While much of the debate on cybersecurity focuses on protecting data center network boundaries from unauthorized penetration and subsequent attacks, IT managers should not overlook the potential of a physical assault on their primary data center. And although the initial thought might be for an externally organized attack, don’t overlook the potential for internal attacks on data center infrastructures.
For example, utility access from the street into your data center may be underground via trenches or (preferably) hardened conduits, but at some point on their path from origin to your location, they are likely to be on telephone poles. And of course those poles -- and all the services they carry -- are prime targets for terrorists or other attackers.
Contact your electric, telecom and cable television providers to find out exactly how your service is routed from their central offices to your site. See if there are alternate routes that may offer you some additional protection.
About 10 years ago, following the Sept. 11 terrorist attacks, U.S. banking and finance sector regulators (including the Federal Reserve Bank, Office of the Comptroller of the Currency and Securities and Exchange Commission) issued an interagency white paper that recommended strategies to reduce the threat of attacks on banking sector information systems and networks. One of the recommendations was to set up a disaster recovery site approximately 500 miles from a primary data center, thus minimizing the chances of simultaneous attacks. This was subsequently reduced to about 30 miles between sites.
Make sure your primary data center and disaster recovery site are sufficiently distant that they are less likely to experience simultaneous physical attacks.
If you only have one data center, consider establishing a disaster recovery site using a third party that is located a sufficient distance from your primary data center.
Another way to reduce the chances of a physical attack is to locate your data centers in non-descript buildings, such as older and previously abandoned warehouses. This approach was successfully used by a number of Wall Street firms.
If your data center is in a newer and more modern building, be sure that signage identifying the building is minimal. Don’t describe the building’s purpose with external signage. Instead, the company logo should be sufficient.
Location, location, location
If you are planning to build a new data center, or retrofit an existing building, site selection is probably the primary concern.
Be sure that you have access to resilient and (if possible) diversely routed utility services so that you can have at least two physical paths into your data center. Since many modern data centers have lights-out operation, they do not need to be located in proximity to the company CIO’s home, as has often been the case.
Key design factors during the site selection process include utilities infrastructure, availability and capacity of fiber optic systems (especially dark fiber), natural and man-made risks and how well the physical perimeter of the data center can be secured.
Location also means evaluating proximity to interstate and local highways, rail lines, airports, oil and natural gas pipelines, oil and gas storage facilities, canals, rivers and other bodies of water.
Check these external situations carefully when selecting a site.
Try to locate the data center so that your security teams have a clear line of sight (e.g., directly and with security cameras) to the property’s perimeter, driveways and parking lots.
In addition to cameras, consider the installation of chain-link fencing around the perimeter.
Several other safeguards, in addition to building access control and physical security systems equipped closed circuit television (CCTV) and motion detectors, should be considered.
Include HVAC systems with centralized air intakes with specially designed filters that can block entry of hazardous airborne biological or chemical particles.
Protecting your information technology infrastructure requires a combination of physical and local safeguards. While much attention of late has focused on logical safeguards (e.g., intrusion detection systems and anti-virus software), be sure that your data center’s physical infrastructure is also fully protected from attacks.
About the author: Paul Kirvan, CISA, FBCI, has more than 24 years of experience in business continuity management (BCM) as a consultant, author and educator. He has completed dozens of BCM consulting and audit engagements that address all aspects of a business continuity management system (BCMS) and which are aligned with global standards including BS 25999 and ISO 22301. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter and a member of the BCI Global Membership Council. He can be reached at firstname.lastname@example.org.