Elevating Data Center Security
Rack-level electronic access control may thwart cybercriminals
The endlessly growing mountains of personal, private
data collected as part of routine transactions in our
digital world continue to be a target for cybercriminals,
who are moving beyond digital theft to the real world
by targeting the servers that contain this data.
In 2017, the global average total cost of a data breach was $3.86
million, up six percent from the previous year. As the total cost of
data breaches rises, the probability of an organization undergoing
a data breach increases to 27.9 percent, and the World Economic
Forum ranks cybercrime among the top three risks in the world. These
numbers are staggering and the costs grow every day, with data security
breaches impacting governments, financial corporations, credit card
companies, telecoms and healthcare organizations.
While firewalls, data encryption and antivirus/anti-malware tools
handle the logical side of data protection and security, the physical
heart of our digital world—also known as the data center—demands
an exceptional level of protection, which can be achieved through a
multi-layered approach to access control.
The Risks Keep Growing
As more personal information is pushed into the digital world, the
risks and costs of data breaches continue to climb. According to the
Breach Level Index, there were 1,765 publicly disclosed data breaches
in 2017, leading to the successful theft or loss of 2.6 billion data records.
To net it out, that equals approximately 4,949 records stolen
every minute, or 82 records every second.
Organizations found in violation of data regulations face costly
consequences. This situation dramatically elevates the importance of
physical protection and security for data center managers. As more
businesses, governments and organizations move toward cloud-based
data storage, regulatory bodies are placing a stronger emphasis on
data protection, making it more important than ever for data center
managers to ensure that their security administration meets industry
standards.
The Payment Card Industry Data Security Standard (PCI DSS),
for instance, is regarded as one of the most significant data protection
standards in the IT industry today. PCI DSS is designed to protect
the personal data of consumers and sets access control requirements
for the entities that secure their information.
The regulation calls for monitoring and tracking personnel who
might have physical access to data or systems that house cardholder
data. This access should be appropriately controlled and restricted.
Personnel covered under PCI DSS include full- and part-time employees,
temporary employees, contractors and consultants who are
physically present on the entity’s premises. The regulation also covers
visitors, such as vendors and guests, who enter the facility for a short
duration—usually up to one day.
But aren’t most data breaches carried out by outside hackers
breaking in through firewalls, rather than by people within an organization?
The data says otherwise. In many cases, according to research
conducted by IBM, the next attack could come from within an
organization.
In 2015, 60 percent of all attacks were carried out by insiders,
either those with malicious intent or those who served as inadvertent
actors, for example by configuring a server incorrectly or leaving a port
open by accident.
For the data center manager, the benefits of compliance are twofold.
Compliance not only protects the confidential nature of the data
stored within the data center, it also protects the data center from
regulatory penalties and the added cost of lost productivity that may
occur as a result of a data breach.
Securing Assets with EAS
Managing access to the data center is becoming more complicated
as data housing facilities continue to expand their hosting capabilities.
From data centers housing information for a single organization
to colocation data centers where multiple companies are hosting
their data in one location, traditional key management is becoming
a significant challenge for facility managers. Personnel from one or
several organizations may access the data center at any given time,
making key management increasingly difficult to track.
Data centers typically have multiple layers of security and access
control: at the front door of the building, then a mantrap to get past
the lobby, then access control to get into each data center room, then
possibly a cage, depending on the data center structure.
However, it is at the rack level where data security and access
control have the potential to fall short. If the servers are behind
doors, there may not be physical locks securing those doors. And in
older server farms, the server racks are wide open to all who have
gained access to the cage that surrounds them. Thus, all of the physical
layers of security can’t prevent unauthorized or malicious attempts
to access unsecured servers. And if there is an attack or data
breach, it becomes more difficult to track down the “who, what,
when and where” of the breach if there is no rack-level security and
audit trail in place.
In response, data center managers are focusing on extending
physical security down to the rack level. Cabinet manufacturers are
transitioning from traditional lock-and-key mechanisms to integrated
solutions that combine electronic locking and monitoring capabilities
for optimum security. These electronic access solutions (EAS)
allow data center managers to easily incorporate intelligent locking
throughout the facility, from its perimeter down to its servers, using
the data center’s existing security system, integrating with newer
data center infrastructure management (DCIM) systems, or through a
separate, fully networked system.
The remote monitoring capabilities offered by electronic access
solutions help data center managers quickly identify a violation, enabling them to receive updates on their computer
or via text or email on their personal
devices. An electronic access solution is composed
of three primary components: an access
control reader or input device, an electromechanical
lock and a controller system for
restricting, monitoring and recording access.
When designing an electronic access solution,
it is important that the appropriate electronic
lock is chosen for the specific enclosure and
provides the intelligence, flexibility and security
needed at the rack level.
Electronic locks are actuated by external
access control devices, which validate user
credentials and produce a signal that initiates
the unlocking cycle. Electronic locks can
be combined with any access control device
from keypads to radio frequency identification
(RFID) card systems, biometrics or
wireless systems. The access control device
can also be integrated into the electronic lock
for a streamlined, integrated solution that requires
minimal installation preparations.
Each time an electronic lock is actuated,
an electronic “signature” is created which is
captured to monitor access–either locally
with visual indicators or audible alarms, or
remotely over a computer network. The electronic
signatures can be stored to create audit
trails that can be viewed at any time, whether
on- or off-site, to forensically reconstruct a
series of access events. This electronic audit
trail keeps track of cabinet access activity,
including location, date, time, duration of
access and specific user credentials.
These audit trails provide data center
managers with an additional resource: They
can track the amount of time a server rack
door is opened in order to monitor maintenance
and service activity. If a server rack
is scheduled for activity that should take 30
minutes, but the audit trail shows the door
was open for several hours, management can
find out why the delay occurred and exercise
better management of service personnel and
costs for service.
This audit trail can be used to demonstrate
compliance with data protection regulations
and allows data center managers to
immediately identify and respond to security
breaches or forensically reconstruct events
leading to a violation. Remote management
and real-time monitoring eliminate the need
for on-site staffing and reduce costs associated
with managing data center security.
Support for Multifactor Authentication
When designing a new installation or retrofit,
it is important to select an electronic lock
based on the depth of intelligence and level
of protection required. Many EAS suppliers
offer a range of electronic locking solutions
designed to make implementing rack-level
security relatively simple and cost-effective.
These include robust cabinet locks integrated
into locking door handles: self-contained,
modular devices designed to require
multifactor authentication before granting
access to a server cabinet.
Multifactor authentication is a growing
requirement for many access control scenarios
and more data center managers are
implementing it, particularly for server racks
containing highly sensitive data. Common
multifactor systems typically require the following
factors:
- Something you know, such as a PIN
- Something you have, such as an RFID card
- Something you are, such as biometric data from a fingerprint or a facial recognition scan
With multifactor authentication, one
piece of information alone does not grant
access. An electronic lock can be designed
to require the user to present an RFID card,
and then enter a PIN code on a keypad.
There are electronic locking systems that are
designed to be modular, allowing different
types of access controllers to be easily added
to the lock and satisfying the specific level of
security for a given server rack.
The level of security can be further enhanced
in a relatively simple manner. For
example, there are electronic locking systems
that combine RFID cards and fingerprint
readers. Technicians assigned to access a
server rack using this type of system have
their fingerprint data loaded onto the card.
To access the server, they present their card,
which transmits their fingerprint data to the
reader; they then provide their fingerprint to
complete access.
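The per-rack factor policy described in this section, as an added example that is not code from the article or from any lock vendor: a modular lock controller where each rack requires a set of factor classes (have, know, are), so a card alone never opens a rack whose policy also demands a PIN or a fingerprint. The credential store, salt, PIN and fingerprint template are constructed; the template is a byte-string stand-in, since a real reader performs a fuzzy biometric match rather than an equality test.

```python
import hashlib
import hmac

SALT = b"constructed-salt"   # constructed; a real controller uses a per-record random salt

def hash_pin(pin, salt):
    """Store PINs as salted PBKDF2 hashes, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)

# Constructed credential store: card id -> PIN hash and the fingerprint
# template that the card carries (stand-in bytes, see lead-in).
CREDENTIALS = {
    "card:4471": {"pin": hash_pin("2580", SALT), "template": b"tmpl-4471"},
}

# Per-rack policy: which factor classes the lock module must verify
# before it actuates. Unknown racks get no policy and fail closed.
RACK_POLICY = {
    "RACK-A12": {"have"},                  # card only
    "RACK-B07": {"have", "know"},          # card + PIN
    "RACK-C03": {"have", "know", "are"},   # card + PIN + fingerprint
}

def verify_factors(card_id, presented, store=CREDENTIALS):
    """Return the set of factor classes the presented data actually proves.
    'presented' may hold 'pin' (str) and/or 'template' (bytes)."""
    record = store.get(card_id)
    if record is None:
        return set()                       # unknown card proves nothing
    verified = {"have"}
    pin = presented.get("pin")
    if pin is not None and hmac.compare_digest(hash_pin(pin, SALT), record["pin"]):
        verified.add("know")
    template = presented.get("template")
    if template is not None and hmac.compare_digest(template, record["template"]):
        verified.add("are")
    return verified

def lock_decision(rack, card_id, presented):
    """Actuate only when every factor the rack policy requires is verified."""
    required = RACK_POLICY.get(rack)
    if required is None:
        return False
    return required <= verify_factors(card_id, presented)
```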
Designing for Compliance
Electronic access solutions provide a strong
level of physical access control for a variety
of data center security applications, whether
providing storage for one organization or
several housed in a colocation environment.
Managers of colocation environments have
started to adopt intelligent locking systems
due to the challenges of protecting access
to individual cabinets, rather than “caging”
a cabinet or group of cabinets into separate
areas of the data center.
Electronic access solutions are adaptable
to both structural designs and control
mechanisms that are already in place. Often,
building access cards or ID badges are already
part of an organization’s access control
system; using them for rack-level access
eliminates the need to create new or separate
credentials.
Expectations for data security and management
have changed significantly. Regulations
are driving facility managers to consider
comprehensive security solutions with monitoring
capabilities and digital audit trails to
protect sensitive information from the threat
of unauthorized access and theft. Regulatory
requirements related to data security will
continue to increase in response to the constantly
changing tactics of data thieves.
Data center managers can prevent these
situations from occurring by optimizing security
down to the rack level with electronic
access solutions. Electronic locks extend intelligent
security from existing building security
networks to data center cabinets. As
a result, data center managers can ensure
their facilities and equipment are protected
against the risk of data
breaches and any penalties
associated with noncompliance.
This article originally appeared in the May/June 2019 issue of Security Today.