“What is data center security? It is very simple. It is like playing a Beethoven sonata. All you need is a violin and a music sheet… If you don’t believe me, try it. Do you know why it doesn’t work? Because there’s one component missing – being a great musician with vast musical talent. Data center security also requires great talent.”
It is something that’s constantly being checked, tested and maintained. It is hard work, which for the most part, remains unnoticed by clients and visitors. And this is exactly how it should be – effective and reliable, but without all the ‘bells and whistles’ that are often unnecessary and annoying. I understand why today such a question arose. After all, we are at the annual party for customers and partners of IXcellerate – Rockin’Russia.
Today on the premises of the datacenter there are more than two hundred people, but you won’t see guards in masks or barbed wire. Moreover, right this moment there are ongoing projects installing new customer equipment and increasing the infrastructure of the data center. Everything is under serious surveillance, control and management, but without any fuss. Have you noticed how in half an hour we did a guided tour of our data center and a new 1100-rack data hall for more than 30 guests? So, naturally, one would ask: “How do you do it? How do you ensure the security of such a large data center?”
The conversation about data center security extends well beyond a short interview at a corporate party. It is more likely to cover multiple lectures, due to the enormous range of topics and content. It would include physical security, informational security (and data security), storage security and security of different storage mediums, including “archaic” ones like classified documents etc. Of course, we could talk about dozens of standards and specifications, but my sincere conviction is that it all contributes to no more than 20% of success. In most cases, when considering any of the above-mentioned “securities”, we could separate them into two major categories, technical and organizational.
A lot has been said and written about the ‘technical’ part of physical security. In regards to the operation of data centers, there exists a wealth of experience in designing, building and implementation. An abundance of top-tier security equipment exists, such as ACS, biometrics, movement sensors, video surveillance and much more. We use a whole array of fire safety options like advanced fire extinguishing systems, fire sensors types (very early warning, smoke, infrared) etc. Additionally, in response to emerging terrorist threats, data centers are equipped with metal detectors and chemical sensors that detect presence of toxic agents.
Many best practice procedures, regulations and policies have been developed. There are excellent certification systems. However, equipment and methodology is only a foundation. Real security is ensured by people who are properly trained, have technical means and policies that prescribe how to act in certain situations. And most importantly – they have created a risk/mitigation scenario matrix, which they use to constantly hone their skills.
When working with staff it is important to keep in mind that there have not been cases of evil-doers or saboteurs attempting to hack a data center in order to steal and sell servers or racks. Where the real risk lies though, is in the daily routine: interacting directly with the equipment, giving DC tours to customers, working with live racks. Most of the incidents are equipment failures or data loss situations, and they can be traced back directly to these incident types. The security issue is rarely given the attention it deserves, especially when it comes to running technical maintenance.
The real risks appear the moment the operations start. Imagine this: everything’s set and under control, no unauthorized personnel in the data hall, CCTV cameras are operational, all staff members passed a thorough access control check, movement sensors and biometric locks are engaged. And all of a sudden you have an engineer with a 3-meter ladder who accidentally slips and bumps into the equipment. These are the kind of situations that no amount of security measures or technical wizardry can fully prevent. And this situation is being overlooked far too often.
In addition to access control, it is crucial to organize correct and safe work procedures, to train your team and prepare a workspace. One should do well to assess potential threats that may arise during technical operations or during the installation/repair/modernization of the devices, or when moving heavy or oversized equipment.
For each type of procedure, you must identify its specific set of risks well in advance, and document a threat matrix, which will be used to create a work plan that would involve specialists in safety and workplace behavior. You can begin with simple things, like putting a protective grating where needed, equipping a stepladder with anti-slip footing and rungs, putting dielectric rubber mats, etc.
Today, all data centers have serious systems of physical, informational and “paper” security. The most advanced equipment is installed, and the proper paperwork and manuals are developed in accordance with the regulatory requirements. But this kind of security will be useless without the personnel knowing what to do in these situations. Security is not documentation, programs, or hardware. It is something more. It is a complex system, a mechanism consisting both of technical means and organizational arrangements. It is around-the-clock work, which incorporates constant threat analysis and regular employee training.
Going back to the whole orchestra analogy. There is a well-known quote from Oscar Wilde’s 1882 “Impressions of America” – «Please do not shoot the pianist. He is doing his best». It can pertain to a great many of situations, but not to the data center security. In our industry, if the pianist hits the wrong notes here and there – the whole orchestra sounds out of key. What you hear today at IXcellerate’s party is a well-executed sonata. The violin is tuned up, the pianist is ever so agile, and the music sheets are well-lit…
This article is based on an interview with Bogdan Kolodiy, pre-sales and solutions adviser at IXcellerate. It was taken on June 28th during IXcellerate’s annual Rockin’Russia summer party.