Data centre security is physical security

Issue 7 2021 Editor's Choice

When it comes to data centre security, most people think of cybersecurity due to the amount of technology installed in these environments. For companies running their own data centres, cybersecurity is part of the job, but for colocated environments, where many companies have computing systems within the data centre, physical security is the most important aspect of the service they offer.

Hi-Tech Security Solutions spoke to Conrad Kock, principal practice lead at Dimension Data in South Africa, as well as Florian Kastl, director of security, EMEA for NTT (the parent company of Dimension Data) about the company’s local and international data centres and the processes they implement to secure them for their clients. Dimension Data (we will refer to the company as Dimension Data for the rest of the article since the name is more recognised in South Africa) hosts data centres around the world where various clients install their IT infrastructure (hence the term colocated).

The key to running a successful data centre is to provide clients with peace of mind that their systems and data are safe. Because the company does not have any knowledge of what is on the systems in the facility, it is not responsible for each system’s cybersecurity, but it must control access and make sure systems are available 24x7.

Starting with the big picture

One of Kastl’s tasks is to standardise the security process for all the company’s data centres in EMEA (including one that will be opened in Johannesburg). He says the first step is an environmental risk assessment to determine the suitability of the location as a whole. This includes everything from earthquake or flood risks to access roads and crime in the area, which relates to the types of attacks the facility may face.

Following that, there are diverse categories of security to consider depending on the potential clients the facility will host. For example, government clients would demand more security and resilience than smaller companies. Kock explains that data centres make use of the tiering standards of the Uptime Institute, as one example, to determine the resilience of the facility.

Other standards Dimension Data makes use of include the TIA-942 standard for structured cabling, as well as the ISO standards (such as 27001 and others) which cover a host of aspects of the facility itself, from cabling to power and cooling redundancy, as well as physical access control and the operational processes.

Five steps of authentication

Dimension Data has put five steps of authentication in place to control access to its facilities. The people who may require access range from technicians sent to manage their customers’ racks and servers, through to service providers tasked with maintaining security, power and other internal systems.

The first step is onboarding an individual. An authorised representative would call the data centre and schedule the arrival of a person – only certain people may log these calls. The relevant identity information is conveyed and when the individual arrives, this is checked at the entrance and again in the reception area where his/her identity is verified. Dimension Data collects their biometrics and checks IDs with the Home Affairs database.

The person is also sent through an induction, which today would include Covid screening, to make sure they understand the environment and would know what to do if, for example, there was a fire alarm while they were inside the facility. Only then are they authenticated and allowed inside the data centre itself.

The final security layer is at the rack(s) where companies keep their equipment, again under lock and key – although biometric locks are also popular. People are escorted to their company’s racks to ensure they only work on their own kit.

Naturally, Kock says this is only the access control for individuals, and there are various other security systems in place, including perimeter security, alarms and surveillance, with surveillance extending inside the company’s operations area and the aisles between the racks. Fire safety is also critical and a bit more complex than in a normal office environment.

Two types of fire safety

In general, there are two types of fire suppression systems for the critical areas within a data centre. Computer equipment can obviously not be exposed to water, so the areas that house it can’t use sprinklers as a suppression system. In these areas, Kock says, suppression is accomplished by reducing the oxygen content in the air to a level that does not support fire but will still allow humans to breathe, although people should evacuate when the alarm sounds, which should occur at the first sign of smoke or excessive heat.

Part of a data centre’s resilience is its ability to withstand power cuts and the like via UPS systems and generators. In these areas, water mist is used to quench any fires as the equipment is not as sensitive to moisture as IT systems.

Levels of resilience

Kock notes that a data centre’s resilience is key to its success. All the systems within the facility must work together to ensure the promised levels of resilience are met. Generally, a Tier 3 data centre is the standard businesses opt for as it is ‘concurrently maintainable’. This means the facility has full redundancy.

In normal circumstances both systems, whether they are power generators, UPSs, cooling etc., are used together, but when one goes down, the other takes the full load. The outage may be the result of an Eskom power failure or even regular maintenance on systems. The key is that customers don’t see any downtime and their operations carry on as normal, as there is no single point of failure.

Of course, where communications is concerned, these facilities have multiple feeds into and out of the facility as per client requirements, but again, redundancy and the ability to carry on as normal is critical. As noted above, depending on the data centre’s clients and purpose, the facility may require even higher resilience and failover capabilities.

Cybersecurity is also a concern

As we have noted, the cybersecurity aspect is primarily the concern of the individual customers as they control their systems and these are isolated from other systems. If one client is hit with ransomware, for example, the others will not be impacted.

However, Kastl notes that one area where cybersecurity is critical for data centre operators is their own building management systems (BMS). In a worst-case scenario, if miscreants could take over the BMS, they could disrupt operations by changing the cooling or power management systems. In the case of Dimension Data, the BMS in its data centres is physically separated from the general office network to prevent any unauthorised access or malware attacks.

