Keeping data centres secure
solutions for G4S Secure Integration, talks about the new measures needed to secure the vital data essential for businesses and consumers around the world
In North America, home to the majority of the world’s technology giants, data centres have been a growing market for G4S. We have created a Secure Integration Centre of Excellence for Technology on the west coast of the United States, which specialises in the corporate technology market, including security systems for our clients’ data centres.
We adopt a risk-based approach for data centres, starting with a thorough assessment that first looks at what resources the client wants to protect and what risks they are protecting it from. Understanding the link between resources and risks allows us to develop a solution that helps prevent the risk, or assist in containing and recovering from the risk if it was to occur.
G4S has developed a portfolio of resolutions to assist our clients with managing these risks, from the traditional ‘analogue’ tools of barriers, fencing, signage and security officers, to cutting-edge technology around video analytics, access control, visitor and identity management, and robotics.
Different combinations of solutions come into play for each facility, whether that is one a client uses to store their own data, or a site run by a co-location firm that hosts data for third parties – we never look for an off-the-shelf solution. We leverage best practice from our work at other data centres, but treat each site as an individual entity, because each has its own characteristics.
Layers of security
Securing a data centre often starts with something as basic as signage, to point out that a site is protected. Cameras help to reinforce the message, and ones equipped with video analytics can detect when a person moves into an area of interest. If it’s, for example, a maintenance contractor, then it won’t cause any concern, but if it’s someone that's not approved then an alert is raised. We can then do a ‘voice-down’ message via a speaker to tell the person the facility is monitored around the clock. These messages can be customised to suit the client’s wishes. Essentially, we're trying to dissuade people from attempting to do any harm in the first place.
Inside the centre itself, things can quickly get far more sophisticated. When you walk into a lobby you are greeted by security personnel that are highly trained to work within the data centre industry. He or she can be using a visitor management system, which enables our clients to track who is coming to visit the centre and when. Whether the visitor is pre-registered or being enrolled once they arrive, the software can reference an internal watch list, which will raise a red flag if a person of interest is visiting the centre. This system also has the ability to integrate with third party systems to quickly validate the identification card the visitor is presenting.
Once in the lobby, gaining access to the rest of the facility is restricted with a physical access control system. These systems are quickly moving beyond just issuing an access card to an employee – identity and access management will be the key in the future. Making sure employees have the proper access will help to mitigate risks, and having a system to automate the process of on-boarding and off-boarding employees, while providing auditing capabilities, will help our data centre clients meet some of today's rigorous compliance standards. Simply having an access card is no longer good enough. These days we combine a traditional card with other credentials, such as biometric identifiers, which could be a fingerprint, a face or a retinal scan, or a gait analysis scan, which identifies individuals from the way they walk.
Often it makes sense to take a layered approach, so a person can get into a centre with just a card, but as they move further into the facility they are required to provide more multi-factor authentication.
These solutions enable us to control who is allowed into a data centre and, within that, who can enter specific rooms or cages, or who has access to particular server racks and at what times. Our access control system can set certain rules, so a person can't enter a particular area without the required authorisation, proper training, proper documentation such as a non-disclosure agreement (NDA), or can only do so with another approved person to escort them. Although, G4S does not provide cybersecurity services to protect the servers themselves from cyber attacks, we do advise clients on the best partners to work with for such tasks and work this into our overall solution.
We are also seeing growing opportunities to take advantage of the ease of connecting devices to the web – the ‘internet of things’ – which provides another level of protection. We can install cost-effective sensors to monitor power supplies or environmental data, such as temperature and humidity. These can be used alongside traditional data centre information management systems (DCIM), whether as a redundancy option or in parallel to them.
One of the most exciting areas is robotics, and we’re starting to pilot the use of robotics in North America to provide additional levels of security. We’re using autonomous robots to patrol a data centre’s lobby and greet people in a welcoming manner, enabling them to check themselves into the facility via a screen on the robot. Once checked in, the host is automatically notified that their visitor has arrived.
The autonomous robot can also patrol a data centre floor and look for anomalies. If it finds anything out of the ordinary, such as a door left open, it will stop and send an alert back to the security team so they can check it out. If needed, the robot can stay at the door and provide video coverage so we can track what's going on. It is equipped with around 60 sensors, so it can also monitor environmental factors, such as abnormal temperatures or humidity levels, and, if necessary, issue an alert. The robot is also equipped with a two-way audio and video interactive display that allows virtual access to the security team.
The right mix
What’s most important is to ensure there is the right mix of resolutions for the client. Our risk management approach means we can clearly identify for the client where our technology will be a good fit and where security personnel will be a good fit. Of course, the landscape of risk is constantly shifting, so we also carry out regular reviews to make sure the solution we have in place is the right one.
Businesses are increasingly building their online services based on cloud computing systems, so data centres are becoming more and more important. That is going to mean there is an ever-greater requirement to protect data centres in the future, but doing so will always require a mix of security personnel, technology, and policies and procedures.
Joe Young is the Senior Director of Cloud and Enterprise Solutions for G4S, overseeing technology and innovation for the G4S Secure Integration Managed Services division.