While no one will refute the importance of physical security within data centers, server racks in data centers here are typically secured using physical keys that are easily duplicated. And, compounding that problem, is the use of a common key to secure large swathes of racks, CK Cheong, CEO of ERS Group, told DCD.
ERS is a Singapore-based firm that specializes in data centers with a focus on energy efficient solutions and providing a secured environment. With clients that include the top data center operators in Singapore, as well as subsidiaries in Malaysia and Indonesia, Cheong’s observations offer a unique and unfiltered viewpoint of the situation around Southeast Asia.
Securing Asia’s data centers
“Think about how many people have access to a data center hall - there could be hundreds of racks. Are they using a physical key? Well, this key is easily duplicated. Anyone can access the rack, open it up, and gain access to anything on the server,” explained Cheong, who also named in-rack uninterruptible power supply (UPS) appliances and unguarded network ports as vulnerable to tempering.
“Security is not thought about much while the infrastructure is built. Security only happens after they have completed the infrastructure,” he said, noting that power and cooling are the components that initially gets the lion’s share of the attention and budget in most data centers.
Cheong is hardly alone in his assessment. In our earlier report, a panel of experts speaking at the DCD Summit held at Interpol World last month agreed that security is implemented almost as an afterthought in many data centers.
And it doesn’t help that IT managers don’t typically think as much of physical security for their colocation infrastructure. “IT managers are usually focused on cybersecurity more than physical security. In their minds, physical security is not in their [job] scope,” he said.
Thankfully, the situation is changing. “More people are talking about standards such as ISO 27001 and information security management system (ISMS) today. Some of the components in these standards touch on physical security, and this creates awareness for IT managers,” said Cheong.
Closing the gaps
So how can security in data centers be beefed up? Cheong acknowledged that security requirements differ somewhat depending on whether it is a colocation environment, or a fully-owned data center such as one operated by a financial institution such as a bank. There is no question in his mind though, that the basic “key tracking systems” popularly in use today are not up to the task.
ERS addresses security by ensuring that its solutions cover the three bases of authentication, authorization, and accounting, says Cheong. The need to validate the identify of visitors aside, a good authorization system ensures that authorized personnel are only able to access what they need to do their jobs.
He also stressed the importance of detailed event logs for traceability and audits in the wake of a security incident. This explains the company’s emphasis on a platform that not only sounds the alarm in the event of a security incident, but also capable of capturing verbose logs for future analysis.
The ideal security implement should consist of what Cheong calls “3FA” or three-factor authentication for airtight security. This blends a multi-factor approach consisting of what “what you have,” “who you are” and “what you know” to heighten security beyond a physical-key-only approach.
Solutions in ERS’ arsenal adhere to this paradigm, and includes a specialized proximity card with additional security features implemented using wireless Bluetooth to stymie duplication attempts. Biometric readers help ensure that stolen ID cards or dongles will not let intruders get far, while the use of compact but powerful hardware deployed within racks allows advanced authentication to be implemented at individual racks if necessary.
For now, Cheong has identified a possible grey area within data centers that organizations may want to pay heed to. While security at the rack is typically managed by the IT manager, and security of the facility and data center hall by the facility folks, what about the aisle within data center halls? “Who is going to pay for [implementing] security there?,” he asked
Ultimately, C-level support is crucial to implementing proper security within the data center, Cheong said, who sees it as crucial that they gain a greater security awareness. Such awareness is needed for the establishment of the requisite KPIs for IT and facility managers to adhere to; its absence will likely result in security being relegated to yet another important task that is simply not seen as urgent.