Similarities at Data Centers and Airports

Similarities at Data Centers and Airports

Both businesses are high-risk and highly coveted targets

Few sectors face higher regulation and compliance standards in the United States than the aviation industry. With more than 2.9 million passengers flying daily in the United States and an annual economic impact of $1.9 trillion, the aviation industry is critical infrastructure which must be protected through rigorous security procedures. ACTS understands these requirements and works closely with the Transportation Security Administration (TSA) to enact security standards which protect the traveling public at all four airports which we secure, Pittsburgh International Airport (PIT), Cincinnati/Northern Kentucky International Airport (CVG), Minneapolis-St. Paul International Airport (MSP), and Charlotte Douglas International Airport (CLT).

The Threats are Similar
The 2,670 data centers in the United States face many of the same threats experienced by airports. As the host of mission-critical infrastructure, which house proprietary information and customer applications, data centers need security to protect their facilities. Insufficient safeguards leave data centers vulnerable to cyberattacks and breaches, where intellectual property, confidential information, and financial data can be exposed or stolen. These intrusions are costly, both financially and to the data center’s reputation. CPO Magazine reports that the average cost for a data center breach is $4.24 million.

Both airports and data centers are high-risk and highly coveted targets, where a single security breach can jeopardize an interconnected network and a brief outage can cause chaos – in the clouds, or in the cloud.

Mark Sargent understands the impact of security breaches at both airports and data centers. As the program manager of the contract security program for ACTS at MSP, Sargent is responsible for the management of the security officers who administer access control and screening procedures. He works closely with the Minneapolis Airport Police Department in defining the Key Performance Indicators (KPIs) which ACTS must fulfill to comply with Federal Aviation Administration (FAA) and TSA mandates.

Prior to joining MSP, Sargent served in the Navy and oversaw the security operations for Minnesota organizations in technology, retail and property management. Through these roles, Sargent toured many data centers, gaining insight into all aspects of their security, including staffing, emergency response, risk mitigation, Security Operations Centers (SOC) and access control.

As ACTS extends its service capabilities from airport security into data centers, Sargent said the similarities in these sectors share in safekeeping their facilities and how knowledge from the aviation industry’s extensive history can be applied to the relatively new data center industry in establishing security practices which reduce the risk of future failures.

Defense in Depth
Sargent said “Defense in Depth” is the primary function of aviation and data center security. Whether at an airport or data center, security must determine how many layers of protection are necessary to prevent breaches and impact to the facility’s operation.

“The first layer is the parking lot, the perimeter, the fence,” Sargent said. “If you’re able to lessen access activity to the exterior of a building, you’re coming back to the first layer of ‘Defense in Depth’ that gives you an advantage.”

While securing the perimeter might be sufficient for some facilities, others require multiple levels including security officers, cameras and biometrics. Sargent said each organization must analyze their needs and determine the depth and defense methods required.

“The role of security is limiting the ability of individuals to affect our operations. When we look at airports, there is a multi-level approach with a lot of steps that an individual would have to take to be able to breach security. That multi-layer function for access to an airport can and should be mirrored at a data center.”

Authorized Access
Airports and data centers both compose rosters designating those authorized to access their facility. Every person is considered an authorized guest. Determining if that person is permitted on site, and where they can go within, is the responsibility of the security force.

The key objectives related to access control are:

  • Identifying people who should be there, to focus on those that should not
  • Quick, but accurate, resolution of potential issues
  • Prevention of breach due to the high operational stakes and impact of intrusion

The easiest way to facilitate a system for administering access control is by composing a roster of employees, vendors and guests with permission to enter and sharing this information with security. Those not included are denied access because the security force does not know their true intentions.
Organizations can further support access control procedures by requiring everyone to wear identification.

“Identification allows the security force to know whether that person has authorized access or gained entry through a breach,” Sargent said. “If security sees someone that doesn’t have a badge displayed, that is where officers should ask: ‘What are you doing here?’”

Additionally, Sargent suggests data centers create a phone tree that defines those who should be contacted, according to a chain of command, in authorizing access for unanticipated guests. Security can then follow the phone tree in gaining permission for their entry.

“When an unregistered guest visits, the security force needs to know who they should contact to obtain clearance for that person to enter. We might struggle to reach someone at 2 a.m. We need additional contacts to call because the security force will not allow access without consent,” Sargent said.

He believes a defined system for communication, especially outside of normal business hours, is necessary because a lack of connectivity can impede business, operations, and the safeguarding of the company and its assets.

“If we don’t protect the client’s intellectual property, potential competitors can take that away. That is where data centers run into issues of losing millions of dollars to their competitors because those competitors are rolling out ideas after they were able to infiltrate the data center and gain that sensitive information.”

Hybrid Approach
Security programs at airports and data centers often demonstrate a hybrid approach; a combination of two strategies with the goal of creating a better overall operational plan. The hybrid approach is demonstrated in two ways.

