Data center security: Time to head for the bunker?

The age of global terrorism requires a higher standard of data center security.
 

BY ROY HARRYMAN

This article originally appeared at AFCOM.com.

When Larry Harms takes a phone call, he answers from beneath 50 feet of solid rock.
 
He’s not trapped in a cave, but comfortable inside his new digs at StrataSpace, a former limestone mine converted into a facility exclusively for data center and other high-tech users near Louisville, Ken.
 
With fear of terrorism in the back of everyone’s minds, is this the future of data center security? Harms, president of the company, hopes so.
 
The mine’s owners originally planned a commercial storage facility. But the attacks of Sept. 11, 2001, spurred him to offer a new proposal: a super secure, squeaky-clean underground facility leased exclusively to high-tech tenants.
 
“I went to our board and said, ‘Let’s change our focus and take it to a higher level and provide security that’s second to none,’” he says. The result: “Companies are looking at this as a mirroring site. There are many applications for this type of facility if you’re willing to spend the money and step out of the box.”
 
In addition to a roof that is up to 65 feet thick, Strataspace is protected by coded access, steel doors, security guards, cameras and a discreet location.
 
“There are two ways in and two ways out,” he says. “We’re in a mass of solid rock so there is no place for people to bust in, but it’s lit up like a classroom. It would be awful difficult for someone to get past security.”
 
Strataspace isn’t the only data center going underground. The Bunker, a British hosting company built in a former NATO nuclear grade shelter, markets itself as “an impregnable fortress.” The facility, nearly 100 feet below ground, has 10-feet-thick concrete walls and two-ton steel doors protecting the servers inside. Guard dogs and cameras keep watch above ground.
 
Assessing the Risk
Although data centers haven’t been specifically targeted by terrorists, the future isn’t rosy, says Ron Hughes, president of California Data Center Design Group in Gold River, Calif.
 
“I think you will see a data center get attacked in the near future just because the impact is so great,” Hughes says. “By taking out a data center, they could take out the national power grid and air traffic control centers. I think it’s only a matter of time. If you know which data centers are really critical, it could have a tremendous impact on the national economy.”
 
Hughes offers this quote from China’s People’s Liberation Daily: “An adversary wishing to destroy the United States only has to mess up the computer system of its banks by hi-tech means. This would disrupt and destroy the U.S. economy.”
 
The FBI, according to Hughes, says that data centers “provide services so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States.”
 
While many data center managers talk about physical security, “there just isn’t enough thought given to it,” he says.
 
Although data centers haven’t been in the crosshairs, they have experienced collateral damage. Strikes in Washington, D.C., New York and London have destroyed several centers, according to Kailash Jayaswal, author of “Administering Data Centers.” Companies also suffered data loss in the 1995 Oklahoma City bombing.
 
Information Week reports that one person was killed and four wounded last year when a gunman opened fire on the Indian Institute of Science in Bangalore. The city is home to more than 1,000 technology firms.
 
“Making sure you are planning for the incapacity of your primary site is of critical importance,” Hughes says. “A lot of companies ignored this for years. Sept. 11 woke a lot of people up.”
 
When a new data center is built, numerous safeguards can be planned into the facility. An ideal site is a large lot in a discreet location that is guarded, fenced and away from roads. Windows should be few and bullet resistant. Electrical equipment, generators, power plants and cooling towers should be located behind block walls.
 
But what if you’re stuck on the fourth floor of a courthouse or share a multi-tenant facility? Is there anything you can do? Let’s face it: Not every data center can be located in a bunker. Many, will have to make due with facilities that aren’t ideal for security.
 
Here are some things you can do, courtesy of Hughes, to reduce the threat to your facility:
 
Get Serious About Perimeter Security
This means letting the right people in and keeping the wrong people out. Guards, security cards, badges, pin numbers, approved admission lists and biometric codes can limit access. As people get closer to mission critical equipment, the level of security should increase.
 
“Forcing your way into a properly designed facility should be extremely difficult,” Hughes says. “A hardened exterior with highly visible security systems may discourage a terrorist from even trying.”
 
When employees leave the company, their badges should be immediately revoked and their entrance privileges terminated from all databases.
 
“One thing that could really hurt a data center is a disgruntled employee,” he says.
 
Limit Parking 
If cars are parked next to your facility, try to negotiate with the landlord to have them moved. Erect barriers (even aesthetically pleasing concrete planters) to keep someone from getting a car bomb close to your site.
 
Ensure redundancy: Multiple communication carriers, redundant entrance facilities and diverse routing for fiber can help prevent an attack from shutting down your center.
 
Have a disaster recovery plan: A plan that is well devised and tested can make the difference between being down for hours, weeks or going out of business.
 
Raise Awareness
Make sure employees understand the potential for a terrorist attack. Have them on the alert for suspicious vehicles, people and activity. An alert staff may prevent an attack from happening because they could cause a terrorist to choose a less protected location. Better safe than sorry.
 
Put Cameras in Action
Exterior cameras are crucial to security. In addition, cameras should be pointed at key controls inside the facility. But it’s just as important to have adequately trained security employees actually watching the monitors and not distracted by other duties.
 
Establish reasonable security measures and stick to them: Strike a balance between security and convenience.
 
“You get complacent,” Hughes says. “It’s a hassle to comply with the rules 100 percent of the time. It’s always a battle between what security you’d like to have and the day-to-day challenge of getting employees in and out of sites.”
 
But he adds: “If you don’t control access, if you don’t know what has been brought into the facility and you don’t know where visitors are at all times, you don’t have any security.”
 
Hughes, a former data center security manager, gave this policy to his staff: “I told them if there was going to be an exception, I would make it.”