Data Center Physical Security Recommendations with Auditor Insights
by Mike Wise / May 17th, 2018
Why is Data Center Physical Security Important?
As we see more and more headlines of breaches, the focus on intruders accessing critical data has been heightened. What is the goal of those intruders? To access critical data stored by organizations.
This brings data centers into focus because the ultimate nexus of that critical data is in the data center. One of the top responsibility areas for data centers falls into that of physical security. Even with the shift to cloud-based infrastructure, data centers are still the critical physical bastion protecting critical data from physical theft.
Take video surveillance, for example. The video surveillance system is often seen as a “set it and forget it” system, but when something goes wrong, the first thing that pops into people’s minds is “check the cameras” so they can physically see what happened. Video surveillance is an integral part of data centers’ physical security posture, but it often gets neglected. Common issues are cloudy or obstructed cameras, clocks that are not accurate, systems running on end-of-life operating systems, and storage systems that are not retaining videos as long as expected.
There are so many aspects of physical security at data centers, but what are some best practices to embed physical security into the culture of your data center management?
4 Best Practices for Data Center Physical Security
The four best practices for physical security at data centers are controlling physical access, using multiple layers of security, training all personnel on the security procedures and why the procedures are important, and testing your physical security controls.
1. Monitor and track personnel through the data center.
Physical access management to data centers is a critical component of the overall physical security of the environment. Both providing access and understanding movement through the data center are key. The use of biometric readers, anti-tailgating systems, mantraps, and other physical access control systems to ensure access to spaces is authorized and monitored is critical.
2. Use multiple systems to provide layers of security.
Physical security is one of the classic examples of defense in depth. To provide comprehensive physical security, multiple systems and processes must work together, like perimeter security, access control, and process management.
3. Provide training on all physical security procedures.
Ensuring that all personnel adhere to physical security procedures and understand the importance of their responsibilities to a data center’s physical security program is a key concept. Intruders will always look for weak links, and it has been proven time and time again that weaknesses can often be on the human side of the equation.
4. Test your physical security controls.
Internal testing of physical security controls is an important concept in relation to physical security. Validating access grants, ensuring that video footage is recording, and verifying that anti-tailgate mechanisms are working as intended are three areas that I recommend you check. Testing of your physical controls a part of your normal operating procedures is one step that is often overlooked.
Auditor Insight on Physical Security Best Practices
As an auditor, one thing that I look for is how physical security is built into the culture of data center management.
Do operational personnel understand the reason why the policies and procedures are in place? Do they recognize the importance of physical security? If personnel fail at following and enforcing physical security policies, then there is a risk of a physical security breach.
A great example of this is the ubiquitous “no tailgating” sign. I have seen the “no tailgating” sign or policy in data centers blatantly ignored because employees think it’s not an issue or an important rule to follow. This cannot be farther from the truth; not following the no tailgating policy has a direct impact on the data center’s physical access control implementation.
The ability to track movements and insure security becomes at-risk, which can lead to unauthorized access and possible breaches. It’s examples such as this that give me insight into the culture of data center management at an organization.
Does your data center take physical security seriously? Is your critical data protected from physical threats? Contact us today to start learning more about information security for data centers.
About Mike Wise
Mike Wise has over 15 years of information security experience, specializing in data centers and distributed computing. He is passionate about helping clients grow their understanding of information security. As an Information Security Specialist at KirkpatrickPrice, Mike holds CISSP, QSA, and ITIL certifications.
