When we hear the term physical security what does it mean for you? How about the case for data centers? Physical security is the protection of personnel, hardware, software, networks, and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution. This includes protection from fire, flood, natural disasters, burglary, theft, vandalism and terrorism. In this article, we will see the fundamental theories and principles that are used in industry-level to provide the best in class security to data centers.

The Biggest Threat to Security

We, humans, do all the precautionary measures to make sure the security of our data centers. Even there are multiple levels of security that we apply to improve and tighten the security. But still, do you know that humans are the biggest threat to data center security? People are essential to the operation of a data center, yet studies by the Uptime Institute and the 7×24 Exchange consistently shows that people are directly responsible for 60% of data center downtime through accidents and mistakes — improper procedures, mislabeled equipment, things dropped or spilled, mistyped commands, and other unforeseen mishaps large and small. With human error, an unavoidable consequence of human presence, minimizing and controlling personnel access to facilities is a critical element of risk management even when concern about malicious activity is slight.

Human error in data center facilities is posing one of the biggest internal threat to business continuity, found the study by Enlogic, the company that provides data center energy monitoring products. More than a third of respondents viewed human error as the most likely cause of downtime. Equipment failure and external threat of power outages were the second and third likely causes cited by respondents.

Considering the above facts, the best way to improve the data center’s physical security is by keeping unauthorized or ill-intentioned people out of places that they do not belong, such as a data center or other locations that may contain critical physical infrastructure. Physical security reduces data center downtime by minimizing the human presence in a data center to essential personnel only. Although physical security protects against sabotage, espionage, and theft, it offers even more protection against human error.

What needs Protection?

Let us see what are the things that need to be protected in a data center environment. To identify what needs protecting, create a conceptual map of the physical facility. Then, locate the areas that need to be secured, and classify them by the strength or level of security. The areas that need to be secured might have concentric boundaries with security strongest at the core or the areas that need to be secured might have side-by-side boundaries that require comparable security levels.

As illustrated in the above picture, inner areas can have different or increasingly stringent access methods, providing added protection called depth of security. The innermost circle indicates the deepest, strongest security. With the depth of security, an inner area is protected both by its own access methods and by those of the areas that enclose it. In addition, any breach of an outer area can be met with another access challenge at a perimeter further in. Computer racks stand at the innermost depth of security because they house critical IT equipment.

It is important to include in the security map not only areas containing the functional IT equipment of the facility, but also areas containing elements of the physical infrastructure which, if compromised, could result in downtime. For example, someone could accidentally shut down the HVAC equipment or deliberately steal generator starting batteries. A system management console could be fooled into thinking the fire sprinklers should be activated. To summarize, successful physical security needs to consider any form of physical access that can adversely impact business-critical equipment.

Access Criteria

When you want to access a physically secured area or property, there is mainly two thing that you need to be answered.

1. “Who are you?”

2. “Why are you here?”

Two simplest questions and most important answers. The first question, “Who are you?” establishes or verifies personal identity. The second question, “Why are you here?” provides justification for physical access, a “reason to be there”.

Certain individuals who are known to the facility need access to the areas relevant to their position. For example, the security director will have access to most of the facility but not to client data stored at the installation. The head of computer operations might have access to computer rooms and operating systems, but not the mechanical rooms that house power and HVAC facilities. The CEO of the company might have access to the offices of the security director and IT staff and the public areas, but not the computer rooms or mechanical rooms.

A reason for access to extremely sensitive areas can be granted to specific people for a specific purpose — that is, if they “need to know,” and only for as long as they have that need. Because a person’s organizational role typically implies the reason for access, security focuses on identity verification. The next section discusses physical security identification methods and devices.

Physical Security Identification Methods and Devices

When we are using multiple devices to tighten our physical security, how these devices are making sure that only the correct persons are allowed and rest all are denied? There are multiple identification methods used in this case such as,

1. What you have?

2. What you know?

3. Who you are?

1. What you have?

What you have is something you wear or carry, such as a key, a card, or a small object, such as a token that can be worn or attached to a key ring. Several types of cards and tokens are currently being used for access control. They range from the simple to the sophisticated. They have varying performance, based on several factors, including:

The magnetic stripe card is the most common type of card, with a simple magnetic strip of identifying data.

