Layer 5 - Internal Controls White Space/Data Centre Floor
Access to the data hall is strictly controlled, providing a further line of defence within the internal zones of a data centre. Only authorised personnel are permitted to enter this area and, in many instances, further access restrictions may be applied to individual cages or cubes (hot- or cold-aisle containment areas). Where a data centre provides colocation services, shared access rights may be granted to landlord and customer personnel, who may need to enter this space to reach the location where their equipment is installed.
Access security to the data hall therefore needs to consist of multi-factor authentication (such as biometrics, card access and PIN authentication), anti-tailgating detection, and full monitoring and traceability of visitors entering and leaving this area. Some personnel may need to be escorted to and back out of their work areas. In addition, an approved Statement of Works (SoW) or Method Statement will most likely be required, detailing which specified areas may be accessed and what works are to be carried out there.
CCTV is crucial not only to monitor who is entering and leaving the data hall, but also to ensure that policies and procedures are being followed within that area. This may include CCTV covering all aisles, including rack space in both hot and cold aisles (front and back of racks), to ensure there are no unauthorised attempts to access racks, and that any personnel who have been given access are in the correct areas and carrying out work as specified in their SoW.
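The access rules in the three paragraphs above (authorised personnel only, multi-factor authentication at the door, an approved SoW naming the permitted areas and time window, an escort where required, and a traceable record of every attempt) can be expressed as one policy check. The following is an added example, not code from the original post or from any access-control product; the zone path format ("hall-1/cage-07"), the required factors, the SoW fields and all sample workers and SoW references are assumptions constructed for the example. It goes slightly beyond the text by treating zones hierarchically, so that a SoW for a cage also admits the worker through the hall door that leads to it.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional

# Factors the data-hall door reader requires (hypothetical policy for this example).
REQUIRED_FACTORS = frozenset({"card", "pin", "biometric"})


@dataclass(frozen=True)
class StatementOfWorks:
    """An approved SoW: who may work where, during which window, and whether an escort is needed."""
    ref: str
    worker_id: str
    areas: FrozenSet[str]      # hierarchical zone paths, e.g. "hall-1/cage-07" (assumed format)
    start: datetime
    end: datetime
    approved: bool
    escort_required: bool


@dataclass(frozen=True)
class AccessRequest:
    worker_id: str
    area: str                  # zone the person is trying to enter
    factors: FrozenSet[str]    # authentication factors presented at the reader
    escort_id: Optional[str]   # badge of the escort, if one is present
    at: datetime


@dataclass
class Decision:
    granted: bool
    reasons: List[str]         # empty when granted
    sow_ref: Optional[str]


def area_covered(permitted: str, requested: str) -> bool:
    """A SoW for a cage also covers the hall door that leads to it: the requested zone
    must equal the permitted zone or be one of its ancestors in the path."""
    return permitted == requested or permitted.startswith(requested + "/")


def find_sow(req: AccessRequest, sows: List[StatementOfWorks]) -> Optional[StatementOfWorks]:
    """First approved SoW for this worker that is in force now and covers the zone."""
    for s in sows:
        if (s.worker_id == req.worker_id and s.approved
                and s.start <= req.at <= s.end
                and any(area_covered(a, req.area) for a in s.areas)):
            return s
    return None


def evaluate_access(req: AccessRequest, sows: List[StatementOfWorks],
                    authorised: FrozenSet[str], audit_log: List[dict]) -> Decision:
    """Apply every rule and record the outcome; a denial lists all failed rules so the
    SOC can see why, rather than stopping at the first one."""
    reasons = []
    if req.worker_id not in authorised:
        reasons.append("worker not on the authorised list")
    missing = REQUIRED_FACTORS - req.factors
    if missing:
        reasons.append("missing authentication factors: " + ", ".join(sorted(missing)))
    sow = find_sow(req, sows)
    if sow is None:
        reasons.append("no approved SoW covers this area at this time")
    elif sow.escort_required and (req.escort_id is None
                                  or req.escort_id == req.worker_id
                                  or req.escort_id not in authorised):
        reasons.append("SoW requires an authorised escort to be present")
    decision = Decision(not reasons, reasons, sow.ref if sow else None)
    # Every attempt, granted or not, is written to the audit trail for traceability.
    audit_log.append({"at": req.at.isoformat(), "worker": req.worker_id, "area": req.area,
                      "granted": decision.granted, "reasons": list(reasons)})
    return decision


# --- constructed sample data (not from the article) ---------------------------------
UTC = timezone.utc
AUTHORISED = frozenset({"w-1001", "w-2002"})
SOWS = [StatementOfWorks("SOW-0042", "w-1001", frozenset({"hall-1/cage-07"}),
                         datetime(2024, 1, 15, 9, 0, tzinfo=UTC),
                         datetime(2024, 1, 15, 12, 0, tzinfo=UTC),
                         approved=True, escort_required=True)]
ALL = frozenset({"card", "pin", "biometric"})
T = datetime(2024, 1, 15, 10, 0, tzinfo=UTC)


def sample_decisions(audit_log: Optional[List[dict]] = None) -> List[Decision]:
    log = audit_log if audit_log is not None else []
    requests = [
        AccessRequest("w-1001", "hall-1", ALL, "w-2002", T),                 # hall door en route to cage-07
        AccessRequest("w-1001", "hall-1/cage-07", ALL, "w-2002", T),         # the cage itself
        AccessRequest("w-1001", "hall-1/cage-03", ALL, "w-2002", T),         # cage not on the SoW
        AccessRequest("w-1001", "hall-1/cage-07", ALL, None, T),             # no escort present
        AccessRequest("w-1001", "hall-1/cage-07", frozenset({"card", "pin"}), "w-2002", T),
        AccessRequest("w-1001", "hall-1/cage-07", ALL, "w-2002", T.replace(hour=13)),  # after window
        AccessRequest("w-3003", "hall-1", ALL, "w-2002", T),                 # unknown worker
    ]
    return [evaluate_access(r, SOWS, AUTHORISED, log) for r in requests]


if __name__ == "__main__":
    log = []
    for d in sample_decisions(log):
        print("GRANTED" if d.granted else "DENIED ", d.reasons)
    print(len(log), "audit entries")
```

The check deliberately collects every failed rule instead of returning on the first one, so the audit entry tells the SOC whether a denial was a forgotten biometric or a worker turning up at a cage that is not on their SoW.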
CCTV can also verify that critical plant and floor integrity procedures are followed, such as cube doors being closed after access; floor tiles being replaced promptly after underfloor works (thereby minimising the number of floor tiles lifted at any one time so that critical cooling airflow is maintained); and work in one area not compromising neighbouring racks.
Fire systems such as VESDA (Very Early Smoke Detection) or ASD (Aspirating Smoke Detection) give the data centre facilities team an early detection alarm so that an event can be validated before full extinguishant release (gas or water sprinklers). This is implemented as a double-knock arrangement, in which two independent detections are required before release, and is commonly adopted within the data hall to ensure business continuity. Because of the high airflow volumes present in this area to provide adequate cooling, BS 6266 (Fire Protection for Electronic Equipment Installations) is the commonly specified standard for protecting the IT equipment from fire risk.
VESDA pipework and secondary point detection devices are commonly located in positions following the critical cooling airflow path, e.g. underfloor supply air plenums, hot-aisle return air paths, and across the CRAC (Computer Room Air Conditioning) return air inlet.
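The double-knock arrangement described above is a coincidence rule: a single detector in alarm raises a "first knock" for the facilities team to validate, and only a second, independent detector in the same zone commands release, which then latches until an operator resets it. The state machine below is an added example written for this post, not the logic of any real fire panel or of VESDA equipment; the zone name, detector identifiers and the event sequence are constructed.

```python
from typing import List, Set, Tuple


class DoubleKnockZone:
    """Coincidence ("double-knock") logic for one protected zone. Hypothetical example;
    not the firmware of any real fire panel.

    NORMAL       -> no detector in alarm
    FIRST_KNOCK  -> one detector in alarm: facilities team is alerted to validate the event,
                    but no extinguishant is released
    RELEASE      -> a second, independent detector is also in alarm: release is commanded
                    and the state latches until an operator resets the zone
    """

    def __init__(self, name: str):
        self.name = name
        self.in_alarm: Set[str] = set()   # ids of detectors currently in alarm
        self.state = "NORMAL"
        self.events: List[str] = []       # what the panel would log / signal to the team

    def _update(self, t: int) -> str:
        if self.state == "RELEASE":
            return self.state                   # latched: a detector clearing does not cancel
        if len(self.in_alarm) >= 2:
            self.state = "RELEASE"
            self.events.append(f"{t}s {self.name}: RELEASE commanded {sorted(self.in_alarm)}")
        elif self.in_alarm:
            if self.state != "FIRST_KNOCK":
                self.events.append(f"{t}s {self.name}: first knock, facilities team to validate")
            self.state = "FIRST_KNOCK"
        else:
            self.state = "NORMAL"
        return self.state

    def detector_alarm(self, detector: str, t: int) -> str:
        # A single sensor re-triggering is not confirmation; it stays one entry in the set.
        self.in_alarm.add(detector)
        return self._update(t)

    def detector_clear(self, detector: str, t: int) -> str:
        self.in_alarm.discard(detector)
        return self._update(t)

    def reset(self, t: int) -> str:
        """Operator reset after the event has been dealt with."""
        self.in_alarm.clear()
        self.state = "NORMAL"
        self.events.append(f"{t}s {self.name}: operator reset")
        return self.state


def simulate(events: List[Tuple[int, str, str]]) -> List[str]:
    """Run a sequence of (time_s, detector, 'alarm'|'clear') through one zone and
    return the zone state after each event."""
    zone = DoubleKnockZone("hall-1")
    out = []
    for t, detector, kind in events:
        out.append(zone.detector_alarm(detector, t) if kind == "alarm"
                   else zone.detector_clear(detector, t))
    return out


# Constructed sequence: the underfloor aspirating detector alarms first (validate, no
# release); the same sensor re-alarming changes nothing; a point detector in the hot
# aisle confirms, so release is commanded and stays commanded when the first sensor clears.
SAMPLE = [(0, "asd-underfloor", "alarm"),
          (20, "asd-underfloor", "alarm"),
          (45, "point-hot-aisle-B", "alarm"),
          (60, "asd-underfloor", "clear")]

if __name__ == "__main__":
    for (t, d, k), s in zip(SAMPLE, simulate(SAMPLE)):
        print(f"{t:>4}s {d:<18} {k:<5} -> {s}")
```

Keeping a set of detectors currently in alarm, rather than counting alarm events, is what makes a single chattering sensor unable to trigger release on its own; independence of the two detectors is the whole point of the arrangement.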
Strong Policy and Procedures:
A strong mix of policy and procedures is needed to ensure that the security systems in the data hall are adhered to, with relevant alerts for breaches raised to the local security team or SOC (Security Operations Centre). For lone workers, monitoring is especially important, not only to ensure that procedures are being followed but also to protect the health and safety of the individual worker, especially when working "out-of-hours". Security systems can be employed that provide live monitoring of a lone worker and raise alerts when certain parameters are not met.
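One way such lone-worker monitoring can work is a timed check-in: the worker confirms they are well at a fixed interval, and the system raises an alert to the SOC when a check-in is missed or the lone-working session runs too long. The monitor below is an added example and not the code of any lone-worker product the post might have in mind; the interval, grace period, maximum duration and the session sequence are assumed values constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LoneWorkerSession:
    worker_id: str
    area: str
    started_at: int          # seconds; a real system would use badge/app timestamps
    last_checkin: int
    overdue_alerted: bool = False
    duration_alerted: bool = False


class LoneWorkerMonitor:
    """Hypothetical lone-worker check-in monitor. Parameters the worker must keep meeting:
    a positive check-in at least every `interval_s` seconds (plus `grace_s`), and a total
    lone-working duration under `max_duration_s`. Each breach raises one alert for the SOC
    and does not repeat until the condition is re-armed (a fresh check-in, or a new session)."""

    def __init__(self, interval_s: int = 900, grace_s: int = 120, max_duration_s: int = 4 * 3600):
        self.interval_s = interval_s
        self.grace_s = grace_s
        self.max_duration_s = max_duration_s
        self.sessions: Dict[str, LoneWorkerSession] = {}

    def start(self, worker_id: str, area: str, t: int) -> None:
        self.sessions[worker_id] = LoneWorkerSession(worker_id, area, t, t)

    def checkin(self, worker_id: str, t: int) -> None:
        s = self.sessions[worker_id]
        s.last_checkin = t
        s.overdue_alerted = False        # a fresh check-in re-arms the overdue alert

    def end(self, worker_id: str) -> None:
        self.sessions.pop(worker_id, None)

    def poll(self, t: int) -> List[dict]:
        """Called on a timer by the monitoring system; returns the new alerts raised this tick."""
        alerts = []
        for s in self.sessions.values():
            if t - s.last_checkin > self.interval_s + self.grace_s and not s.overdue_alerted:
                s.overdue_alerted = True
                alerts.append({"type": "missed_checkin", "worker": s.worker_id,
                               "area": s.area, "overdue_s": t - s.last_checkin - self.interval_s})
            if t - s.started_at > self.max_duration_s and not s.duration_alerted:
                s.duration_alerted = True
                alerts.append({"type": "max_duration_exceeded", "worker": s.worker_id,
                               "area": s.area, "elapsed_s": t - s.started_at})
        return alerts


def run_sample() -> List[dict]:
    """Constructed out-of-hours session: two good check-ins, then silence."""
    m = LoneWorkerMonitor(interval_s=900, grace_s=120)
    m.start("w-1001", "hall-1/cage-07", 0)
    raised = []
    m.checkin("w-1001", 880)
    raised += m.poll(900)        # 20 s since check-in: nothing
    m.checkin("w-1001", 1780)
    raised += m.poll(2700)       # 920 s: within interval + grace
    raised += m.poll(2900)       # 1120 s: overdue -> one alert to the SOC
    raised += m.poll(3200)       # still overdue, already alerted -> nothing new
    return raised


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The alert carries the worker's declared area so that the SOC, or the CCTV operator, knows where to look first; the one-alert-per-breach latch keeps a single silent worker from flooding the console on every poll.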
Many of the security solutions considered in this layer carry through to the actual cabinets, cages and racking which house the routers, servers, A/V components, hubs and switches. This will be the focus of our next blog.