iTWire recently took the opportunity to chat with Joseph Badaoui, Senior Engineer at Digital Reality about security issues related to the rise in co-location (mixture of on-prem and cloud) and the requirement for a convergence of physical and cyber security. We took the view that "security" ought to be taken in a very wide view.
iTWire: Welcome Joseph Badaoui, thanks for your time. I'd like to first get to the heart of the issue and ask whether you think the private data centre, as we know it, is becoming redundant. Surely a cloud-based environment offers plenty of advantages.
Badaoui: Great question. Although perhaps we need to step back from that for a moment to consider all data centre factors before making that determination.
iTWire: Clearly no-one wants to build dual data centres, just as an insurance!
Badaoui: Of course. But we still need to maximise our protection – to me, there are three redundancy elements to consider:
Firstly, it is important Ensure redundancy is built across system areas that are critical to delivering the capacity required to power, backup, and cool a facility at full IT load.
iTWire: I assume that means dual electricity supplies, independent air conditioning systems and so on.
Badaoui: Yes, that's right. Next, we must ensure the data centre has at least one independent backup system across all critical services unit. This will protect against complete system crash in the event of a component failure or if a system element must undergo maintenance. This means we're ensuring the systems in place are concurrently maintainable.
Finally, it is crucial that we confirm that the redundancy models extend beyond power and cooling to include the physical security infrastructure, and utilities within the data centre. This is essential to ensure operational effectiveness.
iTWire: OK, that gives us some context for what's inside the building and the services that are delivered, but what of the building itself? Presumably we don't have the funds to build an indestructible 'cube.' What should we do?
Badaoui: There are a number of measures that must be taken to protect against explosive devices, natural elements and potential intruders. Buildings should feature multiple layers of physical security including sufficient wall density, minimal windows and where required, use shatter resistant window film. CCTV with continuous recording (24/7/365), as well as plenty of external lighting are also essential.
iTWire: I recall hearing of other secure facilities that measure their security based on the amount of time a "determined intruder" needs to enter the building, achieve their objective and 'fight' their way out again.
Badaoui: Yes, that's certainly a useful yardstick. To complete my description, the perimeter of the building should also include a buffer, with security guards required for access. These measures will slow the time it takes for potential intruders to get in and out undetected.
iTWire: Of course it's all well and good to build this gigantic, indestructible cube, but we do need to permit people to enter and exit, particularly during an emergency.
Badaoui: As I see it, entry points should be limited to the main entrance and the loading dock, with vehicle access blocked by barriers such as bollards and concrete planters. To ensure safety during an evacuation, fire doors should be exit only and entry points should be monitored 24x7 using IP-enabled video surveillance. Cameras should be integrated into the network firewall so they are protected from cyber-attacks.
iTWire: Speaking of cameras, what are your suggestions there? Is there a one-size-fits-all solution?
Badaoui: Surveillance systems should be tailored to their application, which may include motion-detection, pan-tilt-zoom, and low-lighting capabilities.
Further, the security system should be isolated by data centre firewalls, with data retention and destruction policies for surveillance footage – I'd recommend keeping footage for a minimum of 90 days, with the ability to retain 'interesting' footage permanently.
iTWire: Clearly, if we're going to permit entry and exit by real people, we need to have some strong authentication processes in place.
Badaoui: Strict data governance measures – such as passwords and credentials - should be integrated into the network to manage user access. Therefore, ingress and egress access must be controlled by multi-factor authentication. If an organisation is employing biometric data, I'd recommend it remain in the possession of the end user.
iTWire: Indeed. I've personally visited facilities where people are weighed in "man-traps" on ingress and again on egress from the more secure parts of the building.
Badaoui: Yes, those are quite common.
iTWire: Speaking of physical security, are there other methods that ought to be in place?
Badaoui: I'd suggest that entry to secure areas of the data centre should require people to authenticate at least four times – for example, from the building perimeter entrance to lobby or loading dock and entrance to the most secure areas such as cages and cabinets.
iTWire: I guess that brings us to a useful completion. Although we're still left with the opening question as to whether the private data centre is redundant. Perhaps we can't make that determination but we have given potential owners plenty to consider.