Rack-Level Security: The Last Line of Physical Defense
Security is a fundamental requirement in data centers and processing facilities, with recent high-profile data breaches and losses ensuring that the focus is greater than ever.
Physical security is a vital part of the equation, working in tandem with cybersecurity measures to ensure a multi-layered approach which recognizes the threats in totality rather than in isolation.
An area of development to further enhance protection is the shift toward physical protection at rack level. Data centers and computer rooms are generally physically secure: purpose-built facilities typically have perimeter security, access control for general facility access and a hierarchical approach for specific areas, particularly in enterprise-owned operations, which usually restrict access to the data servers.
However, this protection is often not taken down to rack level, which, as the cabinet is the final line of defense, can be short-sighted.
Assessing the risk
Given the nature of data centers, it is understandable that they are inherently risk averse. However, there are different risk profiles that will inform the level of security that needs to be adopted. There are essentially two primary factors to consider when deciding if rack-level security is necessary. The first is the degree of sensitivity of the data being held; the second is the criticality of the equipment in a given rack to the ongoing operation of the facility.
Certain operations are always going to have a higher risk profile due to the nature of the data being handled and stored. Financial institutions and healthcare providers are two of the more obvious examples where rack-level security may be deemed a necessity rather than a “nice to have”.
The importance attributed to such data is highlighted by standards and regulations which are specific to those markets. These include PCI DSS (Payment Card Industry Data Security Standard) and HIPAA (Health Insurance Portability and Accountability Act), both of which include guidance on controlling access to data. PCI DSS has far-reaching consequences for many companies, both large and small, since it effectively relates to anybody who is processing credit card data.
Malicious versus unintentional
It is reasonable to assume that the majority of data breaches are the result of external cyber attacks which seek to exploit software or networks. While this is indeed the case, research suggests that up to 25% of malicious attempts to steal data originate internally.
It is not always malicious intent that is the issue. In the event of a problem with a server, it is not uncommon for an IT consultant or contractor to be brought in. It is relatively simple for a mistake to be made when faced with a vast array of racks: going to rack “20” rather than rack “19” and consequently unplugging the wrong item can have serious consequences.
People who work within the data center are also not above making human errors. By having control at rack level, an external engineer can, for example, only be given access to the rack in question. Locking down a server which is critical to the business continuity of the facility can not only prevent malicious tampering but also significantly reduce the potential for genuine mistakes.
Holding data locally
While many organizations use cloud services which are housed in facilities with excellent multi-layered security, it is not uncommon to also have racks which store data locally. Having this cached data helps to overcome the speed issues associated with accessing everything from the cloud.
There are also many companies that are yet to migrate to the cloud, storing all of their data locally. Depending on the risk profile, security at rack level should at least be considered as part of the overall data security strategy.
Enterprise and colocation facilities
That is not to say that opportunities do not exist to extend rack-level security in some of the largest enterprise data center facilities. Major blue-chip companies are driving the trend by recognizing the advantages of ensuring that certain business-critical racks have very restricted access.
An example would be servers storing data from security cameras and access control systems, with the serious consequences that the unplugging of a camera, either deliberately or unintentionally, could have. If such a server is compromised, then it is not just data loss but potentially the loss of the facility’s entire security system. In such instances, multi-factor authentication can be adopted, whereby more than one form of identification is required to access the cabinet, increasing the level of security and reducing the potential for unauthorized access.
Colocation data centers, where companies are leasing cloud storage space, can also benefit from this approach. Having a layer of security beyond just the standard entry protocols for these multi-tenant sites may be a desirable route, particularly for those organizations who identify themselves as having a higher risk profile and want security levels that reflect that. It gives the client control of the rack, which can be secured independently of the third party that is providing the data storage.
Electronic locking versus mechanical locking
A major benefit of adopting electronic locking over a simple key-based approach is traceability. Here, we are talking about access control at the level of the individual rack rather than just restricting access to an area containing what are often several hundred racks. It therefore provides a much tighter level of control.
In the event of an incident, the person who accessed a specific server at a given time will be recorded. If an unauthorized access attempt is made, an alert can provide the potential to intervene, although in the vast majority of cases, any breaches are investigated retrospectively. Having the information on which to act is therefore invaluable. Electronic locking also provides automated monitoring, documenting and control of access, plus the capacity for fast reprogramming in the event of a lost or stolen access card or a change in access rights.
While in some applications rack-level security is planned at the facility design stage, it is also relatively easy to retrofit. So, if a colocation facility takes on a new client with a high risk profile, then access control can be offered for specific racks.
The last physical line of defense
One of the problems with access control in data centers is the lack of specific regulation. While many of the standards and regulations stipulate a requirement for access control measures to be employed in data processing and storage facilities, the actual methods and technologies are left open. Data center owners and those responsible for data processing can therefore benefit significantly from working with companies that have direct experience of security in this particular market.
Rack-level security is certainly not necessary for all data applications, but with the right knowledge and support from an experienced security solutions partner, for those where it is applicable it can provide an invaluable contribution as the final layer in a multi-layered approach to physical security.