The coronavirus pandemic that swept around the world in 2020 has changed the way that we live and work in a fundamental manner. It has also changed our view about the digital infrastructure backbone that supports both our ability to continue working remotely as well as the growing influence that digital media has on our home lives.
Data centre operators support the entire global digital economy in a myriad of ways, and this was recognised early in the pandemic. The UK and California both added telecommunications and digital infrastructure to their plans, exempting them from COVID 19 restrictions. In March, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) announced that functioning critical infrastructure was imperative during the response to the COVID-19 emergency for both public health and safety as well as community well-being.
Jeremy Terry, CEO, Meesons explains that awareness in the importance of data centres and digital infrastructure is growing, and that recognition has been accelerated by the pandemic. “Cybersecurity often grabs the headlines with damaging high-profile attacks,” he says. “Physical security cannot be overlooked as a breach could be equally damaging, if not more widespread, with multiple organisations being affected. With many more data centres implementing a multi-layered approach to increase the delay and defence in depth, they are breaking this down into an increasing number of layers.”
Like all high-risk sites, data centres are a growing focus for criminals and terrorists and are becoming more vulnerable with more sophisticated attacks and tools available. Criminals are prepared to go further in their attempts to access sites. As data centres play a bigger part in our critical infrastructure the threat will increase from burglars, criminals, terrorists, activists, or protestors.
When IT executives talk about security, it often revolves around defence against cyberattacks using clever technology. However, cybersecurity is just part of the equation; physical security – keeping the bad guys from physically accessing servers – is also essential. Within the data centre community there is a layered approach to physical security with operators adopting a six, seven or even eight-layer strategy that allows their customers to tailor solutions within data centres for enhanced levels as required. These layers include elements such as perimeter, clear zones, building entry, service corridors, data halls and data cabinet security.
Entry should be managed with strict procedures to monitor and control visitor access both into and within the data centre. Not only is the physical security stopping criminals getting in, but it is also there to delay their chances of success.
Comfort in standards
Colocation providers are seeking new ways to strengthen and protect their infrastructure to differentiate themselves and promote how secure their data centre is. To achieve this standard many data centres look to standards and regulations such as ISO 27001, which references physical security, along with documents such as the CESG’s guidance for security of telecoms and information infrastructure and referenced in the Security Procedures Telecommunications Systems and Services Document.
An important security standard is the Loss Prevention Standard LPS1175 that covers the ‘Requirements and Testing Procedures for the LPCB Approval and Listing of Intruder Resistant Building Components, Strongpoints, Security Enclosures and Free-Standing Barriers’. Products tested and approved to this standard are widely recognised by government agencies, local authorities, banks, insurance companies and many other large organisations as being an effective means of protecting people and assets; thus, reducing the risks of loss to crime or terrorism. A rigorous technical evaluation and audit process is carried out using different attack times and tools, depending on their designated security rating. This aligns with the CESG guidance that says that normal entry doorsets accessing critical areas should be certified to LPS1175: Issue 7, security rating 3 (now Issue 8).
“It is in the interests of some data centres to promote that they meet the high levels of physical security demanded to cater for government customers,” Terry adds. “Over the years we have seen clients requesting bullet resistant and attack resistant glazing. We are seeing several clients who do recognise the importance of standards such as LPS1175 and who are asking for third party approved security. When you study operators’ websites there are a few that highlight they meet the high levels of physical security required to cater for government customers and other high security customers. Otherwise, operators only reference they have anti-tailgating portals or mantraps, there are limited details of standards like LPS1175 despite their relevance.”
Trouble with tailgating
When talking about physical security, people naturally think of forced attack, but there are other concerns. “Traceability of personnel and tailgating are a threat,” Terry continues. “Whilst data centres are vulnerable to forced entry, criminals will focus on the weakest part of the building, if tailgating detection is not present, this is a weak point.”
A tailgating event occurs when an unauthorised person follows a verified user through a controlled door into a building or area. Tailgaters may be doing so maliciously to bypass security measures or innocently, for example, by letting somebody else in. “Tailgating detection reduces the need for manned guarding and can support manned guarding with alerts,” Terry concludes. “It also enables facilities to operate 24/7. Tailgating detection can be present at the perimeter, the façade or building entrance and the data hall.
“Full traceability is also important to know who has accessed the site or data hall. Anti-tailgating detection and traceability can prevent items being removed from the data hall.
“Even though it is accepted within the industry that security is important it must be given a higher priority. If the digital infrastructure that we rely so much in our daily lives is to be protected effectively then physical security needs to be an integral part of the process right from its earliest design stage. The cost of treating security as an afterthought could be highly damaging on both a financial and operation level.”[/et_pb_blurb][/et_pb_column][/et_pb_row][/et_pb_section]