When it comes to your physical racks and servers, do you know who has access to your assets? Stephen O’Connell, managing director at Rack-Sec, outlines how you can utilise electronic access control to ensure fool-proof security at rack-level.
With the need to protect and auditability for equipment racks becoming more of a must have than a wish list, electronic access control (EAC) to rack level has entered the DC security arena.
DSS/PCI compliance has been in place for a number of years, which requires physical protection and auditable records to protect records of credit cards and personal information stored on servers.
GDPR compliance has recently been made mandatory for personal details held on servers. Although the mention of physical security is a bit vague, with likely heavy fines being introduced for non-compliance by the EU.
The compliance says reporting of any data breach must be notified to the governing body within 72 hours. Therefore, the quicker you can confirm where the breach has happened, the better. With EAC you can audit all personnel quickly to eliminate a physical breach, with research indicating 30% of data breaches are likely to be from your own personnel.
A data centre will normally house different applications and platforms requiring support from a number of services; do you know how many personnel/service companies have access to your data hall/computer room?
Cleaners, maintenance staff, third party maintenance staff, network team, server teams, third party support server companies and other contractors. Talking with large companies, I have found the average number can be up to 60 plus.
Most entrance doors are protected by a building security proximity card system. This will give you information as to who has entered the room, however no detail as to what rack has been opened. This second line of defence will be a key in the rack swing lock, which get lost, so personnel just tend to leave a spare key in the most used rack doors for convenience.
Some sites have added CCTV to the protected areas, however due to coverage limitations most do not cover down to rack level.
Now add to the problem when you are using a colo DC, even more personnel from other companies will be working around your racks, mostly unsupervised.
There are two ways of achieving protection with EAC. One would be the traditional building proximity access system connected via the EAC swing locks, but I haven’t seen that much take up of this as yet by security companies. Also, the amount of equipment and interconnect cabling would be expensive and a big risk installing in a working DC.
The other is the standalone system. There are a number of systems on the market all of which have their good points and not so good points. The connectivity is normally TCP/IP which cuts down on interface cabling, some even have a remote opening feature.
With space required on a SQL server, ongoing licenses costs and support can be very costly. Most have the ability to connect to temp/humidity sensors, fire and water detection, and some, connection to intelligent PDUs for power consumption (invaluable when racks are in a colo) and planning.
Some also have the ability to control local rack cameras – this is the ultimate security option. Having an image of personnel accessing and working in the rack is a complete audit trail with no question or doubt on identity. In fact, with a few tweaks here and there, some systems could be utilised as a mini DCIM, an interesting thought due to the high costs on implementing and maintaining a full blown DCIM.
The EAS swing handle will be fitted with a RFID reader which should be matched to the proximity cards proposed. There are a few companies that supply the handles –the most used seems to be the Southco unit, as they have a swing handle with a multi-pule RFID reader head.
You should also be aware that not all these cards are created equal and there is a plethora of different types out there (Mifare, HID, iclass). Therefore, the type you choose (coupled with the level of encryption) can make a huge difference to costs.
Reporting is generally via an SQL server resource, with different levels of access. Reports are usually to a high standard, and you should check that the information can be manipulated and not just static, i.e. PDF. All systems should be able to email alerts when thresholds and indicators have been activated.
There is a small amount of companies that have a system with no need of SQL space, no ongoing licensing costs, and offer installation – most systems companies only supply the system. With the installation in a live rack environment it is essential competent personnel are used with experience working in DCs and live racks.
All IT departments will now have their own security and compliance team, it makes sense this department should have control of all data defence to control any type of likely breach. Not relying on in-house third parties to grant access, monitor and record activities in the DC.
It’s time to take control of all your assets; the equipment is now readily available, and if you haven’t had a physical breach it will only be a matter of time. The longer without a breach surely means the more likely that one is on the way.
Some rack manufactures now have an EAS system available to be fitted to the rack before delivery to site, but again you do need to check on the specification, hidden costs, licencing and support.