When the card is swiped in a reader the information is read and looked up in a database. This system is inexpensive and convenient; its drawback is that it is relatively easy to duplicate the cards or to read the information stored on them. The barium ferrite card (also called a “magnetic spot card”) is similar to the magnetic stripe card but offers more security without adding significant cost. The Weigand card is a variation of the magnetic stripe card. Unlike readers for proximity cards and magnetic-stripe cards, Weigand readers are not affected by radio frequency interference (RFI) or electromagnetic fields (EMF). The robustness of the reader combined with the difficulty in duplicating the card makes the Weigand system extremely secure (within the limits of a “what you have” method), but also more expensive. One of the best suite example for magnetic stripe card was the bank ATM cards which were available few years back(now replaced by chip based cards).

The barcode card carries a bar code, which is read when the card is swiped in the reader. This system is very low-cost but easy to fool — an ordinary copy machine can duplicate a bar code well enough to fool a bar-code reader. Bar-code cards are good for minimum-security requirements, especially those requiring a large number of readers throughout the facility or a large volume of traffic traversing a given access point. This is not so much a security system as it is an inexpensive access monitoring method.

The infrared shadow card improves upon the poor security of the bar-code card by placing the bar code between layers of PVC plastic. The reader passes infrared light through the card, and the shadow of the bar code is read by sensors on the other side.

The proximity card, sometimes called a “prox card”, is a step up in convenience from cards that must be swiped or touched to the reader. As the name implies, the card only needs to be in “proximity” with the reader.

It is a card with a built-in silicon chip for onboard data storage and/or computation. The general term for objects that carry such a chip is smart media.

Smart cards offer a wide range of flexibility in access control. For example, the chip can be attached to older types of cards to upgrade and integrate with pre-existing systems, or the cardholder’s fingerprint or iris scan can be stored on the chip for biometric verification at the card reader — thereby elevating the level of identification from “what you have” to “who you are.”

Contactless smart cards having the “vicinity” range offer nearly ultimate user convenience: half-second transaction time with the card never leaving the wallet.

2. What you know?

What you know is more secure than what you have. An example of what you know is a password, PIN code, or procedure for something such as opening a coded lock, typing a verification code at a card reader, or using a keyboard to access to a computer. A password/code presents a security dilemma: if it is easy to remember, it will likely be easy to guess. If it’s hard to remember, it will likely be hard to guess, but it will also likely be written down, thus, reducing its security.

3. Who you are?

Who you are refers to identification by recognition of unique physical characteristics. Physical identification is the natural way people identify one another with nearly total certainty. When accomplished (or attempted) by technological means, it is called biometrics.

Researchers have developed several computer based, biometric scanning techniques that look for human features such as,

• Fingerprints and Hands or the shape of fingers and thickness of hands 
• The Iris, or the pattern of colors within the Iris 
• The Face or the relative position of the eyes, nose, and mouth 
• The Retina or the pattern of blood vessels within the retina 
• Handwriting or the dynamics of the pen as it moves
• Voice

Among this 3 security verification methods, which one do you think as the most effective security technique? I know the answer will be the security techniques under ‘Who you are’are the most reliable. This chart shows the relative reliability of each of the three basic security identification approaches.

“What you have” is the least reliable form of identification, because there is no guarantee that the correct person will use it. It can be shared, stolen, or lost and found.

“What you know” is more reliable than “What you have”, but passwords and codes can still be shared, and if they are written down, they carry the risk of discovery.

“Who you are” is the most reliable security identification approach, because it is based on something physically unique to you. Biometric devices are generally very reliable, if recognition is achieved — that is, if the device thinks it recognizes you, then it almost certainly is you. The main source of unreliability for biometrics is not incorrect recognition or spoofing by an imposter, but the possibility that a legitimate user may fail to be recognized (“false rejection”).

Combining Methods to Increase Reliability

A typical security scheme uses methods of increasing reliability. For example, entry into the building might require a combination of swipe card plus PIN; entry to the computer room might require a keypad code plus a biometric. Combining methods at an entry point increases reliability at that point; using different methods for each level significantly increases security at inner levels, since each is secured by its own methods plus those of outer levels that must be entered first.

These are the most basic things that each data center individuals should be aware of when looking at data center security. Plenty of technologies exist to try to help address this problem of keeping unauthorized or ill-intentioned people out of places where they don’t belong.  IT managers generally know who should be allowed where. The challenge lies in deciding which of an array of identification technologies to apply in what combination in order to answer two simple questions, “Who are you, and why are you here?” So decide what’s best for you and your data center security.

Knowledge Credits: Energy University by Schneider Electric

Have a comment or points to be reviewed? Let us grow together. Feel free to comment.