First, their security programs blend the workforce and technology.

“51% human and 49% technology,” Sargent said. “This gives us the capability to incorporate technology, like facial recognition or biometrics, and if those elements break down, the human element is there as backup.”

Sargent admits that technology can suffer glitches, particularly when an intruder attempts to disable its functionality. In those circumstances, the security force is ready to respond.

Second, the goals of the security program are achieved when the in-house, proprietary security management works in tandem with an outside, contract security organization. As in the case of the MSP security detail, Sargent is the primary contact for ACTS, a contract security organization, and reports to the Minneapolis Airport Police Department, a law enforcement agency.

“I believe that is one of the best forms of security programs due to staffing,” says Sargent. “Staffing is more difficult for in-house security because a Director of Security doesn’t have time to focus on recruiting, on training, on the regulatory side of licensing staff. They lack the resources that an ACTS has to staff appropriately and train.”

Sargent believes a hybrid security program which combines in-house, propriety staff and outside, contract security enables collaboration in shaping the security program’s operations.

“With an in-house security force at a data center, they have their own best practices,” says Sargent. “Contract security has their own best practices. Who is to say that some of their best practices don’t belong with us and some of our best practices don’t belong with them? The only way we’ll be able to come to that is to sit down and collaborate on the security plan.”

Detection of Prohibited Items
In the days following the tragic events of September 11th, the FAA and TSA implemented a list of prohibited items which cannot go beyond the airport security screening point. As security threats have evolved, that list has changed.
“At an airport, we’re looking for things that can cause harm to the human element,” says Sargent. “Data centers are looking for things that can cause harm to the technology. That level of safety and security can be handled in a similar fashion through physical searches.”

Sargent recommends that data centers create a list of prohibited items, deciding if thumb drives, cell phones, portable hard drives, and laptops are permitted within their facilities. If not, security should conduct physical searches of guests and their belongings with metal detectors to ensure those devices do not enter. These policies enable security to protect the data center from potential intrusion through systems whose work is not visible.

“Backdoors are a real thing whether it is a corporation with a physical back door or a virtual backdoor into a company’s intellectual property,” says Sargent. “The way that backdoors are created is by direct access to their infrastructure. Limiting access for those tools can prevent incidents of intellectual theft.”

As Data Centers and Airports evaluate their security operations, lessons can be learned and shared from leaders within both industries, as each seek to protect their people, property, and reputation.

This article originally appeared in the April 2022 issue of Security Today.

Featured

  • On My Way Out the Door

    To answer that one question I always get, at every booth visit, I have seen amazing product technology, solutions and above all else, the people that make it all work. Read Now

    • Industry Events
    • ISC West
  • Live From ISC West: Day 2 Recap

    If it’s even possible, Day 2 of ISC West in Las Vegas, Nevada, was even busier than the first. Remember to keep tabs on our Live From ISC West page for news and updates from the show floor at the Venetian, because there’s more news coming out than anyone could be expected to keep track of. Our Live From sponsors—NAPCO Security, Alibi Security, Vistacom, RGB Spectrum, and DoorKing—kept the momentum from Day 1 going with packed booths, happy hours, giveaways, product demonstrations, and more. Read Now

    • Industry Events
    • ISC West
  • Visiting Sin City

    I’m a recovering alcoholic, ten years sober this June. I almost wrote “recovered alcoholic,” because it’s a problem I’ve long since put to bed in every practical sense. But anyone who’s dealt with addiction knows that that part of your brain never goes away. You just learn to tell the difference between that insidious voice in your head and your actual internal monologue, and you get better at telling the other guy to shut up. Read Now

  • Return to Form

    My first security trade show was in 2021. At the time, I was awed by the sheer magnitude of the event and the spectacle of products on display. But this was the first major trade show coming out of the pandemic, and the only commentary I heard was how low the attendance was. Two representatives from one booth even spent the last morning playing catch in the aisle with their giveaway stress balls. Read Now

    • Industry Events
    • ISC West

Featured Cybersecurity

New Products

  • ALTO Neoxx Electronic Padlock

    ALTO Neoxx Electronic Padlock

    Built to withstand all access control needs, the tough new SALTO Neoxx electronic padlock takes security beyond your expectations. 3

  • BriefCam v6.0

    BriefCam v6.0

    BriefCam has released BriefCam v6.0, which introduces the new deployment option of a multi-site architecture. This enables businesses with multiple, distributed locations to view aggregate data from all remote sites to uncover trends across locations, optimize operations and boost real-time alerting and response – all while continuing to reap the benefits of BriefCam's powerful analytics platform for making video searchable, actionable and quantifiable. 3

  • LenelS2 BlueDiamond™ mobile app

    enelS2 has introduced its Indoor Location subscription-based service for businesses and other organizations using LenelS2’s BlueDiamond™ mobile app version 2.1.8 for smartphones. 3