Layer 6 - Security to the IT Racks and Cabinets
The rack space is a very sensitive area, potentially giving access to personal data belonging either to the datacentre owner or to their customers, and as such it is vulnerable to insider attacks and espionage. Besides ensuring that racks and cabinets are sufficiently anonymised to prevent those with malicious intent from identifying which equipment holds specific data, there should be controls in place to ensure racks and cabinets are always locked and regularly inspected for attempted intrusion or damage.
Common security system technologies associated with the rack space include:
Access control:
Just like access to the data hall generally, access to specific cages, racks and cabinets needs to be restricted to authorised personnel only, who have been permitted to carry out work in that particular area. Once again this will include multi-factor authentication (such as biometrics, card access and PIN authentication) and is very important where organisations share cages or cabinets. Entry and exit searches may also be in place to ensure that only equipment consistent with the work being carried out is taken in and brought out. Intelligence from deep learning analytics can also help recognise unauthorised access attempts on neighbouring racks, raising an alarm with the local Security Operations Centre (SOC) and, if required, with the customer's IT team through their Datacentre Infrastructure Management (DCIM) system.
CCTV and video surveillance:
CCTV monitors those entering and leaving the rack areas and, where the technology allows, rack access can be linked to workflows and to authenticated sign-on to the IT equipment being worked on. The CCTV systems can provide verification of those working in front of the racks, with video images creating an audit trail of the work undertaken. If the monitoring system is linked to the access control systems it may also enable further automation, for example by automatically panning and tilting cameras towards whichever cabinet doors are opened. With the additional use of sensors, AI and deep learning, video surveillance may also be able to identify abnormalities in this area, such as unfamiliar intruders or unusual behaviour.
Policies and procedures:
As for the data hall, access to and work undertaken within the racking area is strictly governed by policies, procedures and prior approval. Entry is restricted to authorised personnel only, often detailing which specific areas or racks they are allowed to access, together with the timescales allowed to perform that work. These should be accompanied by an approved Statement of Works (SoW) or Method Statement detailing the work to be carried out, with any deviation from this resulting in access being declined.
The key to successful security in this area is the integration of data centre systems, specifically between those determining rack/cabinet access and/or the Data Centre Infrastructure Management (DCIM) and the datacentre building security systems. This will ensure that any unauthorised events or alarms activated at the rack are monitored and reported to the Security Operations Centre (SOC) immediately, so that security personnel are able to act upon any breaches of security and procedural malpractice.
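The access-control, policy and integration points above come together in the correlation logic the SOC actually needs: every rack-door event should be checked against an approved SoW (who, which racks, what time window) and anything that does not match raised as an alert, along with doors left open without a matching close. The following is an added example, not code from the original post or from any DCIM product; the permit and event formats, field names, alert categories and the 30-minute open-door threshold are constructed assumptions, as is the sample data.

```python
"""Correlate rack-door sensor events with approved work permits (SoW) and
raise anything unauthorised or out-of-window to the SOC.

Added example: data formats, field names and thresholds are assumptions,
not those of any real DCIM or access-control system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class WorkPermit:
    """An approved SoW: one badge, the racks it covers, and the time window."""
    permit_id: str
    badge_id: str
    racks: frozenset
    start: datetime
    end: datetime


@dataclass(frozen=True)
class RackEvent:
    """One event from a rack lock / door sensor (assumed feed format)."""
    ts: datetime
    rack: str
    kind: str                        # "door_open" or "door_close"
    badge_id: Optional[str] = None   # None: door opened without a credential


def _alert(event: RackEvent, category: str, reason: str) -> dict:
    return {"ts": event.ts.isoformat(), "rack": event.rack,
            "badge": event.badge_id, "category": category, "reason": reason}


def evaluate_open(event: RackEvent, permits: List[WorkPermit]) -> Optional[dict]:
    """Return None when a door_open is covered by a permit, else an alert."""
    if event.kind != "door_open":
        return None
    if event.badge_id is None:
        return _alert(event, "unbadged_open", "door opened without a credential")
    mine = [p for p in permits if p.badge_id == event.badge_id]
    if not mine:
        return _alert(event, "no_permit", "badge has no approved SoW")
    in_window = [p for p in mine if p.start <= event.ts <= p.end]
    if not in_window:
        return _alert(event, "outside_window", "access outside approved timescale")
    if any(event.rack in p.racks for p in in_window):
        return None
    return _alert(event, "wrong_rack", "rack not listed on the approved SoW")


def doors_left_open(events: List[RackEvent], now: datetime,
                    max_open: timedelta = timedelta(minutes=30)) -> List[str]:
    """Racks whose latest door_open has no door_close and is older than max_open."""
    last_open = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "door_open":
            last_open[e.rack] = e.ts
        elif e.kind == "door_close":
            last_open.pop(e.rack, None)
    return sorted(r for r, t in last_open.items() if now - t > max_open)


def review(events: List[RackEvent], permits: List[WorkPermit], now: datetime) -> List[dict]:
    """All alerts the SOC should see for this batch of events, in event order."""
    alerts = [a for a in (evaluate_open(e, permits) for e in events) if a]
    for rack in doors_left_open(events, now):
        alerts.append({"ts": now.isoformat(), "rack": rack, "badge": None,
                       "category": "door_left_open",
                       "reason": "door open with no matching close"})
    return alerts


# Constructed sample data: one approved SoW and a morning of door events.
D = datetime(2024, 5, 1)
SAMPLE_PERMITS = [
    WorkPermit("SOW-1001", "B-17", frozenset({"R12", "R13"}),
               D.replace(hour=9), D.replace(hour=11)),
]
SAMPLE_EVENTS = [
    RackEvent(D.replace(hour=9, minute=15), "R12", "door_open", "B-17"),   # approved
    RackEvent(D.replace(hour=9, minute=40), "R12", "door_close", "B-17"),
    RackEvent(D.replace(hour=9, minute=50), "R20", "door_open", "B-17"),   # neighbouring rack
    RackEvent(D.replace(hour=10, minute=5), "R20", "door_close", "B-17"),
    RackEvent(D.replace(hour=11, minute=30), "R13", "door_open", "B-17"),  # after the window
    RackEvent(D.replace(hour=11, minute=45), "R13", "door_close", "B-17"),
    RackEvent(D.replace(hour=12), "R14", "door_open", "B-99"),             # no SoW at all
    RackEvent(D.replace(hour=12, minute=10), "R14", "door_close", "B-99"),
    RackEvent(D.replace(hour=12, minute=20), "R15", "door_open", None),    # no badge, never closed
]
NOW = D.replace(hour=13, minute=30)

if __name__ == "__main__":
    for a in review(SAMPLE_EVENTS, SAMPLE_PERMITS, NOW):
        print(f"{a['ts']} {a['rack']:<4} {a['category']:<16} {a['reason']}")
```

The first event is the only one that passes silently; the permit covers that badge, rack and time. Everything else maps to a distinct alert category, which is what lets the SOC and the customer's DCIM view treat a neighbouring-rack attempt differently from a technician overrunning their timescale. Feeding the permit list from the SoW approval workflow, rather than maintaining it by hand, is the integration point L8 describes.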
This series of blogs has detailed how a holistic, multi-layered approach to physical security can ensure that datacentres are protected against untoward events, intentional or otherwise. The systems and equipment described in the previous blogs show how legislative and other requirements (including fire safety and health and safety) can be met, and how data and other assets (including intellectual property) can be protected against theft, loss and damage. Such provisions also ensure that business continuity can be maintained and that datacentres see a good return on their investment in physical security.