The need for data centre physical security springs from many places. If you are an enterprise business then you will know immediately how much security you need as it will be aligned to the intrinsic value of the data, the cost of failing to provide a service, or it could be forced upon you by regulations applied to your industry, e.g. banking or social services.

If you are a colocation provider, then you will want to provide a level of physical security that you think will match or exceed the expectations of potential clients. On the other hand, a large global cloud provider may think that, as no client will try to find out ‘where’ the cloud is, other than perhaps in which national boundary, the need for overt levels of security is reduced – the same applies to the resilience of the IT service provided, as ‘cloud’ is often sold on price and it is difficult to suggest that something that is cheap is superior in quality.

The extreme example of security, both physical and cyber, is, of course, data centres for military or secret services and these will usually be based on paranoia and reflect spending other people’s money without having to justify it other than it all being ‘in the national interest’.

www.intelligentdatacentres.com
Then we must consider what we are protecting the data centre ‘against’. Is it unlawful entrance (breaking and entering) where the intent is to steal data or the hardware that it resides upon? An example of that was the London data centre where perpetrators broke in through a roof and succeeded in stealing several servers. The suggestion was that the servers contained tens of thousands of sets of personal financial data but the police later reported that the servers (their high-end, latest generation, microprocessors to be precise) were found being sold on eBay for exotic PC gaming machine self-builders.

Or is the intent to damage or disrupt the ICT service? This seems a less likely driver as there is another, more effective way of achieving that without entering the premises, which we will look at last of all.

Whatever the need, following a standard is not a bad idea, especially if some form of compliance or certification is required. We do have the security section of EN50600. This is quite simple although, somewhat disappointingly, it tells you the principles to meet but does not give practical examples of how to do it.

However, the principle is clear: layers of zones, like the rings of an onion, with the crown jewels in the middle and the exterior property boundary on the outside. There are four layers (separating security zones) and the relationship between them is explored. A potential weakness (which you can simply ignore as being a layer) is that the final barrier can be the lock on the ICT cabinet – but most of us know just how flimsy the typical cabinet doors are and how easy and fast entry could be gained.

Then the penetration of each layer is judged in terms of hold-up time against a man, or a man with an aggressive machine, etc. In other words, how long can the layer resist compared to the time it takes the police (or other security prepared to physically engage) to respond in force on site. This implies that the boundary between the layers and the zones between them is closely monitored, alarmed and recorded.

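An added worked example (not from the article or from EN50600) of the hold-up time versus response time comparison described above: it checks whether the barrier delay remaining after the first alarm covers the time the responders need to arrive. The layer names, the attack classes `hand_tools` and `powered_tools`, and every number are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Layer:
    name: str
    hold_up_s: dict   # attack class -> seconds the barrier resists (constructed)
    alarmed: bool     # does breaching this barrier raise an alarm?

def delay_after_alarm(layers, attack):
    """Seconds of barrier delay left once the first alarm has fired.

    Layers are ordered outside -> inside. Conservative assumption: an alarm
    fires only when its barrier has been breached, so that barrier's own
    hold-up time is not counted. Returns (layer_name, seconds), or
    (None, 0.0) when no layer is alarmed.
    """
    for i, layer in enumerate(layers):
        if layer.alarmed:
            rest = sum(l.hold_up_s[attack] for l in layers[i + 1:])
            return layer.name, float(rest)
    return None, 0.0

def assess(layers, response_s):
    """Per attack class: does the delay left after the first alarm cover the response time?"""
    report = {}
    for attack in layers[0].hold_up_s:
        first_alarm, remaining = delay_after_alarm(layers, attack)
        report[attack] = {"first_alarm": first_alarm,
                          "remaining_s": remaining,
                          "margin_s": remaining - response_s,
                          "adequate": remaining >= response_s}
    return report

# Constructed sample site: four barriers, outside -> inside.
SITE = [
    Layer("perimeter fence", {"hand_tools": 120, "powered_tools": 30}, alarmed=True),
    Layer("building shell", {"hand_tools": 600, "powered_tools": 180}, alarmed=True),
    Layer("data hall door", {"hand_tools": 480, "powered_tools": 120}, alarmed=True),
    Layer("cabinet lock", {"hand_tools": 30, "powered_tools": 10}, alarmed=False),
]
RESPONSE_S = 900  # constructed: seconds for responders to arrive on site in force

if __name__ == "__main__":
    for attack, result in assess(SITE, RESPONSE_S).items():
        print(attack, result)
```

With these constructed figures the site holds against hand tools but not powered tools, and an unalarmed outer barrier removes its successor's hold-up time from the usable delay as well.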
As we build each layer, some of the
paranoia is displayed, but why do I use
Issue 10