Matthias Buehner - Fotolia

Data center physical security gets a tougher look

Organizations seeking colo data center space are now asking more questions -- many of them detailed -- about the physical security of the data center.

When a prisoner jailed for carjacking walked away from a work release program in Delaware earlier this month, he sought refuge in a data center.

The man had been working all afternoon with a prison crew before he escaped. Early the next morning he found his way through a broken door and into a data center.

Nothing was reportedly stolen or damaged, but it is just one recent example of what some data center operators say is the most overlooked component in the data center -- physical security.

The market for data center physical security products will grow from $1.18 billion this year to $2.22 billion in 2019, according to a report, "Global Data Center Physical Security Market 2015-2019," from Technavio, a London-based technology market research firm.

That growth will be driven by the increased importance of data center infrastructure, increased security threats and breaches and tighter SLAs between end-users and colocation providers, among other factors, according to Rakesh Panda, a senior analyst with Technavio.

Some data center operators, including DuPont Fabros Technology, Inc., say they are seeing increased scrutiny of the data center's physical security from clients.

"Some of [our clients] used to want very little info but now they are looking more in-depth at what we do and how we do it," said Scott Davis, executive vice president of operations at DuPont Fabros, a wholesale data center owner and operator based in Washington, D.C.

The company would previously get requests for data from clients once or twice a year, but now it is more often, according to Ted Royster, DuPont Fabros' director of security.

"They want documentation that their equipment is secure," Royster said.

The increase prompted DuPont Fabros to add another staff member to respond to the sheer volume of requests for information and audits across the company's entire data center portfolio, Davis said.

When those requests come in, clients have access to access control logs, and security camera footage, he said.

"It is important that when a customer says 'Can we see this?' you want to be able to show it to them," Davis said.

Despite the piqued interest in physical security from some customers, there have been very few high-profile physical security breaches at data centers -- certainly nothing matching the many incidents of logical security breaches, including the most recent one involving U.S. federal government employee data, as well as others that hit big-name retailers such as Home Depot and Target.

But the number of security breaches in the data center is almost 10 to 12 times more than what is reported, according to Technavio's Panda. The majority of data center security breaches are to the logical security, but often physical security breaches end up being reported as "data theft," including most of the insider theft and employee negligence in tier 1 and tier 2 data centers, Panda said.

Hillard Heintze is a risk security management company headquartered in Washington D.C. that conducts security audits on data centers. John Orloff, the company's senior vice president of security risk management and a former member of the U.S. Secret Service, said the company undertakes penetration testing at data centers, where he tries to circumvent humans and technology to get inside.

The growth of data center outsourcing has helped fuel a focus on physical security, he said.

"The clients want to make sure only the people that should be allowed in are the ones that are allowed in," he added.

The continuing presence of physical security breaches in the headlines has likely increased attention on physical security, too.

"It's become front of mind for everyone," Orloff said.

Earlier this year, the federal government in Canada revealed a fire call to one of its most secretive and supposedly most secure data centers, which resulted in a physical security breach.

Firefighters responding to a call at the Communications Security Establishment Canada in Ottawa in 2013 simply cut a blot and swung open a gate to get inside, according to documents obtained earlier this year by the Toronto Star.

In the documents, it was revealed there were several broken surveillance cameras and a red security badge was missing.

Among the key trends for data center design and operation is an increase in questions about physical security, Drew Leonard, vice president of colocation product management for CenturyLink, said during a session last month at Uptime Institute's Symposium. CenturyLink is a Monroe, Louisiana-based provider of local and long distance telephone services, fiber optic internet and cloud computing.

Enterprises are asking for stricter SLAs in regard to data center security breaches plus requesting more security cameras and locks on cabinets, he said.

The perception of tight security at the data center helps too, Leonard said, such as a perimeter fence.

He has seen an increase in requests for customized cage security and customized video surveillance.

"There seems to be a new level of interest about what we do to provide a greater level of security in the data center," Leonard said. "They want to make sure that there cage is only their cage and they are the only ones that have access."

Before the lease negotiations are finalized, potential clients ask more detailed questions including the specific certifications of data center staff or request to see in-depth background checks, Davis said.

Some of [our clients] used to want very little info but now they are looking more in depth at what we do and how we do it.
Scott DavisExecutive Vice President of Operations, DuPont Fabros Technology

"Some of the organizations are asking us to go deeper," Davis said, and some are making sure that the checks extend to all of the on-site security guards and technicians, not just those who work full-time.

Orloff agrees, noting data centers should have strict policies about ongoing background checks.

"The greatest threat may be the insider threat," he said. "You really need to know your workforce."

One specific certification Davis said he is getting questions about is ISO 27001 regarding information security management.

Healthcare clients specifically have expressed some concern about having data center staff near the racks and the company's latest data center design has fencing between the racks and operational equipment, Davis said.

Some clients have also asked to see the company's so-called post orders, which show the operator's methods and procedures for building security.

Royster said would-be data center clients should keep up on the latest technology in use for the physical security, including ways a security card can be enhanced and developments in CCVT technology.

Clients should also expect constant communication from the data center operators. For example, if a fire alarm test is scheduled, that should be communicated well in advance, Davis said.

DuPont Fabros Technology also found a way to deal with the number of data center tours requests-- he has created a professionally produced video that offers a walk-through of the building. In addition to the racks, it can show up-close and detailed information about the electrical areas, including UPS, backup diesel generation and fire suppression systems, David said.

Enterprises seeking a cololocation -- whether it is retail or wholesale -- still don't ask all the questions that they should, Davis said. Among those questions is whether the colo providers can add more CCTV cameras or occupancy sensors in the future, if needed.

The operator of the data center in Delaware where the prisoner snuck in, First Data Corp., did not respond to a request for comment.

Robert Gates covers data centers, data center strategies, server technologies, converged and hyperconverged infrastructure and open source operating systems for SearchDataCenter. Follow him @RBGatesTT.

Next Steps

Is your data center up to code?

Who should have access to your colocation facility

Data center security best practices

Dig Deeper on Data center design and facilities