Data Center Physical Security

"Data security starts with physical security." Natalie Lehrer underscored that point in her Information Week article called A Guide to Physical Security. She's right. Protection of company personnel, facilities, and data begins with physical security. It's a strategic priority at CenturyLink. The "rubber meets the road" in the management and operation of the facilities. Our data centers earn a M&O Stamp of Approval Certification from the Uptime Institute. Joel Stone is responsible for Global Data Center Operations at CenturyLink. Here's his take on the importance of a data center receiving M&O Certification:

"Earning the M&O certification demonstrates the effectiveness of a data center’s management and operations, giving customers “peace of mind” by ensuring the facility that houses their critical IT functions has passed a rigorous, third-party audit to conform its practices to the highest of standards."

This is Part 1 in a three part series covering various aspect of data center security. Part 2 will discuss environmental protections. Part 3 will cover media protections.

Security Policies

It starts at the top. Physical security at a data center is governed by CenturyLink Corporate Security. This group oversees the policies, processes, and work rules ensuring that all data centers operate under a consistent set of procedures and work guidelines. These help mitigate the possibility of operational failures, protect data center resources, and guide personnel in how to react safely, swiftly, and appropriately to given situations. Compliance with security policies is mandatory for all employees, contractors, and third-parties.

Access Authorization

The common practice of “tailgating” is impossible. CenturyLink strictly controls authorization credentials, and maintains a current list of all personnel with authorized access to its data centers. If you aren't on the authorized access list, you cannot enter the data center. There are four access groups: employees, contractors, customers, and visitors. Furthermore, badge access to the data center doesn’t include physical access to any of the information systems, security systems, or facility support areas. These areas require additional approvals from the respective authorities responsible for those areas.

Physical Access

There are three types of areas in a data center: public area, secured area, and restricted access area. No one is allowed to just walk in.

  • Public Access Area - the main lobby is the only public area in a data center. Access to the lobby requires the security team to unlock the entrance. For them to unlock the door, you have show a CenturyLink issued badge, which is then checked for proper authorization. Otherwise, the door isn't opened.
  • Secured Access Areas include all areas that are not designated as public access. Anyone entering a secured area must meet the criteria above and have prior authorization in place before they're granted access.
  • Restricted Access Areas are sectioned-off areas within the secured access area of the facility. Restricted areas require all the criteria above and additional authorization to access the specific area. Authorization is contingent on a demonstrated business need. All information systems and components are enclosed in a Restricted Access Area inside the secured access areas.

Entry Points

There are several layers of protection built in around the entry points. All doors are protected by card readers. Public facing entrances open only into public access areas. These entrances are separated from the secured areas via man traps and bullet-proof barriers. Moreover, data centers are staffed with security 24x7. All entry points into the data center and in between the different security level areas are fitted with alarms, which are tied into a central alarm system. On top of that, security personnel perform a full walk-through of the entire data center at least once per shift ensuring your infrastructure and information is well guarded.

Raise Floor and Cages/Racks

Customer infrastructure is housed inside of a “Managed Cage” space in the Restricted Access Area. Card readers and/or biometric readers are used to grant access. The customer cages/racks are locked down. In some cases only the customer has the key to the cage. Many of our customers elect to have CenturyLink manage the key for them. That being the case, key inventories are kept. Keys are strictly controlled and checked out for use. Inventory reviews are conducted every 12 hours. When customer keys are lost or combinations are compromised, we change the locks or combinations.

Physical Access Monitoring

We're always watching. CenturyLink monitors physical access 24x7. Each data center has video surveillance using CCTV cameras that watches the external perimeter of the building, external entrances, generators, internal doors between security zones, the public access area, the raised floor space, and all Restricted Access Areas. In addition, all alarms and surveillance equipment is monitored in real time.

Visitor Access

Again, permission to enter a data center is tightly controlled. Visitors are authenticated before access is granted. A visitor who is not a contractor or a customer must be an "authorized visitor," which means the person must have a legitimate business purpose for visiting and must be escorted by an authorized CenturyLink escort at all times. Authorized escorts are authorized employees or customers who have been issued a permanent ID Badge and are in good standing with the company.

Records Review

Sign in logs at a data center are retained inside the facility in two formats, paper and electronic. Every visitor is required to sign the paper log before entry. The log includes such information as name, company, badge type, access card, cage key #, check in and out times, etc. Access logs are reviewed daily to ensure that visitors are properly signed in and out by the security staff.

Annual Security Training

We thoroughly train our security personnel on the processes and procedures they are to follow. We also conduct regular internal audits to ensure compliance with our corporate security policies and the industry-best practices we've implemented. M&O Certification verifies that.

Summary

Physical access to a data center and the security zones inside the facility are tightly controlled. Not everyone can get in. No one is free to just move about. We see to that. Like we said at the top of post -- data security starts with physical security. You can have "peace of mind" that your infrastructure and data are completely safe. The bottom line is reduced exposure to downtime.

Check out the Advance Cloud Security we have for protecting your enterprise systems and data. In fact, you can start with a free CenturyLink Cloud trial today. Look for Part 2 in the series. It covers physical protections related to power equipment, cabling, smoke, fire, humidity, and lighting, etc.