While most discussions of IT security focus on logical controls, protection of the physical data center infrastructure is becoming increasingly important. The European Union (EU) General Data Protection Regulation (GDPR), which goes into effect next May, illustrates this point.
The GDPR is a strict new law governing the security and privacy of the personal data of anyone living in the EU. Although it is designed to standardize data privacy legislation across Europe, it has significant implications for companies around the world. It applies to any organization — regardless of its size or location — that collects and stores the data of EU residents.
The regulation mandates that all organizations know exactly where every instance of someone’s personal information is located and “implement appropriate technical and organizational measures” to ensure the protection of that data. Among the minimal organizational measures is ensuring the physical security of the premises where data is stored.
The GDPR isn’t the only regulation mandating physical data center security. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires that organizations restrict and monitor access to any facility that houses systems used for storing, processing or transmitting cardholder data. HIPAA prescribes “physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
Most data centers have implemented physical security measures such as electromechanical door locks, smartcard or biometric access controls, and video surveillance systems. As with all IT security issues, however, humans are the weakest link. Data thieves can gain entry by “tailgating” behind employees or posing as building maintenance personnel. Malicious insiders who have the freedom to roam through all parts of the facility can gain almost unfettered access to IT systems.
Data center staff should be educated about the risks of tailgating, sharing key cards and allowing strangers into the facility. Visitors should be escorted at all times, and their activity logged. If possible, IT equipment should be housed in interior rooms, away from windows. Emergency doors should not have exterior handles, and alarms should be triggered when these doors are used.
Each staff member should be required to enter the facility separately, using his or her own access card. Physical access controls and credentials must be managed properly and updated promptly as personnel and job roles change. All physical security policies and procedures should be documented and reviewed on a regular basis.
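The "enter separately with your own card" rule above is enforced in the access-control system as anti-passback; the following is an added example, not from the article, of the same check run afterwards over badge-reader logs so that card sharing, tailgating and use of stale credentials show up in review. The event list, the badge IDs and the active-badge roster are constructed sample data.

```python
"""Anti-passback review of badge-reader logs (added example, constructed data)."""
from dataclasses import dataclass

# Constructed sample events: (timestamp, badge_id, reader), where reader is
# "IN" for the entry reader and "OUT" for the exit reader of the data center door.
SAMPLE_EVENTS = [
    ("08:01", "B100", "IN"),
    ("08:03", "B101", "IN"),
    ("08:04", "B100", "IN"),   # B100 is already inside: shared card or unbadged exit
    ("08:30", "B101", "OUT"),
    ("08:45", "B102", "OUT"),  # exit with no recorded entry: holder tailgated in
    ("09:00", "B200", "IN"),   # badge not on the active roster: leaver/revoked
]

# Constructed roster of badges currently issued to active staff.
ACTIVE_BADGES = {"B100", "B101", "B102"}


@dataclass(frozen=True)
class Finding:
    time: str
    badge: str
    rule: str


def check_anti_passback(events, active_badges):
    """Replay events in time order and flag double entries, exits without a
    matching entry, and any use of a badge that is not on the active roster."""
    inside = set()
    findings = []
    for time, badge, reader in sorted(events):
        if badge not in active_badges:
            findings.append(Finding(time, badge, "inactive-badge"))
        if reader == "IN":
            if badge in inside:
                findings.append(Finding(time, badge, "double-entry"))
            inside.add(badge)
        elif reader == "OUT":
            if badge not in inside:
                findings.append(Finding(time, badge, "exit-without-entry"))
            inside.discard(badge)
    return findings


if __name__ == "__main__":
    for f in check_anti_passback(SAMPLE_EVENTS, ACTIVE_BADGES):
        print(f"{f.time} {f.badge} {f.rule}")
```

Each finding points at a badge holder to follow up with, which is where the staff education and escort procedures above come in.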
Locking cabinets can serve as a last line of defense should an intruder make it into the data center facility. Pod enclosures equipped with door locks can also provide an extra measure of protection. These tools are particularly important when IT equipment is housed in an office, storeroom, warehouse or other area where strict access controls are impractical.
When it comes to security and regulatory compliance, organizations are rightfully concerned about firewalls, intrusion prevention systems and other logical controls. However, the most sophisticated security tools are useless if cybercriminals can enter the data center facility and access or tamper with equipment. As organizations prepare for GDPR compliance, they should take a hard look at their physical security strategies and infrastructure, and implement policies and procedures for keeping intruders away from sensitive data.