Data Storage Security: Securing the Physical Data Center
We know that your data center’s network security is important to you. How important is your data center’s physical security?
The data in corporate and co-location data centers is easily doubling and tripling in size. Cisco projects that the amount of incoming and stored data stored in the data center is currently approaching 3ZB (as in zetabytes) and will triple by 2017. That is a lot of data to secure.
And the data center is not only handling a lot more data, it’s also handling more infrastructure then it ever did. New technology is converging servers, fabric and storage in on-premise and cloud computing infrastructures.
Growing data and computing convergence mean that data centers, to use a technical term, are popping at the seams. IT spends a lot of time securing these high volume installations network attacks. They should: whole hacker communities exist to attack data center network security.
But what about physical security? This does not seem nearly as important to many data center administrators. When the corporate data center is located deep inside an office building, chances are that black-hat data extraction teams aren’t going to be swinging in any time soon.
Yet data centers are in fact under physical threat. Physical intrusion is simple to do by playing the part of a cleaning employee or computer technician. Employee mistakes or malice are common. Natural disasters can wreak havoc; so can energy-related issues.
You may not need to secure a U.S. embassy’s data center in troubled territory. But you should secure your own data center against a variety of physical threats, and make certain that your co-location provider does. This is particularly important with businesses sending more and more data onto the cloud. That data is stored in a physical location.
Has your provider secured it against all manner of threats?
A good way to tell is to make sure your provider’s data center is in regulatory compliance with network and physical security requirements. SSAE-16 and its granddaddy SAS 70 are standard compliance audits along with FISMA or FEDRAMP for government-related data centers.
Depending on the audit’s level and your particular industry, the audits will test compliance with regulations like PCI DSS, GLBA (Gramm-Leach Bliley Act), HIPAA and SOX. The audits cover physical security as well as digital security and business practices.
What are the Threats and Why Should I Worry?
Physical threats to data centers cross a gamut of unpleasant possibilities. Most of them fall into one of three major classifications: natural disasters, physical intrusion, and energy issues.
When we think about physical threats to the data center our minds naturally go to the dramatic natural disaster: earthquakes, tornados, hurricanes, extreme weather, and tidal waves. (Yes, tidal waves – ask Thailand and Japan about that.)
Data centers should be located as far away from active disaster threats as possible. This does not mean you must build a data center across the country from your HQ, or contract with a data center provider many states away from your IT staff. For example, RagingFire wanted to build close enough to its co-location customers in the Bay Area although the region is seismically active. They built instead in less quake-prone Sacramento, inland of San Francisco and not too far for customer IT to visit.
We don’t often think of energy in terms of a physical threat to data centers. Yet energy problems are far more frequent than are natural disasters, and we should learn to think about them in terms of securing the data center.
Part of the reason for the disconnect between energy and security is that corporate IT and Facilities remain stubbornly separate on energy costs and concerns. IT tends to think that energy usage is not their problem, but it is – if your cooling fails then your storage systems fry.
· Cooling You may not be as fortunate as Iron Mountain, whose secure Pennsylvania facility is built into natural caverns and cooled by piped water from their underground lake. Modern technology can approximate this environment by pumping chilled water beneath a data center’s raised floors. Higher ceilings will keep warm air rising to the top instead of coiled around your equipment.
· Power grid If you build your data center near a metro area that is running out of juice – goodbye to expansion plans. There is a reason that new data center development is happening away from large metro areas, with suburban communities serving as the local workforce. Progressive rural or suburban communities are taking advantage of cheap power and land to attract data center construction. For example, Virginia has developed its aptly named Data Center Alley in Loudoun County. Land, a local workforce, high bandwidth, and enlightened utility companies are changing the economy by courting large data center builds.
· Network Operations Center (NOC) monitoring It’s a very good plan to host a NOC monitoring system and the personnel to watch them. Systems should include monitoring data center fires (obviously), humidity (not so obviously), power, outside weather, and internal temperature.
· 24x7 Backup Power While we are on the subject of power, make sure that your uninterruptible power supply (UPS) or generator is working, and will work long enough for repairs, orderly system shutdown, or evacuation.
Does it happen? Not like the Mission Impossible movies but it does happen. London has experienced more than its share: burglars broke into a Verizon data center, tied up employees and stole equipment. A year earlier another burglary occurred at a Level 3 co-location center.