Security Enterprise Services

How to Physically Secure Data Centers

July 1, 2012
/ Print / Reprints /
/ Text Size+

Heartland Payment Systems, TJX, Epsilon and Sony: what do they have in common?

For one, trouble with the data center. Heartland Payment Systems, a payment processor based in Princeton, N.J., was the victim of a major cyber attack in 2008. Criminals installed spying software on the company’s computer network and stole the numbers of as many as 100 million credit and debit cards. TJX, the Framingham, Mass., retailer that owns national chains including TJ Maxx and Marshalls, estimated that a 2007 data breach would cost the company about $25 million. But in the end, the total cost was at least 10 times as high.

In March 2011, hackers stole millions of names and e-mail addresses from the Dallas-based marketing firm. Epsilon handles e-mail lists for major retailers and banks like Best Buy, JPMorgan, TiVo, Walgreen and Kroger. A study by CyberFactors, a cyber risk analytics company, estimates that the breach could cost between $225 million and $4 billion.

The Sony data breach, which exposed information from more than 100 million user accounts in April, could prove to be the mostly costly data breach of all time. Hackers obtained personal information, including credit, debit and bank account numbers in some instances, of PlayStation Network users and Sony Online Entertainment users. After discovering there had been a breach, Sony shut down both networks temporarily. The Ponemon Institute estimates that the breach could cost Sony and credit card issuers up to a total of $2 billion.

The losses and risks are even troubling, given the potential growth that data centers seem to indicate. Despite growing concerns of a global economic slowdown, the companies that construct and operate data centers expect growth next year to match levels last seen in the world economy’s boom years: about 19 percent. The growth of cloud computing is prompting increased demand for data center space in North America, according to a survey by Digital Realty. The growing interest in cloud adoption, along with the resumption of planned expansions that were deferred due to the economy, suggests robust growth ahead for the U.S. data center industry, the report says.

In addition, 92 percent of IT decision makers at large companies said they will “definitely or probably” expand their data center footprint in 2012, the highest number in the six-year history of the survey by Digital Realty, which is the largest operator of data center facilities. By comparison, 70 percent of respondents said they had expanded their data center operations over the past two years.


Securing the Data

Yet there are many success stories of data secured successfully. Take, for example, Silver Cross Hospital’s recently opened data center. The hospital recently opened a 600,000-square-foot, $370 million medical complex with an outpatient center, medical service building and hospital in New Lenox, Ill. The project also included a new 2,450-square-foot data center, 50 percent larger than its existing one.

Even more – OSF HealthCare’s new Children’s Hospital of Illinois in Peoria and the soon-to-open Ann & Robert H. Lurie Children’s Hospital of Chicago – have combined new data centers with new medical facilities. The hospitals are establishing a technology foundation for healthcare that will be dominated by electronic health records that cannot be compromised.

In addition, Cook County Health and Hospitals System (CCHHS) of Cook County, Ill., have deployed a unified virtual data center infrastructure, worth nearly $3 million, to serve the operational needs of some two dozen facilities across the Chicagoland area. The CCHHS cloud solution reportedly speeds up access to patient care data for clinicians and staff personnel while giving the CCHHS a data center infrastructure that is ready for future growth.

Beyond new construction, securing a data center’s IT infrastructure, physical security also plays a large role with data centers. Physical access to the site is usually restricted to selected personnel, with controls including bollards and mantraps. Video camera surveillance and permanent security guards are almost always present if the data center is large or contains sensitive information on any of the systems within. The use of finger print recognition man traps is starting to be commonplace.

“At a data center, it’s all about anonymity,” says William Holmes, head of critical infrastructure and facilities for Bytegrid, a holdings company that acquires, develops and operates wholesale data center facilities. The company recently acquired a new 214,000-square-foot data center in downtown Silver Spring, Md. It is the largest multi-tenant data center in the state of Maryland. The facility is rated ultra-secure for government interests, and it is also considered “financial grade” and home to one of the world’s 10 largest banks.  

“Security at a data center is a marriage between the physical asset and the process side,” Holmes explains. “We focus a lot on the threats that are particular to this business. For example, in the Washington D.C. area, there’s always the potential for protestors, so we have to be attuned to whether our tenants are liable to be attacked. We work on a list, from the highly unlikely to the very possible, and then present the case to senior management.”

Holmes uses a variety of security practices to secure the data center, which he says includes an eight-foot high perimeter fence, heavy grade interior windows, no exterior windows, a 24-hour guard service from Securitas, palm and fingerprint readers and biometric eye scanners.

The same can be said at Retirement Systems of Alabama (RSA), which manages public pension funds for state and local employees and public education employees in the state of Alabama, and operates the Dexter Avenue Data Center in Montgomery, Ala.

John Hill, CTO, explains: “First, complete background checks are done on each visitor, and video entry is everywhere. Next, from the minute someone walks in the door, they are under complete observation; there are no gaps. They need complete credentials to even access a floor in the elevator. To get to the data center floor of the Dexter Avenue building, you first enter a turnstile with a biometric credential. Once you step out of the elevator, there are additional biometric readers to get you to the next step.  That type of security takes place every step of the way.”

Hill worked with Larry Oliver with systems integrator Vision Security Technologies, which is a Security-Net member company. Hill notes that specific security in place at RSA includes an underground high-reliability network power feed from Alabama Power with three transformers, emergency generators, 4,000 gallons of on-site diesel fuel, APC racks with HID readers front and back, a Clean Agent Fire Protection System and more.



Want to Learn More About Securing a Data Center?

Attend the Anixter Data Center Seminar Series, Data Center Physical Security, on August 16, 10:30 am CST. Register today at

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Diane Ritchey

You must login or register in order to post a comment.



Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.


Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security December 2014 issue cover

2014 December

This issue of Security Magazine covers our 12th annual Top Guarding Firms list. Check out the best of the best as of December 2014. The 21st century has brought with it new types of security threats. Read how to combat and protect against these threats.

Table Of Contents Subscribe

Security Emergency Preparedness Training

Which security personnel emergency preparedness training is the top priority to you and your enterprise?
View Results Poll Archive


CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.


Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.