Data centre security is physical security

Issue 7 2021 Editor's Choice

When it comes to data centre security, most people think of cybersecurity due to the amount of technology installed in these environments. For companies running their own data centres, cybersecurity is part of the job, but for collocated environments, where many companies have computing systems within the data centre, physical security is the most important aspect of the service they offer.

Hi-Tech Security Solutions spoke to Conrad Kock, principal practice lead at Dimension Data in South Africa, as well as Florian Kastl, director of security, EMEA for NTT (the parent company of Dimension Data) about the company’s local and international data centres and the processes they implement to secure them for their clients. Dimension Data (we will refer to the company as Dimension Data for the rest of the article since the name is more recognised in South Africa), host data centres around the world where various clients install their IT infrastructure (hence the term collocated).

The key to running a successful data centre is to provide clients with peace of mind that their systems and data are safe. Because the company does not have any knowledge of what is on the systems in the facility, it is not responsible for each system’s cybersecurity, but it must control access and make sure systems are available 24x7.

Starting with the big picture

One of Kastl’s tasks is to standardise the security process for all the company’s data centres in EMEA (including one that will be opened in Johannesburg). He says the first step is an environmental risk assessment to determine the suitability of the location as a whole. This includes everything from earthquake or flood risks, to access roads and crime in the area which relates to the types of attacks the facility may face.

Following that there are diverse categories of security to consider depending on the potential clients the facility will host. For example, government clients would demand more security and resilience than smaller companies. Kock explains that data centres make use of the tiering standards of the Uptime Institute, as one example, to determine the resilience of the facility.

Other standards Dimension Data makes use of include the TIA-942 standard for structured cabling, as well as the ISO standards (such as 27001 and others) which cover a host of aspects of the facility itself, from cabling to power and cooling redundancy, as well as physical access control and the operational processes.

Five steps of authentication

For Dimension Data, the company has set five steps of authentication in place to control access to its facilities. The people who may require access range from technicians sent to manage their customers’ racks and servers, through to service providers tasked with maintaining security, power and other internal systems.

The first step is onboarding an individual. An authorised representative would call the data centre and schedule the arrival of a person – only certain people may log these calls. The relevant identity information is conveyed and when the individual arrives, this is checked at the entrance and again in the reception area where his/her identity is verified. Dimension Data collects their biometrics and checks IDs with the Home Affairs database.

The person is also sent through an induction, which today would include Covid screening, to make sure they understand the environment and would know what to do if, for example, there was a fire alarm while they were inside the facility. Only then are they authenticated and allowed inside the data centre itself.

The final security layer is at the rack(s) where companies keep their equipment, again under lock and key – although biometric locks are also popular. People are escorted to their company’s racks to ensure they only work on their own kit.

Naturally, Kock says this is only the access control for individuals and there are various other security systems in place, from perimeter security, alarms and surveillance, including surveillance inside the company’s operations area and the isles between the racks etc. Fire safety is also critical and a bit more complex than a normal office environment.

Two types of fire safety

In general, there are two types of fire suppressions systems for the critical areas within a data centre. Computer equipment can obviously not be exposed to water, so fires in these areas can’t have sprinklers as a suppression system. In these areas Kock says the suppression is accomplished by reducing the oxygen content in the air to a level that does not support fire, but will still allow humans to breathe – although people should evacuate when the alarm sounds, which should occur at the first sign of smoke or excessive heat.

Part of a data centre’s resilience is its ability to withstand power cuts and the like via UPS systems and generators. In these areas, water mist is used to quench any fires as the equipment is not as sensitive to moisture as IT systems.

Levels of resilience

Kock notes that a data centre’s resilience is key to its success. All the systems within the facility must work together to ensure the promised levels of resilience are met. Generally, a Tier 3 data centre is the standard businesses opt for as it is ‘concurrently maintainable’. This means the facility has full redundancy.

In normal circumstances both systems, whether it is power generators, UPSs, cooling etc., are used together, but when one goes down, the other takes the full load. The outage may be the result of an Eskom power failure or even regular maintenance on systems. They key is customers don’t see any downtime and their operations carry on as normal as there is not a single point of failure.

Of course, where communications is concerned, these facilities have multiple feeds into and out of the facility as per client requirements, but again, redundancy and the ability to carry on as normal is critical. As noted above, depending on the data centre’s clients and purpose, the facility may require even higher resilience and failover capabilities.

Cybersecurity is also a concern

As we have noted, the cybersecurity aspect is primarily the concern of the individual customers as they control their systems and these are isolated from other systems. If one client is hit with ransomware, for example, the others will not be impacted.

However, Kastl notes that one area where cybersecurity is critical for data centre operators is in terms of its own building management systems (BMS). In a worst-case scenario, if miscreants could take over the BMS system, they could disrupt operations by changing the cooling or power management systems. In the case of Dimension Data, the BMS system in its data centres is physically separated from the general office network to prevent any unauthorised access or malware attacks.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Local manufacturing is still on the rise
Hissco Editor's Choice News & Events Security Services & Risk Management
HISSCO International, Africa's largest manufacturer of security X-ray products, has recently secured a multi-continental contract to supply over 55 baggage X-ray screening systems in 10 countries.

NEC XON shares lessons learned from ransomware attacks
NEC XON Editor's Choice Information Security
NEC XON has handled many ransomware attacks. We've distilled key insights and listed them in this article to better equip companies and individuals for scenarios like this, which many will say are an inevitable reality in today’s environment.

The future of digital identity in South Africa
Editor's Choice Access Control & Identity Management
When it comes to accessing essential services, such as national medical care, grants and the ability to vote in elections to shape national policy, a valid identity document is critical.

Do you need a virtual CIO?
Editor's Choice News & Events Infrastructure
If you have a CIO, rest assured that your competitors have noticed and will come knocking on their door sooner or later. A Virtual CIO service is a compelling solution for businesses navigating tough economic conditions.

AI-enabled tools reducing time to value and enhancing application security
Editor's Choice
Next-generation AI tools are adding new layers of intelligent testing, audit, security, and assurance to the application development lifecycle, reducing risk, and improving time to value while augmenting the overall security posture.

From the editor's desk: AI and events
Technews Publishing News & Events
      Welcome to the 2024 edition of the SMART Surveillance Handbook. Reading through this issue will demonstrate that AI has undoubtedly made its mark on the surveillance industry. Like ‘traditional’ video ...

Perspectives on personal care monitoring and smart surveillance
Leaderware Editor's Choice Surveillance Smart Home Automation IoT & Automation
Dr Craig Donald believes smart surveillance offers a range of options for monitoring loved ones, but making the right choice is not always as simple as selecting the latest technology.

The TCO of cloud surveillance
DeepAlert Verifier Technews Publishing Surveillance Infrastructure
SMART Security Solutions asked two successful, home-grown cloud surveillance operators for their take on the benefits of cloud surveillance to the local market. Does cloud do everything, or are there areas where onsite solutions are preferable?

Surveillance on the edge
Axis Communications SA Guardian Eye Technews Publishing Surveillance
Edge processing, a practical solution that has been available for some time, has proven its utility in various scenarios, tailored to the unique requirements of each user.

AI developments in surveillance
DeepAlert Secutel Technologies Technews Publishing Surveillance
When AI-powered video analytics first emerged in the surveillance market, it was heralded as a game-changer, promising near-magical object recognition and identification. As always, it was oversold, but times have changed and we are close to seeing the ‘magic’ at work.