While principles of physical security are largely universal, data centers require a nuanced approach and are a great case study for security practitioners. In this blog, I will discuss basic security design for data centers and the new technologies now available to address the COVID era.
Looking ahead at commercial and industrial demands for data consumption, it is clear the data center industry will continue to thrive. Estimates on market growth average 15% year over year from 2020-2023. Whether you are evaluating your company’s need to move data off-site or an owner investing in constructing a new data center for leasing, it is critical to understand the minimum physical security requirements. While your IT infrastructure is a given necessity, neglecting physical security can cost you and your clients time, money, and your company’s public image.
Physical security always has the objectives to deter, detect and defend. A well-designed approach applies layers to the property where the innermost layer contains your most secure assets. Within data centers, the secure assets are either the owners’ or their clients’ business systems and data.
Consider the Location to Start the Design Process
A key element that should be part of any data center security design is the location and site selection. While there is a list of determining factors, one critical factor to note is CPTED, or Crime Prevention Through Environmental Design. CPTED is a holistic approach to design security into the built environment and make it more resilient and unattractive for incivilities, crime, violence, and terror. CPTED is based upon the concept that proper design and effective use of the built environment, can lead to a reduction in both the incidence and fear of crime (predatory stranger to stranger crime, and terrorism), while improving the quality of life (where we live, work, and play).
Is this an industrial/commercial site or a setting that is part of a residential area or downtown environment? Single buildings or multi-level buildings have other conditions that will need to be addressed.
While I am mainly focusing on the design and security within the data center these other areas are key in a master security design plan that affects the operations and security design within a given facility.
Reduce Risk with a Layered Security Design Approach
A layered security design approach requiring a progressively higher level of both physical and electronic security measures to move from a lower level to a higher level of security will significantly reduce risk and ensure only authorized personnel have access in and out of protected areas. Access control, video surveillance, intrusion alarm and duress systems can monitor, restrict, authorize, detect, and report events and unauthorized activities both in and outside of these facilities.
This initial layer of security also includes traffic flow controls (vehicular, personnel). Pedestrians should not be able to walk onto the property without running into barriers or authorized personnel. Impact-rated gates are the preferred choice to defend against vehicular attacks.
The size of your campus will determine whether security personnel also need to be present. Generally, larger campuses with multiple buildings could invest in security officers to be posted at strategic gate entrances – limiting access to only portions of a campus. Access control, video surveillance and intercoms are used to access, monitor, and communicate to the perimeter entry points accessing the property.
Traditionally the lobby is where the security or visitor check-in and processing happens and the control or monitoring center are located. As with most secured facilities, all those entering the location will be speaking to security staff through ballistic rated panels and passing their ID and paperwork through a secured draw.
Once visitors and employees pass security and access the portals they are now in a secured corridor or a secured elevator lobby for multi-level sites. Again, valid credentials to access the door or call the elevator to access other floors will be required.
At this point you will need access control to enter the majority of any other locations within the building on a need to only basis and limited in duration (storage, electrical, mechanical, galleries, receiving/loading dock and offices). Most of these spaces will have video cameras positioned and recording activities.
Securing facilities and limiting only authorized personnel is a must to limit the risk of business disruption, data breaches and public image. A layered security design approach can mitigate risk. However, the best physical security measures will fail if an organization does not provide and continually develop and enforce their policies, procedures, and staff training.
Since the COVID-19 pandemic clients are looking at new technologies and design concepts to protect their staff and clients by reducing or eliminating readers that require touching a device. This is the case when dual authentication is required from card and keypad (PIN) readers and some biometric devices. Iris readers and facial recognition cameras now can include thermal imaging to detect elevated body temperatures. These devices can also restrict access due to an elevated body temperature and alert personnel or deny access when face coverings are not worn. Scanning reader technologies such as the Morpho Wave readers can read hand biometrics without the need to touch the device. The hand simply passes across the scanners.
Other design changes include the increased use of auto door operators that are activated upon valid access from the access control system. When used on high activity doors this greatly limits the need to touch door handles or panic hardware to access and exit through doors.
These new technologies and design changes come at a price but are protecting owners, clients, staff, vendors and reducing risk that could impact the operations of a data center.