The data center is the heart of an organization's information technology operation. The data center is where a business stores its information, monitors its systems and runs reports, in addition to other information technology activities. It is imperative that a company take the appropriate steps to secure the data center properly, reducing the risks to this vital business function.
A locked door is at the top of the list of measures to protect the data center. Aside from the obvious advantage of keeping out people with bad intentions, it keeps out other people who should not be there. This prevents a plethora of accidents, from spilled drinks to bumps to pulled power plugs. Limit access to employees or service personnel who must have access to the data center. Card access is one of the simplest measures for securing the data center doors, but some companies go the extra mile and use biometrics to make sure that only authorized persons gain entry to the room.
Location and Perimeter
The decision on where to locate a data center should take into consideration the risks inherent in a given location. For instance, locating a data center near railroad tracks introduces the risk of chemical car accidents. Locating a data center in a flood plain invites flooding of the center. After a safe location is determined, perimeter security should include fences, video cameras and security personnel.
Heat and dust are major enemies of computing equipment. Therefore, data centers need to be clean and cool. Large HVAC systems are typically needed to keep the room cool. Air flow design is critical to ensuring that a critical aisle doesn’t overheat. The room must be cleaned on a daily basis to keep dust to a minimum. The importance of cleaning increases if there is a high printing volume in the data center, since paper produces a lot of dust. Most data centers are equipped with heat sensors so that if the room temperature rises above a predetermined level, the equipment automatically shuts down.
Data centers are targets for cyber criminals who need not physically enter the room. They work hard to find a virtual door that will allow them access to the company’s information systems. Hackers use many tools to achieve entry, including port scanners, network mappers, plain old Web access and more. These tools help the hacker to probe for vulnerabilities in the organization's information technology infrastructure. It is imperative that these doors be shut as tightly as the physical doors. Server hardening, firewalls, intrusion detection systems and more all play a part in protecting the data center from cyber attacks.
Fire suppression is a must for a data center because the very nature of the computing equipment introduces the risk of fire. Typical fire suppression methods include but are not limited to sprinklers, oxygen depletion and gas. A data center security checklist must address fire suppression or it is incomplete.
Dumpster diving is the practice of plowing through a company’s dumpsters in search of confidential information. All trash paper produced by the data center should be shredded for confidentiality. Many times hackers and social engineers find enough information in the trash to help them to gain both logical and physical access to a company’s vital information.
An important function of the security personnel is to be sure only authorized people gain access. But even authorized entrants can cause problems. Cleaning crews have been known to unplug servers so that they can plug in their vacuum cleaners. If the security personnel are from a service, they should be subjected to background checks to be sure the proverbial fox is not guarding the hen house. A company employee should accompany service men who need access to the center to service equipment.
Every data center is subject to the risk of one or more natural disasters. Whether from lightning, floods, earthquakes, wildfires or any of a number of natural disasters, there is significant risk to the operation of the data center. It is imperative that management develops a good disaster recovery plan for such situations. The plan should include procedures for activating the plan, emergency communications, response teams, travel and recovery. The lack of a good disaster recovery plan exacerbates the risk of negative impact from a disaster.
Although a data center faces many risks, they can mitigated in many ways. Sound physical and logical security, well-documented recovery procedures and a good employee training plan all go a long way in protecting and securing a data center.