The 'six degrees of separation' needed to protect Data Centres
Written as an exclusive for the Data Centre Alliance Winter 2022 magazine.
When buying or building a house, making sure that physical security arrangements are the best that they can be is something many of us look for.
From front gates to deter burglars, to locking doors and windows, to testing smoke and carbon monoxide alarms, we take all of these steps to ensure that our property and contents are safe. Doing the same for Data Centres shouldn’t be any different.
When I am asked to provide a risk assessment for Data Centre customers, one of the first things I talk about is ‘The Six Degrees of Separation’ idea. It boils down to an integrated, six-layered approach to protecting the facility and its data.
This approach combines operational expertise, technology-enabled security and life safety system capabilities, alongside guarding, monitoring and response services. We couple this with effective cybersecurity, to manage risks and threats.
Layer One: Perimeter Intruder Detection
The perimeter or fence line is usually the first line of defence against an external attack, so the primary goal is to achieve the three D’s of security: Deter, Detect and Delay.
A good security system should offer high deterrence and increase the time and effort required to breach it.
Linking perimeter security systems with video monitoring, intruder detection or access control means alarms can be immediately validated and a response instigated before a situation escalates. In addition, unusual motion or activity can be identified for investigation before a breach to ensure a proactive approach is taken.
The exact type of security employed by a Data Centre will also depend upon the nature, size and location, and in particular, any physical constraints that need to be considered. Some of these solutions might include:
- Physical security - such as heavy-duty fencing or anti-ram barriers.
- Mobile security - foot or vehicle patrols providing random or scheduled inspections and/or incident response.
- Perimeter surveillance - which can extend beyond the fence line to the local area or airspace, using drone detection or satellite solutions.
- ANPR access controls - these monitor vehicle access, including the ability to admit only pre-approved vehicles, using automatic number plate recognition (ANPR).
- Intruder protection - triggering preventative actions, such as lighting, loudspeaker messages, or alarm sirens.
- Canine security - for particularly high-security sites, an officer and canine can provide a visual deterrent.
Layer Two: Clear Space and Receptions
The second layer is the clear space between the perimeter and the building entrance. It enhances the opportunity to delay access should a breach occur at the perimeter.
It can include car parks, external storage yards and fallow areas.
At this stage a Data Centre would use a Visitor Management System (VMS) to protect their facilities, people and assets, as well as enhance the visitor experience. Features might include:
- Pre-visit information and registration;
- Check-in and check-out facilities, including issuing passes and photo capture;
- Visitor screening (watchlists and blocklists);
- Statement of Work approvals, including rights-of-access approvals;
- Data recording and monitoring of visitor activity.
Layer Three: Common & circulation areas and introduction to the Security Operations Centre (SOC)
Located after the reception/visitors area, but before the plant and computer rooms, are the common and circulatory areas.
This layer aims to further qualify access through multiple forms of verification and monitoring. Different security products and processes can be used, including:
- Access controls via a card or ID token with a PIN. To enhance security, they may include biometric details such as fingerprint and iris scanning or facial and voice recognition.
- Video surveillance to follow individuals throughout their journey.
The SOC is the heart of a Data Centre for physical security. It is the Command and Control for all security technologies and management of the officers deployed at the facility.
The SOC may include cyber security teams who monitor, detect, analyse and respond to cybersecurity incidents. They aim to identify and thwart cyber threats as quickly as possible, respond, and plan so that similar incidents do not recur.
Layer Four: Plant Room Security
This layer gives access to the Network Critical Physical Infrastructure - often called the grey space. It usually houses the plant, equipment rooms, generators and Uninterruptible Power Supply (UPS) that support the critical power, cooling and network equipment.
Data Centres consume considerable amounts of electricity, some equivalent to a small village from just one building. One computer rack often consumes more power than a domestic oven. It is therefore vital to detect and extinguish fires in the vicinity of high-powered electrical and electronic equipment, taking account of the potential for extensive damage and serious business interruption.
Equipment must be kept within a safe operating temperature range. To achieve this, large airflows are required to supply cold air to cool equipment and to exhaust hot waste heat.
Further specialist gas detection systems may also be required around Battery systems, with Li-Ion off-gas detection currently top of mind in new installations.
As well as standard smoke detectors, Very Early Smoke Detection Apparatus (VESDA) or High Sensitivity Smoke Detection (HSSD), in the form of Aspirating Smoke Detectors (ASD) that sample air in and around the equipment, are installed. These give an advanced alarm for a potential event, and also provide a secondary verification before any extinguishing agent is released.
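The "secondary verification prior to release" idea can be expressed as a coincidence rule: the early-warning aspirating detector on its own only raises an alarm for investigation, and extinguishant is released only when its highest level coincides with an independent point detector in alarm. The following is an added example, not code from the article or from any VESDA or G4S product; the detector names, alarm levels and event sequence are constructed for illustration.

```python
"""Two-stage fire verification before suppression release (added example).

Assumed rule: an aspirating smoke detector (ASD) reports 'alert' or 'fire';
release happens only when the ASD is at 'fire' AND at least one independent
point detector is also in alarm. Any single source in alarm yields 'alarm'
(investigate, no release). Detector IDs and levels are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

ASD_ALERT = "alert"   # early warning from air sampling
ASD_FIRE = "fire"     # highest ASD level (assumed naming)


@dataclass
class ReleaseController:
    asd_level: Optional[str] = None               # latest ASD level, None = clear
    confirmed_by: Set[str] = field(default_factory=set)  # point detectors in alarm
    released: bool = False                        # release is latched once fired
    log: List[str] = field(default_factory=list)  # audit trail of events/decisions

    def on_asd(self, level: Optional[str]) -> str:
        """Update the ASD level (None clears it) and re-evaluate."""
        self.asd_level = level
        self.log.append(f"ASD {level or 'clear'}")
        return self._evaluate()

    def on_point_detector(self, detector_id: str, in_alarm: bool) -> str:
        """Update one conventional point detector and re-evaluate."""
        if in_alarm:
            self.confirmed_by.add(detector_id)
        else:
            self.confirmed_by.discard(detector_id)
        self.log.append(f"{detector_id} {'alarm' if in_alarm else 'clear'}")
        return self._evaluate()

    def _evaluate(self) -> str:
        """Return 'normal', 'alarm' or 'released' under the coincidence rule."""
        if self.released:
            return "released"
        if self.asd_level == ASD_FIRE and self.confirmed_by:
            self.released = True
            self.log.append("RELEASE extinguishant (ASD fire + point detector)")
            return "released"
        if self.asd_level in (ASD_ALERT, ASD_FIRE) or self.confirmed_by:
            return "alarm"   # single-source alarm: investigate, do not release
        return "normal"


def replay(events) -> List[str]:
    """Feed a constructed event list [('asd', level) | ('point', id, bool)]
    through a fresh controller and return the state after each event."""
    ctrl = ReleaseController()
    states = []
    for ev in events:
        if ev[0] == "asd":
            states.append(ctrl.on_asd(ev[1]))
        else:
            states.append(ctrl.on_point_detector(ev[1], ev[2]))
    return states


# Constructed sequence: early ASD warning, then ASD 'fire' with no second
# source (still only an alarm), then a point detector confirms -> release.
SAMPLE_EVENTS = [
    ("asd", ASD_ALERT),
    ("asd", ASD_FIRE),
    ("point", "SD-02", True),
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))   # ['alarm', 'alarm', 'released']
```

The release is latched so that a detector clearing afterwards cannot "un-release" the decision; the point is that the irreversible action needs two independent signals, while a single signal still produces an alarm the SOC must investigate.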
The security solutions in this layer follow through to the Data Centre floor in Layer five.
Layer Five: The Data Centre Floor
Controlled strictly for technicians and engineers on a “need-only” basis, the Data Centre Floor - or ‘White Space’ - is the most critical layer.
Security for the ‘White Space’ is the same as Layers Three and Four, but I advise customers that a strong mix of policies and procedures is needed to ensure that security systems are adhered to and alerts are raised with the SOC.
For lone workers, monitoring is especially important, both to ensure procedures are followed and for their health and safety, particularly “out-of-hours”. Security systems can monitor them in real time and raise alerts when certain parameters are not met.
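One concrete form of "alerts when certain parameters are not met" is a lone-worker check-in rule: the worker must check in with the SOC at a fixed interval while on the floor, and must leave before the permitted window ends. The following is an added example, not the article's or G4S's monitoring system; the interval, permitted window and event timeline are constructed assumptions.

```python
"""Lone-worker check-in monitoring (added example, constructed data).

Assumed parameters: a lone worker on the Data Centre floor checks in with
the SOC at least every CHECK_IN_INTERVAL while inside, may only enter during
the permitted window, and must have exited by the end of that window.
"""
from datetime import datetime, timedelta
from typing import List, Tuple

CHECK_IN_INTERVAL = timedelta(minutes=30)   # assumed policy value


def monitor(events: List[Tuple[datetime, str]],
            permit_start: datetime, permit_end: datetime,
            now: datetime) -> List[str]:
    """Evaluate access events ('enter' | 'checkin' | 'exit') up to `now`.
    Returns the alerts a SOC operator should see, in time order."""
    alerts = []
    last_seen = None
    inside = False
    for ts, action in sorted(events):
        if action == "enter":
            inside, last_seen = True, ts
            if not (permit_start <= ts <= permit_end):
                alerts.append(f"{ts:%H:%M} entry outside permitted window")
        elif action == "checkin":
            if inside and ts - last_seen > CHECK_IN_INTERVAL:
                late = int((ts - last_seen).total_seconds() // 60)
                alerts.append(f"{ts:%H:%M} late check-in ({late} min since last contact)")
            last_seen = ts
        elif action == "exit":
            inside, last_seen = False, ts
    # Still inside at evaluation time: check the interval and the window.
    if inside:
        if now - last_seen > CHECK_IN_INTERVAL:
            alerts.append(f"{now:%H:%M} missed check-in, last contact {last_seen:%H:%M}")
        if now > permit_end:
            alerts.append(f"{now:%H:%M} overstay past permitted window end {permit_end:%H:%M}")
    return alerts


# Constructed out-of-hours permit: 22:00 to 02:00 the next morning.
PERMIT_START = datetime(2022, 12, 1, 22, 0)
PERMIT_END = datetime(2022, 12, 2, 2, 0)
SAMPLE_EVENTS = [
    (datetime(2022, 12, 1, 22, 5), "enter"),
    (datetime(2022, 12, 1, 22, 30), "checkin"),   # 25 min: on time
    (datetime(2022, 12, 1, 23, 15), "checkin"),   # 45 min: late
    # no further contact and no exit
]


def demo() -> List[str]:
    """Run the constructed timeline as seen by the SOC at 02:10."""
    return monitor(SAMPLE_EVENTS, PERMIT_START, PERMIT_END,
                   now=datetime(2022, 12, 2, 2, 10))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Evaluating against `now` rather than only against the recorded events is what makes the silence itself an alert: a worker who simply stops checking in generates no event, so the monitor must be run on a timer, not just on arrival of new data.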
Layer Six: The IT Rack
At its heart, and the final layer, is the protection of the IT racks and cabinets.
This is a very sensitive area: it may hold personal data and is therefore vulnerable to insider attacks and espionage.
Racks and cabinets should be anonymised to prevent those with malicious intent from identifying specific data, and controls must be in place to ensure they are always locked and regularly inspected to spot attempted intrusion or damage.
Like the previous Layers, this must include sophisticated access control and video monitoring, as well as adherence to policies and procedures - which should be accompanied by an approved Statement of Works or Method Statement detailing the work to be carried out, with any deviation resulting in access being denied.
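Layers Two, Three and Six together describe one access decision that gets stricter the deeper a person goes: watchlist screening at reception, card plus PIN plus biometric at the inner doors, and rack access only under an approved Statement of Works naming that rack and time window, with any deviation denied. The following is an added example modelling that chain as code; it is not the article's, G4S's or any vendor's product. The zone factor table, the anonymised rack labels, the visitor and SoW records and the audit format are constructed assumptions.

```python
"""Layered physical access decision: reception -> doors -> rack (added example).

Assumptions: zones require the factors listed in ZONE_FACTORS; a rack may be
opened only under an approved SoW issued to that person, covering that rack
label (labels are anonymised, e.g. 'R-07') and the current time. Every
decision is written to an audit list for the SOC. All records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Iterable, List, Tuple

@dataclass(frozen=True)
class Sow:
    sow_id: str
    person: str
    racks: FrozenSet[str]   # anonymised rack labels in scope
    start: datetime
    end: datetime
    approved: bool

@dataclass(frozen=True)
class Visitor:
    name: str
    pre_registered: bool
    card_ok: bool
    pin_ok: bool
    biometric_ok: bool

# Assumed per-zone requirements; deeper zones demand more factors.
ZONE_FACTORS = {
    "circulation": ("card", "pin"),
    "white_space": ("card", "pin", "biometric"),
}

class AccessController:
    def __init__(self, blocklist: Iterable[str], sows: Iterable[Sow]):
        self.blocklist = set(blocklist)
        self.sows = {s.sow_id: s for s in sows}
        self.audit: List[Tuple[str, ...]] = []

    def _deny(self, who: str, where: str, reason: str) -> bool:
        self.audit.append(("DENY", who, where, reason))
        return False

    def _allow(self, who: str, where: str) -> bool:
        self.audit.append(("ALLOW", who, where, ""))
        return True

    def reception(self, v: Visitor) -> bool:
        """Layer Two: VMS screening against the blocklist and pre-registration."""
        if v.name in self.blocklist:
            return self._deny(v.name, "reception", "on watchlist/blocklist")
        if not v.pre_registered:
            return self._deny(v.name, "reception", "not pre-registered")
        return self._allow(v.name, "reception")

    def door(self, v: Visitor, zone: str) -> bool:
        """Layer Three: every factor the zone requires must succeed."""
        factors = {"card": v.card_ok, "pin": v.pin_ok, "biometric": v.biometric_ok}
        missing = [f for f in ZONE_FACTORS[zone] if not factors[f]]
        if missing:
            return self._deny(v.name, zone, "failed " + ",".join(missing))
        return self._allow(v.name, zone)

    def rack(self, v: Visitor, rack_label: str, sow_id: str, at: datetime) -> bool:
        """Layer Six: rack opens only within an approved, matching SoW."""
        sow = self.sows.get(sow_id)
        if sow is None or not sow.approved:
            return self._deny(v.name, rack_label, "no approved SoW")
        if sow.person != v.name:
            return self._deny(v.name, rack_label, "SoW issued to a different person")
        if rack_label not in sow.racks:
            return self._deny(v.name, rack_label, "rack not in SoW scope")
        if not (sow.start <= at <= sow.end):
            return self._deny(v.name, rack_label, "outside SoW time window")
        return self._allow(v.name, rack_label)


def demo():
    """Run constructed visitors through the chain; returns (results, audit)."""
    sow = Sow("SOW-0042", "A. Engineer", frozenset({"R-07", "R-08"}),
              datetime(2022, 12, 1, 9, 0), datetime(2022, 12, 1, 17, 0), True)
    ctrl = AccessController(blocklist={"B. Blocked"}, sows=[sow])
    eng = Visitor("A. Engineer", True, True, True, True)
    blocked = Visitor("B. Blocked", True, True, True, True)
    contractor = Visitor("C. Contractor", True, True, True, False)  # no biometric
    t_ok, t_late = datetime(2022, 12, 1, 10, 0), datetime(2022, 12, 1, 23, 0)
    results = {
        "blocked_at_reception": ctrl.reception(blocked),
        "engineer_reception": ctrl.reception(eng),
        "engineer_white_space": ctrl.door(eng, "white_space"),
        "rack_in_scope": ctrl.rack(eng, "R-07", "SOW-0042", t_ok),
        "rack_out_of_scope": ctrl.rack(eng, "R-09", "SOW-0042", t_ok),
        "rack_out_of_hours": ctrl.rack(eng, "R-07", "SOW-0042", t_late),
        "contractor_circulation": ctrl.door(contractor, "circulation"),
        "contractor_white_space": ctrl.door(contractor, "white_space"),
    }
    return results, ctrl.audit

if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Each layer records its own decision with a reason, so the SOC sees a denial at the rack as a distinct event from a denial at the door, and a person who passed reception and the inner doors is still stopped at the rack if the Statement of Works does not cover that exact cabinet and time.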
Integration, Integration, Integration:
In summary, a holistic, multi-layered approach to physical security can ensure that Data Centres are protected.
The systems and equipment outlined show how legislative and other requirements (including fire safety and health and safety) can be met, and how data and other assets (including intellectual property) can be protected against theft, loss and damage. Simplifying the supply chain by integrating as many of the technology solutions across the layers as possible through one provider creates greater accountability and ongoing support, and reduces the number of engineers visiting the site, significantly reducing the carbon footprint.
No one Layer can fully protect the data alone. The integration of all provisions ensures business continuity is maintained and Data Centres see a good return on their investment in physical security.
A detailed blog of each of the six layers is available on the G4S website.