Similarities at Data Centers and Airports
Both businesses are high-risk and highly coveted targets
By Kevin Tomich
Apr 01, 2022
Few sectors face higher regulation and compliance standards in the United States than the aviation industry. With more than 2.9 million passengers flying daily in the United States and an annual economic impact of $1.9 trillion, the aviation industry is critical infrastructure that must be protected through rigorous security procedures. ACTS understands these requirements and works closely with the Transportation Security Administration (TSA) to enact security standards that protect the traveling public at all four airports we secure: Pittsburgh International Airport (PIT), Cincinnati/Northern Kentucky International Airport (CVG), Minneapolis-St. Paul International Airport (MSP), and Charlotte Douglas International Airport (CLT).
The Threats are Similar
The 2,670 data centers in the United States face many of the same threats experienced by airports. As hosts of mission-critical infrastructure that houses proprietary information and customer applications, data centers need security to protect their facilities. Insufficient safeguards leave data centers vulnerable to cyberattacks and breaches, where intellectual property, confidential information, and financial data can be exposed or stolen. These intrusions are costly, both financially and to the data center’s reputation. CPO Magazine reports that the average cost for a data center breach is $4.24 million.
Both airports and data centers are high-risk and highly coveted targets, where a single security breach can jeopardize an interconnected network and a brief outage can cause chaos – in the clouds, or in the cloud.
Mark Sargent understands the impact of security breaches at both airports and data centers. As the program manager of the contract security program for ACTS at MSP, Sargent is responsible for the management of the security officers who administer access control and screening procedures. He works closely with the Minneapolis Airport Police Department in defining the Key Performance Indicators (KPIs) which ACTS must fulfill to comply with Federal Aviation Administration (FAA) and TSA mandates.
Prior to joining MSP, Sargent served in the Navy and oversaw the security operations for Minnesota organizations in technology, retail and property management. Through these roles, Sargent toured many data centers, gaining insight into all aspects of their security, including staffing, emergency response, risk mitigation, Security Operations Centers (SOC) and access control.
As ACTS extends its service capabilities from airport security into data centers, Sargent described the similarities these sectors share in safekeeping their facilities and how knowledge from the aviation industry’s extensive history can be applied to the relatively new data center industry to establish security practices that reduce the risk of future failures.
Defense in Depth
Sargent said “Defense in Depth” is the primary function of aviation and data center security. Whether at an airport or data center, security must determine how many layers of protection are necessary to prevent breaches and impact to the facility’s operation.
“The first layer is the parking lot, the perimeter, the fence,” Sargent said. “If you’re able to lessen access activity to the exterior of a building, you’re coming back to the first layer of ‘Defense in Depth’ that gives you an advantage.”
While securing the perimeter might be sufficient for some facilities, others require multiple levels including security officers, cameras and biometrics. Sargent said each organization must analyze their needs and determine the depth and defense methods required.
“The role of security is limiting the ability of individuals to affect our operations. When we look at airports, there is a multi-level approach with a lot of steps that an individual would have to take to be able to breach security. That multi-layer function for access to an airport can and should be mirrored at a data center.”
Airports and data centers both compose rosters designating those authorized to access their facility. Every person is considered an authorized guest. Determining if that person is permitted on site, and where they can go within, is the responsibility of the security force.
The key objectives related to access control are:
- Identifying people who should be there, to focus on those that should not
- Quick, but accurate, resolution of potential issues
- Prevention of breach due to the high operational stakes and impact of intrusion
The easiest way to facilitate a system for administering access control is by composing a roster of employees, vendors and guests with permission to enter and sharing this information with security. Those not included are denied access because the security force does not know their true intentions.
Organizations can further support access control procedures by requiring everyone to wear identification.
“Identification allows the security force to know whether that person has authorized access or gained entry through a breach,” Sargent said. “If security sees someone that doesn’t have a badge displayed, that is where officers should ask: ‘What are you doing here?’”
Additionally, Sargent suggests data centers create a phone tree that defines those who should be contacted, according to a chain of command, in authorizing access for unanticipated guests. Security can then follow the phone tree in gaining permission for their entry.
“When an unregistered guest visits, the security force needs to know who they should contact to obtain clearance for that person to enter. We might struggle to reach someone at 2 a.m. We need additional contacts to call because the security force will not allow access without consent,” Sargent said.
He believes a defined system for communication, especially outside of normal business hours, is necessary because a lack of connectivity can impede business, operations, and the safeguarding of the company and its assets.
“If we don’t protect the client’s intellectual property, potential competitors can take that away. That is where data centers run into issues of losing millions of dollars to their competitors because those competitors are rolling out ideas after they were able to infiltrate the data center and gain that sensitive information.”
Security programs at airports and data centers often demonstrate a hybrid approach: a combination of two strategies with the goal of creating a better overall operational plan. The hybrid approach is demonstrated in two ways.
First, their security programs blend the workforce and technology.
“51% human and 49% technology,” Sargent said. “This gives us the capability to incorporate technology, like facial recognition or biometrics, and if those elements break down, the human element is there as backup.”
Sargent admits that technology can suffer glitches, particularly when an intruder attempts to disable its functionality. In those circumstances, the security force is ready to respond.
Second, the goals of the security program are achieved when the in-house, proprietary security management works in tandem with an outside, contract security organization. As in the case of the MSP security detail, Sargent is the primary contact for ACTS, a contract security organization, and reports to the Minneapolis Airport Police Department, a law enforcement agency.
“I believe that is one of the best forms of security programs due to staffing,” says Sargent. “Staffing is more difficult for in-house security because a Director of Security doesn’t have time to focus on recruiting, on training, on the regulatory side of licensing staff. They lack the resources that an ACTS has to staff appropriately and train.”
Sargent believes a hybrid security program that combines in-house, proprietary staff and outside, contract security enables collaboration in shaping the security program’s operations.
“With an in-house security force at a data center, they have their own best practices,” says Sargent. “Contract security has their own best practices. Who is to say that some of their best practices don’t belong with us and some of our best practices don’t belong with them? The only way we’ll be able to come to that is to sit down and collaborate on the security plan.”
Detection of Prohibited Items
In the days following the tragic events of September 11th, the FAA and TSA implemented a list of prohibited items which cannot go beyond the airport security screening point. As security threats have evolved, that list has changed.
“At an airport, we’re looking for things that can cause harm to the human element,” says Sargent. “Data centers are looking for things that can cause harm to the technology. That level of safety and security can be handled in a similar fashion through physical searches.”
Sargent recommends that data centers create a list of prohibited items, deciding if thumb drives, cell phones, portable hard drives, and laptops are permitted within their facilities. If not, security should conduct physical searches of guests and their belongings with metal detectors to ensure those devices do not enter. These policies enable security to protect the data center from potential intrusion through systems whose work is not visible.
“Backdoors are a real thing whether it is a corporation with a physical back door or a virtual backdoor into a company’s intellectual property,” says Sargent. “The way that backdoors are created is by direct access to their infrastructure. Limiting access for those tools can prevent incidents of intellectual theft.”
As data centers and airports evaluate their security operations, lessons can be learned and shared from leaders within both industries, as each seeks to protect its people, property, and reputation.
This article originally appeared in the April 2022 issue of Security Today.