In today’s world, data is everything. With the increase in digitalization and the growing reliance on technology, organizations are continuously looking for ways to protect their data centers. A data center is the backbone of an organization and any breach in security can lead to devasting consequences. Traditionally, data center security has been focused on protecting the perimeter fence lines but this approach is no longer enough. In this blog, we will discuss why thinking beyond perimeter fence lines is vital to your data center security.
Data centers are complex systems that require a multi-layered security approach. In the past, the perimeter fence line was considered the first line of defense against physical attacks. However, as the sophistication of attacks has increased, perimeter security alone is no longer enough to protect data centers. Attackers can use a variety of methods to bypass physical security, including social engineering, phishing attacks and insider threats. Once inside the perimeter, attackers have access to sensitive data, and the damage can be devastating both in terms of fines and reputational risk to the business.
To effectively protect a data center, organizations need to think beyond perimeter fence lines. One significant cyber physical security blind spot is the risk of data breaches to Data Center Cabinets, Wiring Closets, and Remote Enclosures. Traditional mechanical locks that protect these cabinets and enclosures are no longer reliable in the face of advanced cyber physical threats. Today, most data center cabinet locks rely on a small number of industry-standard keys that can be easily purchased on eBay or Amazon by anyone. This security gap creates a potential entry point for attackers who can gain unauthorized access to sensitive data, security controls, servers, firewalls, and network devices. To build access controls that meet compliance and regulatory needs, critical infrastructure requires reliable and monitored physical security. Unauthorized access to even one cabinet, one remote wiring enclosure, or one leased data center space can have far-reaching impacts on a company’s global compliance and operations. Traditional access control systems cannot easily expand to address this problem, as they are designed to secure building doors and are too costly and complex to scale up to protect the thousands of data cabinets and wiring closets found in large, distributed organizations.
Here are three areas to review and address when looking to improve data center security beyond the perimeter fence:
1. Mitigate the Risk of Insider Threats
Insider threats are one of the biggest security risks facing data centers today. Here are some examples:
Malicious insiders:
These are insiders who intentionally cause harm to the organization by stealing sensitive data or sabotaging systems. They may be disgruntled employees, or contractors who have access to sensitive information and systems and can use it for their gain. To prevent against malicious insider threats, physical access controls for areas such as data center cabinets should go beyond keys and include higher levels of identity assurance that provide an irrefutable audit trail of who accessed which cabinet, a what time and for how long. Solutions include multi-factor authentication with PINs, Cards, Biometrics and/or mobile step-up.
Accidental insiders:
These are insiders who unknowingly cause harm to the organization by making a mistake or being careless. For example, an employee might mistakenly forget to properly close a cabinet after a service was performed creating the possibly of a cyber physical breach. All cabinets and critical remote enclosures should have sensors that can alert organizations of doors left open or access at unusual hours.
Negligent insiders:
These are insiders who violate security policies and procedures due to negligence or lack or awareness. For example, an employee may have their access card stolen and not report it in a timely manner. Data center areas that don’t employ multi-factor authentication for critical areas can be subject to cyber physical breaches from stolen credentials.
Shared space insiders
Leased office spaces and co-location facilities can mean that your digital network is increasingly vulnerable to risk of access — accidental or intentional — from other tenants that share those same facilities. Restricting access to a floor or a room may not be an option, or may not be enough.
2. Enhance Physical Security in Restricted Areas with Secure Credentials that deliver flexibility without compromising security.
Enroll Anywhere:
Look for solutions that provide the flexibility of remotely adding visitors, contractors and maintenance staff at any time for anywhere to ensure access policies are maintained even in after hour emergency situations.
Employ Flexible Multi-Factor Authentication:
To enhance your compliance controls and secure your critical infrastructure implement a solution that offers flexible multi-factor options that can be customized per-user, per-device and by time-of-day. Rapidly growing options for data center cabinets and remote enclosures include Card + PIN, Time-Based One-Time Passwords (OTP), SMS, Duo, Ping, Okta, and mobile biometrics.
Use Secure Contractor Scheduling:
Static PINs for data center access are easily shared and compromised, use unique rolling-PINs solution to pre-schedule limited-time access for contractors and maintenance staff, without the need for issuing cards and with full time-of-day control.
Use Digital Surveys for Compliance:
Leverage mobile surveys to collect why the individual is accessing critical infrastructure and how long they are planning to be on site, resulting in clearer, more-reliable audit records and the ability to setup alerts for overtime visits.
3. Ensure data center security solutions install, operate, and provide cybersecurity at Scale.
Choose a Data Cabinet/Remote Enclosure Solution that Installs like a Network Appliance:
Avoid reliance on panels and custom power requirements with a solution that fits inside your rack and uses PoE.
Benefit from a cloud-scale system:
This makes it easy to operate at digital-infrastructure scale – including fully-supervised devices, centralized logs and alerting, remote management of settings, remote software updates – and automatic roll-back in the event of configuration or software errors, to keep your devices on-line.
Leverage the Reliability of “Autonomous Edge”:
Make sure devices remain automatically synchronized with the cloud servers and can run fully offline for extended periods in the event of infrastructure failures; this includes the ability to locally authenticate and securely log all access and alarm events while offline, and automatically synchronize with the cloud when access is restored.
Confirm Confidentiality, Integrity & Availability:
Check that the solution encrypts your user’s card, PIN and biometric data, at the cabinet-level. Securely identify users and validate access – without transmitting data to the cloud that could be used to compromise your security or your users’ privacy. Credentials, logs, device-storage, software and communications should be fully encrypted, signed and authenticated. This ensures that you have audit records you can rely on, and cyber-secure access controls. Finally, confirm the hardware and software systems employ multiple layers of redundancy, to sure that your users can always access your critical infrastructure.
In conclusion, data center security is no longer about just protecting perimeter fence lines. The risks associated with unauthorized access to Data Center Cabinets, Wiring Closets and Remote Enclosures cannot be overlooked. Organizations need to adopt a holistic approach to security that includes multiple layers of physical security protection all the way to the server racks. This approach can help mitigate the risk of insider threats and cyber physical security threats while ensuring regulatory compliance.