Physical Security is a Must-Have
Trusting your systems and data to a third-party provider can be risky. Of course, many data center operators are reputable and deliver on their promises. But there are thousands of third-party data centers spread across the US, and you'll want to choose the one that best fits your needs. So doing your due diligence is important, especially if you're looking for someone to host your mission-critical systems or to help you maintain compliance.
If you’re scouting for a new home for your systems and data, chances are you’ve visited a few vendor websites. Cybersecurity takes center stage on these sites, because that’s what most people think of when they consider the risks to their data.
But the physical security of your data is vital as well. Physical attacks aren't nearly as common as cyberattacks, but data centers are still vulnerable to them, whether the attacker comes from outside the organization or from within it.
10 Physical Characteristics of a Secure Data Center
Whether you’re touring a potential site or just vetting vendors over the phone, here are some things to look for:
1. 24×7 security guards. Automated security systems are a must-have, but trained security personnel are essential as well. They can ensure processes are being followed, help prevent unauthorized access to restricted areas, spot malicious activity, and deter theft of data and devices.

2. Security cameras, inside and out. Smile! You should be on camera from the moment you approach the building until you've left the property. (The exception is trips to the bathroom, since installing security cameras in bathrooms isn't legal in the US.)

   All activity should be monitored in real time on closed-circuit television, and footage should be retained for at least three months. A well-coordinated physical breach may not happen all at once or be discovered right away, and having several months of footage can help investigators piece together the event.

3. Limited entry and access. Every visitor, including vendors, must sign in when they arrive and sign out when they leave. These logs should also be kept for several months.

4. Preauthorization. Vendors should schedule any maintenance with the operations manager, and each individual performing the work should be properly vetted. Once inside the building, vendors and other visitors should be escorted at all times.

5. Limited employee access. You wouldn't give all of your employees admin rights to your systems, and not all of the data center's employees should have access to every part of the building. Internal doors to sensitive areas should require authentication for access.

6. Two-factor authentication. Keycards alone aren't good enough for data center security. Each door should also require a biometric factor such as a fingerprint or retina scan.

7. Mantraps. Sensitive areas should require entry through two doors with a space between them, so that the second door stays locked until the first has closed behind the visitor. Think of this as an extra layer of protection in the event the first layer is breached.

8. Limited access to the outside. As tempting as it can be to try to save on cooling costs in the winter by opening a window, this is not a good idea. To be secure, all windows in a data center should be sealed.

9. Limited signage. There's a reason you don't see data centers advertised with signage on the outside of the building. The same goes for internal signage. Other than common areas like breakrooms and restrooms, you should leave visitors wondering what's behind all those locked doors.

10. No-fly zone. These days, anyone can buy a small drone for a few hundred dollars and equip it with surveillance equipment. You can protect yourself by choosing a data center in an established no-fly zone, with a vendor that monitors the airspace above its facilities as well as the surrounding area.
FAQ: Should I Visit a Data Center Site Before I Sign a Contract?
There are a number of reasons you might want to choose a data center outside of your immediate area. For example, if you're in a hurricane-prone region, choosing a secondary data center in the Midwest for disaster recovery can improve the resiliency of your systems. Or you might want to establish a primary data center closer to your user base to reduce latency.
If you’re considering a data center in another part of the country, you may be wondering if you need to physically visit the data center yourself, or whether you can trust what the vendor tells you about their physical security precautions.
While we believe it is always best to get a first-hand look at a data center before signing a contract, it's not always possible. And unless data centers are your business, it's not always easy to know what to look for. (Even the checklist we've provided isn't complete.)
One way to gain assurance that a data center's physical security won't compromise your data and systems is to choose a facility that has been independently audited for SOC 2 compliance. You should also ask for a copy of the full report, not just the attestation letter, so you can see which controls were actually in scope and whether the operator has merely met the minimum requirements or is really serious about security.