements and application, data centers are categorized into four tiers, as shown in the image below:
Description of the four data center tiers. (Source)
A data center’s redundancy configuration can range from none to 2N+1 redundancy. The redundancy nomenclature is expressed below:
The higher the uptime requirements for a data center, the more critical physical security is to meet those requirements. Even less than an hour of downtime caused by a small fire or power fluctuation can cause a breach of service level agreements (SLAs).
From harsh weather to hackers to malicious insiders, the list of threats to a data center is long. And there are real-life incidents that showcase the criticality of these threats.
In March 2011, hundreds of thousands of Vodafone customers in the United Kingdom lost service after thieves broke into their exchange center at Basingstoke and stole switch equipment. While not exactly a data center, an exchange center is a physical infrastructure through which Internet Service Providers (ISPs), content delivery networks (CDNs), and other networks interconnect to exchange Internet traffic.
On December 6, 2007, intruders dressed as police officers broke into Verizon’s London data center and stole equipment worth more than $4 million. Another armed robbery was reported in 2005 in Chicago’s colocation center operated by CI Host, and equipment worth $15,000 was stolen.
On March 10, 2021, a fire completely destroyed one of OVHCloud’s data centers in France and partially destroyed another. Another fire at the AT&T data center in Texas in October 2018 led to 12 hours of downtime. On October 15, 2021, a fire at the SK C&C data center in Pangyo, South Korea, impacted two tech companies, Kakao Corporation and Naver Corporation. Naver swiftly restored its servers, but Kakao experienced extended outages, causing disruptions to its messaging services, payment apps, and rideshare platforms for several hours.
The above are just a few examples highlighting the damage that lapses in the data center’s physical security can cause. The impact can create millions of dollars in loss and damages.
The sections below explain the six essential aspects of modern data center physical security.
The data center’s location is vital to the physical security of the data center infrastructure. The following geographical factors should be considered when selecting the right site for the data center:
Perimeter is the first line of defense at the site. It typically involves the following components:
All systems eventually reach their end-of-life, and they need to be disposed of according to proper procedure. The data should be erased in all memory devices that support it. Memory devices that don’t should be destroyed by shredding, pulverization, incineration, or any other means that make data extraction from the device impossible. The media sanitization process should be compliant with NIST-800-88.
The facility should be equipped with automatic fire detection, alarm, and suppression systems. The facility should have an efficient drainage system to avoid the risk of flooding. HVAC system maintenance should be carried out periodically because overheating is a significant risk in data centers. A comprehensive incident response plan should be created, and an emergency response team should be identified and trained to deal with environmental incidents.
Typically, the specifics of physical security will be driven by the details of a site, risk appetite, available resources, and compliance requirements. However, there are foundational best practices that most organizations can follow. The sections below detail four essential data center physical security best practices that can help guide specific implementations.
Here’s the list of common compliance standards for data centers, especially those operating in the USA:
Additionally, several other standards may apply to your data center, depending on the geography within which it operates or the region whose data is processed. These may include E.U.’s General Data Protection Regulation (GDPR), Australia’s Infosec Registered Assessor’s Program (IRAP), Singapore’s Multi-Tier Cloud Security (MTCS), India’s Digital Personal Data Protection Act (DPDPA), etc. You can get a substantially comprehensive list of standards applicable to data centers by looking at the standards that Microsoft Azure complies with.
It is essential to identify the standards applicable to your data center and comply with those standards. The standards are updated periodically, and it helps to keep yourself up-to-date with the latest requirements. Most of the standards also specify the frequency and SOP of regular audits. Organizations should perform regular audits to avoid disruptions in their data center operations.
The personnel securing the data center should be periodically trained to know the latest regulations and the upgraded security equipment being used. Mock drills should be conducted from time to time to ensure the readiness of the personnel. Ideally, there should also be a separation of concerns: the security personnel should not be able to sign in to the data center systems. Otherwise, there is a risk of insider threats.
Depending on the data center’s tier, sufficient redundancy should be provided for utilities like electricity, HVAC equipment, and water. These redundancies should be distributed to avoid common-mode failure. Redundancies ensure high system availability, which is essential for data centers.
Depending on the data center’s location, if there is even a slight risk of earthquakes, then the design of the data center can be made earthquake-resistant. This could include usage of newer seismic racks, and selection of earthquake-resistant construction materials.
Within the facility, temperature and humidity control should be monitored regularly and any deviations from the acceptable range should be immediately escalated.
The physical hardware’s integrity should also be monitored from time to time. There should be tamper detection protocols in place to identify any meddling with the hardware, and the affected hardware should be immediately replaced.
Access to the facility and all sections within the facility should be strictly controlled using access cards and biometrics.
The following characteristics are essential when it comes to physical access controls:
The data center has visitors from time to time. The purpose of their visit can range from maintenance to audit. Managing visitors’ access to the data center forms an essential aspect of its physical security.
Key visitor management concepts to consider:
Physical security is important for protecting data center information and ensuring seamless operation. Lapses in physical security can lead to damages ranging from a few hours of downtime to millions of lost dollars. Physical security consists of several aspects, from identifying the data center’s location to perimeter security, access management, visitor management, standard equipment disposal procedures, and environmental controls. Complying with applicable standards, keeping the staff well-trained and ready for emergency response, and ensuring adequate redundancy can keep the physical security of your data center in good health.