More than just fences and walls – why physical security deserves more than just a check box.
Power, availability and physical security. These are some of the most important attributes that customers look for in a data center provider.
For those outside of the data center industry, that may appear to be a list ranked in order of importance. After all, a customer can only lease space from a data center provider if space is available in their desired market. And data center equipment requires plentiful, consistent and reliable power to operate. So, power and availability are clearly essential and of the utmost importance.
Yet physical security can’t be taken for granted. And that’s because companies leasing space from data center providers today are entrusting them with something incredibly important.
First, they’re entrusting them with their data, customer information and confidential information. All these things could potentially be accessed from the servers in a data center, making the physical security of that data center paramount.
Ensuring that only those qualified and authorized can access a company’s data center and the equipment it contains can help keep companies from facing a situation like what happened with Anthony Levandowski, a former Google engineer who attempted to bring sensitive documents and trade secrets to his new employer. That problem can be mitigated by limiting access to only those authorized to have it.
Second, the data center space that companies lease may house the hardware and equipment that runs their operations and powers the very products and solutions that they’re selling to their own customers. Cloud infrastructure, cloud solutions and SaaS software applications are expected to be dependable and reliable. The providers of these solutions are expected to meet stringent SLAs that include a lot of nines. And when those solutions go down, they can cause a disruption that may result in lost revenue.
Take cloud infrastructure as an example. If the infrastructure that’s running a popular ride share, food delivery or online shopping application goes down, those end customers are losing revenue every second that their service is not available.
Physical security plays an important role in keeping those applications and services up and running by protecting the infrastructure that powers them from unauthorized individuals who may intentionally or unintentionally disrupt them. This is especially important today, as the number of physical threats to data centers increases.
Just last week, an individual from Texas was charged with attempting to disrupt popular Internet services by plotting an attack against an Amazon Web Services (AWS) data center. This individual was identified and arrested by the FBI before he was able to travel to Ashburn, Virginia, and execute his plan, but this illustrates just how real the physical threat is for data centers and data center providers.
While physical data center security may receive fewer headlines and congressional hearings than data security and cybersecurity, it’s just as important. But what should companies be looking for when analyzing a data center provider’s physical security?
Defense in depth is just the beginning
Today, many data center providers embrace an approach to physical security often referred to as “defense in depth.” This concept involves the establishment of multiple, concentric circles or layers of security. This begins with a gate around the perimeter of the data center and guards on premises to ensure that only those authorized gain entrance.
In addition to that first layer of security, there may also be a perimeter intrusion detection system utilizing cameras or other technologies that serves to notify security personnel should an unauthorized person attempt to gain access to the site.
Once within the data center, individuals seeking to proceed beyond the foyer or entrance area may require multifactor authentication. This often requires a badge and another, additional factor that can authenticate who the individual is. This was traditionally done with a license or another form of identification but is transitioning to biometric identification for many providers.
This concept of defense in depth is relatively pro forma in data centers today – with many providers embracing perimeter gates and security, intrusion detection and two-factor authentication to proceed past the entryway.
What differentiates data center providers is the quality and capability of the security solutions they’ve embraced within their concentric circles of security, and the steps that they’ve taken to go above and beyond what’s expected in a data center – whether that be embracing new security technologies or innovative approaches to data center and campus layouts that can contribute to data center security.
For example, at Vantage Data Centers, we’ve worked to embrace biometrics – where possible and not restricted by local law or ordinance – for our multifactor authentication. We’ve also worked to embrace biometric solutions, including iris and facial recognition solutions, that lead the industry in success rate and security.
But biometric authentication is just one of the physical security advancements that we’re seeing in today’s data centers. There are other, innovative things that data center providers are doing utilizing technology and new approaches to security.
AI and environmental design
As we discussed, biometrics and other physical security innovations are becoming rather commonplace in the data center industry. What makes a data center provider stand out among the crowd is the ability to identify and embrace outside-the-box solutions and thinking that can eliminate security concerns before they even make it to the authentication stage of the process.
One of the areas where we see incredible potential at Vantage is in artificial intelligence (AI) for perimeter defense and intrusion detection. These solutions utilize cameras and other Internet of Things (IoT) sensors to determine and identify activity on a data center campus and alert security personnel if it’s determined to be a threat.
For example, let’s say an individual is able to hop the perimeter fence around a data center campus. In that situation, the cameras and other sensors will identify that activity – even if security personnel are not in the immediate area – process the data to determine what is happening and raise a red flag. The system can even dispatch security personnel to the exact location to mitigate the threat.
But what if we could take that a step further and keep that individual from ever scaling that fence in the first place?
An approach to crime prevention that is widely embraced in residential neighborhoods and cities around the world is beginning to be implemented by data center providers to increase the security of their campuses. The concept is called Crime Prevention Through Environmental Design (CPTED), and it involves the construction of an environment that is specifically tailored to increase safety and discourage individuals from committing criminal acts.
While CPTED is not a new concept for crime prevention in cities and towns, it is a relatively under-utilized approach for increasing data center security. To implement CPTED, data center providers need to reconsider their standard data center campus landscape and reimagine it with an eye towards creating a more secure environment.
More than just fences and walls
Availability, power and security are all essential considerations when looking for a data center provider. And that’s certainly reflected in the conversations that we’ve had with customers and prospects here at Vantage.
Often, customers will come to us with several hundred questions about physical security before they sign a lease. Some will ask about having ballistic protections, high fences and numerous security cameras. And those are all important questions and considerations for those companies. But those are things that many data center providers are doing today to “check the box” on physical security.
What large companies should be looking for extends beyond fence height and camera count. And they shouldn’t just be looking for the security infrastructure that’s in place, but what the data center provider is doing with it.
For example, at Vantage, we’ve implemented dashboards that provide customers with insights into daily activities and increase their transparency into what’s happening in their data center. And these dashboards aren’t “one size fits all.” Rather, they’re customizable to that particular customer’s preferences and requirements, ensuring they’re only seeing the information that is most important to them.
We’re also exploring role-based analytics tools that can more quickly assign permissions and security clearances to those that need them – and are authorized for them – to expedite the process of giving new or visiting employees the access they need to do their jobs.
High fences are great, yet data center providers that can deliver strong security without sacrificing productivity, and are willing to be innovative and think outside-the-fence when it comes to physical security, should be what data center customers are looking for.
The world of data center physical security is changing as new technologies and approaches emerge that evolve how we think about securing data centers. It’s not enough to just check a “defense in depth” box and move on. Companies should be demanding more.
Greg Thompson
Greg Thompson serves as senior director, physical security and information security at Vantage Data Centers. He is responsible for developing and implementing the company’s physical and cybersecurity initiatives.
Thompson has more than 10 years of experience in building and maintaining safe and secure environments. Prior to Vantage, Thompson supervised and directed industrial, physical and information security measures for more than 400 employees at General Dynamics Corporate. While at the Federal Bureau of Investigation, he directed security initiatives and strategies for various business units, ensuring security measures aligned with and supported company/agency objectives.
Thompson holds a Bachelor of Arts degree in government and international politics and religious studies from George Mason University, a Master of Public Administration degree in emergency management and homeland security from George Mason University, and an MBA and a Master of Science degree in cybersecurity from the University of Maryland Global Campus. As part of his focus on security, Thompson is a Certified Business Continuity Professional (CBCP) and holds a Lean Six Sigma Green Belt certification.