Some data centers are built like fortresses, with thick concrete walls, pneumatically driven bollards and armed guards - we’ve heard of several facilities surrounded by actual moats. Some look like spaceships, with glass tubes instead of doors, laser-based intrusion detection systems and biometric security.
There are data centers built to withstand electromagnetic pulses (EMPs) and data centers built inside nuclear bunkers. There are fences out there that are impossible to cut, and cabinets that are impervious to explosion damage. All of this exists for one simple reason: physical security is easy to demonstrate, and we live in paranoid times.
Heists don’t happen
But when was the last time you actually heard of a data center heist? Nobody really breaks into a data center to steal data. Nobody will blow a hole in the wall of your facility, load a truck full of servers and disappear in the direction of the nearest airfield, where a small airplane will take them across the border.
A data center located outside the 100-year floodplain? That’s fair enough. But I remember receiving a press release, highlighting the fact that a particular facility was located out of the flight paths and removed from major airports, something that was supposed to minimize the threat of hijacked planes crashing into a colocation cage. There’s no kill like overkill. Even EMP weapons – while certainly posing a real threat to data centers – haven’t been used nearly enough to justify this level of concern.
Buy rack space, get access
In November at the Zettastructure conference in London, Rich Johanning, vice president of Critical Infrastructure Protection at Aecom, explained how he would gain access to a server: “The first thing I do when we get hired to do pen testing on a data center is buy rack space in that data center. I walk in with a laptop and I now have access to everybody’s networks. They might be segmented out, but there’s no provisions in place to say ‘hey, why has Rich been sitting over there for hours, and all he has done is play on his laptop?’ I have been able to do that for four hours at a time. I have been able to pivot to a bunch of places.”
For the most part, physical security has one simple purpose: to show customers just how much the service provider cares about the security of their data. There’s no way to easily demonstrate your firewall, or display your encryption tools, and the best cyber security experts on the planet will not impress an executive nearly as much as a few ex-military types.
But let’s not lose sight of what’s important in our industry. Cyber security, not physical security, should be at the top of your agenda. Laser-resistant fences won’t help if your enemy is an army of enslaved security cameras, attacking remotely from around the globe.
This story originally appeared in the November issue of DatacenterDynamics magazine.