When looking at data centers, enterprise customers have traditionally wanted to see bells and whistles – the lights on servers. In the era of COVID, that mindset is slowly evolving. Increasingly, they are moving away from the attitude that all their data must be securely kept on-premises. At the same time, they are not ready to throw all of their information and applications into the cloud; some of it, they realize, must be situated where they know it resides, and they know the steps that are being taken to keep it secure. This hybrid IT approach has gained significant traction over the last several years.
Many firms are moving toward the hybrid approach: keeping some of their information on site, while moving other data to off-site, third-party data centers or the cloud. The growth in multi-tenant data centers (MTDC) is significant and shows no sign of slowing down. Industry analysts 451 Research recently wrote, “Post COVID-19, we expect demand for leased datacenters overall to rise, as cloud growth translates into datacenter requirements and as enterprises start factoring pandemic preparedness into future business continuity strategies.” Arizton analysts estimate the colocation market will grow at an annual rate of seven per cent, reaching revenues of more than $53 billion by 2025.
With that shifting mindset, companies want to ensure the space where their data and applications are kept is backed by reliable and tested Uninterruptible Power Supply (UPS) systems, coupled with security, and runs as close to 100% reliability as possible on a consistent basis (hence the term “five nines”). Customers want their colocation provider to have a physical infrastructure that’s as reliable as the power from their UPS system, where they will not have to continually second-guess these basic physical security elements.
Put another way, they want to be able to sleep at night, knowing the information that keeps their business in business is secure and available to those who need it.
Companies are asking the data center vendors they contact to be particularly careful regarding security with their colocation solutions because it is, by its very definition, space shared with the information from other firms, and outside of the enterprise’s direct control. Each colocation provider takes slightly different approaches to physical security, but they are all basically the same at their root. There are standard security features that any world-class colocation provider’s environment will have in place. The difference comes when one gets to enhanced security features and specific security regulations. With that in mind, if you’re thinking about moving some or all of your data and applications into a hybrid IT environment, here are several items to look for regarding physical security when you’re evaluating any colocation data center facility.
The Five Rings of data center security
Data center security is far more than just implementing Access Control Lists (ACLs) on a router and firewalls. Physical colocation requires a minimum of “five rings of security.” These five security features are a must for all colocation providers and cover public spaces from the perimeter all the way to the individual server housings.
- Entering/leaving the building – The perimeter of the building should be secure, with features in place such as cameras covering 360 degrees of the building’s exterior, biometric readers and/or security guards. Bag searches should be considered a mandatory requirement for people entering and leaving. For example, both clients and visitors must sign in and sign out and must not be allowed to keep the badges they’re issued when entering the center.
- Entering the mantrap – A data center’s mantrap is exactly what it sounds like: it’s an access control system that consists of a small space and two interlocking doors. One set of the doors must close before the other one can be opened, either automatically or manually by a security guard, so that the person is briefly “trapped” in the vestibule before clearing the second door. A combination of PIN, biometric and card security measures should exist to enter the mantrap. Additional anti-tailgating measures should be in place as well, making sure that only one person can enter at a time.
- Exiting the mantrap – Once in the mantrap, are there additional biometric security steps before anyone is allowed to leave the space, again, one person at a time?
- Entering the colocation white space – Another round of biometric hand scanners and card readers should be in place, to monitor exactly who is allowed to gain access into the colocation’s white space, the physical space where your equipment will be installed.
- Accessing the cage and/or cabinet – Finally, the innermost ring is entering or accessing an individual cage or cabinet. A complete level of security must be in place to enable this: people should be required to gain access through a key at minimum, or dual authentication (PIN plus biometrics) for higher-level security. This can be especially important in scenarios where companies are sharing cabinets or cages in the data center; there, an additional level of security, such as requiring PIN and biometrics or a key to access an individual space, is a desirable option.
These five rings of data center security must be in place, in addition to any on-site security personnel as well as security cameras throughout the data center.
Enhanced data center security options
While the Five Rings offer a good security foundation, many clients are interested in additional security features. Many of these requirements focus less on access and more on the physical security of cabinets, cages, and servers. Commonly requested additional security options include:
- Double mesh on cages, creating meshing so tight that not even a thumb drive can fit through
- In raised floor situations, mesh is often requested to extend all the way to the facility floor
- Screw-secured raised flooring
- Double key entries
- Secure tops on cages and under floor mesh
- Motion sensors inside private customer cages
- Custom video surveillance - Additional cameras inside cages
- Hiring third party security companies to have a physical live security professional sitting outside the cage door to monitor access
- Access tracking and reporting
These requests are often easy to accommodate, but if you’re interested in implementing some or all of them, you’ll want to speak with your data center provider before you move into the colocation facility.
Security standards and regulations
Security standards and regulations are another area where colocation providers can set themselves apart. Any colocation solution will adhere to ISO 27001 and some level of System and Organization Controls (SOC), with SOC 2 increasingly becoming a common standard. Make sure you ask any data center operator which regulations they’re adhering to before you agree to sign a contract.
ISO and SOC aren’t the only standards you may want to consider. PCI DSS (the Payment Card Industry’s Data Security Standard) for instance has its own set of well-outlined security requirements. Not all data center facilities will meet PCI compliance, so it is important to specifically ask if it’s available, if you need it. The same applies for HIPAA (Health Insurance Portability and Accountability Act) compliance. While specific security requirements are not as clearly outlined in HIPAA documentation, you’ll want to make sure the chosen colocation provider and data center facility can meet these needs if it’s important to your company.
The dedicated, hard-working employees within the data center, day in and day out, will always be the first line of defense. It is necessary to ensure that the personnel within the data center being considered are as solid as the cameras and the biometric measures in place. A solid support system at all levels of infrastructure, security and personnel within the data center is vital to a secure, successful deployment.
In sum: Instilling confidence in data center security
Security at a colocation data center serves several functions – from keeping your servers safe to ensuring packages sent to the facility are received and correctly delivered. In addition to power and space, good security (physical, policies, and practices) is one of the biggest requirements clients have, and it’s a requirement you should insist on if you’re thinking of moving in this direction, as many other companies have already done. Make physical security a key discussion point on your checklist when shopping for colocation vendors, and don’t hesitate to ask for a tour of the facility (either in-person or virtual) in order to experience the security features for yourself.
The bells and whistles may initially attract you, but at the end of the day, the knowledge that your data and applications are safe, secure and available to those who need them must be a key factor in your decision.