NEW YORK -- Physical security in the data center is often a neglected aspect of IT management. And while data center managers have a long way to go, some organizations are heeding experts' warnings -- and getting up to speed.
Security consultant Thor A. Mollung of Mollung Systems Management, who spoke at last week's Data Center Decisions conference, said mitigating risk in mission-critical IT facilities is paramount.
There are many facets the typical IT manager can overlook, and none can be more glaring than location.
"Site selection is one of the most important aspects of building a new data center. Location is huge. In an inner city area, all of the buildings are close to you. How do you protect your business from a blast?" Mollung said.
Locations that can leave data centers vulnerable include those near airports, railways, seaports and crime areas. Take one near a railway. That's good for commuters, but what if there is an accident or sabotage at the rails, like someone transporting hazardous materials?
It's a risk Mollung said data center managers need to identify.
What if your data center is in a business development area and someone buys the empty lot next door that you were using as a barrier? What do you do to protect that?
According to Mollung, there are ways to harden your peripheral security. Organizations can harden the sides of the building with precast, concrete block; bollards; or natural borders like boulders.
But they don't have to look as ugly as they sound.
"Site hardening needs to be esthetic. Work with a landscape architect to use natural surroundings. Security is a hidden feature. You don't want your security to be so overt that it attracts undue curiosity," Mollung said.
"Work with construction design to make sure the facility can stand the punishment of identified vulnerabilities. And whatever is being proposed for your data center, it needs to meet your budget, environment's needs and corporate outlook. These are different from company to company, and physical security needs to be designed around that," Mollung said.
According to the data center staff at the Federal Reserve, Mollung's message was on point. Rodney Rose, the data center operations manager at its New Jersey facility, said it put them at ease to see that these measures are being considered by other data centers.
The Federal Reserve operates out of two facilities, one in Manhattan's financial district and one in New Jersey. The New Jersey site was once used strictly for contingency backup, but during the terrorist attack of Sept. 11, the Federal Reserve was forced to shut down the grid at the Manhattan facility, and the Garden State site picked up the slack. The Federal Reserve's data center activities ran throughout the crisis, and the New Jersey facility has been live 24/7 ever since.
Today, both data centers are manned at all times by federal police, both in the buildings and on the rooftops. All visitors have to pass through three access points and card key entrances. The facilities have direct lines of contact with local police agencies, as well as the CIA and federal law enforcement.
According to Rob Braccia, staff director at the Federal Reserve Bank of New York, the Fed's data center facilities are above the curve, especially since the Sept. 11 terrorist attacks.
"Between metal detectors, cameras, guard booths and other measures, we're the standard for data center security," Braccia said. "Being in the heart of New York's financial district, we have to be."
The Federal Reserve recently purchased a street from the township in New Jersey where the secondary facility is located, just to have control of the traffic.
Other security functions include specially designed ID cards that do not carry the location of the facility, the company's name or the employee's position, so that the cards are harder to match to a building. The only information is the employee's photo and name.
The Fed has even gone to biometrics. The laptops now have fingerprint access.
Robert Marsh and Benjamin Morse are a data center operations team for DOAR, a Long Island, N.Y.-based consulting firm. Marsh deals mainly with the facility operations and security while Morse deals more specifically with the technical considerations. But they work together to maintain security for their data center.
The Long Island facility has ID card access control, digital video surveillance and internal biometrics. The facility has also recently implemented a secondary communications line, so it now has one coming in above ground as well as below ground.
"It's hard to prevent malicious attacks, especially from inside an organization," Morse said. "But it's important to mitigate that risk and prepare for the worst."
Let us know what you think about the story; e-mail: Matt Stansberry, News Editor