Intelligent Data Centres Issue 10 | Page 45

The need for data centre physical security springs from many places. If you are an enterprise business then you will know immediately how much security you need, as it will be aligned to the intrinsic value of the data or the cost of failing to provide a service, or it could be forced upon you by regulations applied to your industry, e.g. banking or social services. If you are a colocation provider, then you will want to provide a level of physical security that you think will match or exceed the expectations of potential clients.

On the other hand, a large global cloud provider may think that, as no client will try to find out ‘where’ the cloud is, other than perhaps in which national boundary, the need for overt levels of security is reduced. The same applies to the resilience of the IT service provided, as ‘cloud’ is often sold on price and it is difficult to suggest that something that is cheap is superior in quality. The extreme example of security, both physical and cyber, is, of course, data centres for military or secret services, and these will usually be based on paranoia and reflect spending other people’s money without having to justify it other than it all being ‘in the national interest’.

Then we must consider what we are protecting the data centre ‘against’. Is it unlawful entrance (breaking and entering) where the intent is to steal data or the hardware that it resides upon? An example of that was the London data centre where perpetrators broke in through a roof and succeeded in stealing several servers.
The suggestion was that the servers contained tens of thousands of sets of personal financial data, but the police later reported that the servers (their high-end, latest-generation microprocessors, to be precise) were found being sold on eBay for exotic PC gaming machine self-builders. Or is the intent to damage or disrupt the ICT service? This seems a less likely driver as there is another, more effective way of achieving that without entering the premises, which we will look at last of all.

Whatever the need, following a standard is not a bad idea, especially if some form of compliance or certification is required. We do have the security section of EN50600. This is quite simple although, somewhat disappointingly, it tells you the principles to meet but does not give practical examples of how to do it. However, the principle is clear: layers of zones, like the rings of an onion, with the crown jewels in the middle and the exterior property boundary on the outside. There are four layers (separating security zones) and the relationship between them is explored. A potential weakness (which you can simply ignore as being a layer) is that the final barrier can be the lock on the ICT cabinet, but most of us know just how flimsy the typical cabinet doors are and how easy and fast entry could be gained.

Then the penetration of each layer is judged in terms of hold-up time against a man, or a man with an aggressive machine, etc. In other words, how long can the layer resist compared to the time that the police (or other security prepared to physically engage) can respond in force on site? This implies that the boundary between the layers and the zones between them is closely monitored, alarmed and recorded. As we build each layer, some of the paranoia is displayed, but why do I use