Carrier neutral Central London colocation server hosting data centre

Do you have the right attitude to secure your colocation data centre?

Bill Walsh, Operations Manager, City Lifeline, London

Colocation data centre users really value physical security, as was revealed not only in Telehouse’s research at the start of the year, but also in a recent survey we conducted at this year’s IP Expo of nearly one hundred IT and systems managers who visited our stand. Colocation hosting users place physical security as their top requirement and expectation of an independent colocation data centre, above power availability, redundant cooling, world-class connectivity and a central location. Customers valued physical security and trust above all of those, and they have good reason to.

Physical intrusion – it can happen

Those with longer memories may recall the spate of thefts of Sun computer systems across London at the start of the last decade. Those with even longer memories may remember the world-wide shortages of computer DRAM memory in the late 1990’s, which led to PCs all over the world being randomly stolen so their memory chips could be stripped out and resold. At an even higher level, there was the Al Quaida plot to blow up a major Docklands colocation facility and disable the UK internet (foiled by MI5). More recently it’s not uncommon to hear of disgruntled technicians walking out of a colocation data centre with their employer’s most critical piece of equipment before anyone had realised or could react. Data centre users really need to trust their colocation data centre and a right to expect that trust will always be fulfilled.

Can you be trusted to secure a data centre?

So what does a professional colocation data centre need to do to achieve that trust? Infrastructure certainly, but the most important thing by far is a real human being – a properly trained professional security guard, on-site 24 hours a day, 365 days a year, who can personally assess situations on the ground and make decision immediately. In these kinds of situations, nothing substitutes for a real, trained person.

The second most important consideration is a safe security office for security staff to work in, inside the colocation facility. They need to have a clear view of all the non-alarmed entrance points to the building by CCTV if necessary, but preferably by direct sight. Their office needs to be at reception, so they can talk to, evaluate and screen all people going in and out of the colocation facility. It needs to be strong with tough, glass shields that can be shut fast for maximum protection from potential intruders. Security guards need to be able to retreat into it for long enough to be able to think, evaluate and ring for assistance, or, in extreme cases, call the police.

Furthermore, security teams need infrastructure to support them, particularly in large colocation data centres where they cannot be everywhere at once. All possible entrances to the colocation facility should be either directly visually monitored or secured (fire escapes for example, which would never usually be opened). Main entrances should be blocked by magnetic electronically-controlled doors, so that no entrance is permitted, except when security makes a positive decision to allow someone to enter or exit the colocation facility. Where non-manually controlled exit and entry is allowed, anti-tailgate pods should be installed, so that two people can never enter on one pass.

Good access control systems are needed to control entrance to all the technical and colocation plant areas. Swipe cards are the norm, and are very effective. Doubling-up on access controls has a disproportionate effect on security; even swipe cards supplemented by a simple digilock will greatly increase security effectiveness (but don’t forget to change the digilock codes regularly). Swipe cards plus biometrics (e.g. fingerprint recognition) inside a security-controlled colocation facility is very difficult to circumvent and just the existence of such a combination will deter most security violation attempts.

Give yourself more eyes and ears

CCTV is vitally important in a colocation data centre. All external entrances should be monitored continuously, as should all stairwells and corridors. The monitors should be in the protected security office, and the CCTV control systems need movement detectors and electronic trip-wires to alert security when something untoward happens. Furthermore, don’t forget that something may happen at night when the security guard is doing his rounds, so he needs a way of being alerted when he’s not in the security office. All CCTV should be continuously recovered as experience shows that retrospective security analysis of what went on in the colocation facility is at least as valuable as real-time alerts.

Plus, as with all security systems, presentation and appearance matters. Delivering someone who sizes you up and concludes it’s too hard, is better than having fought off an attack. Security is not all about equipment (although that does matter too). It’s much more about training, attitude and awareness. It’s about having security people in the colocation facility who are continuously aware of their surroundings, are alert to unexpected changes and curious and dynamic enough to respond to change. They have to be supported by technical colocation infrastructure, but, more importantly, they need to be backed up by training, processes and procedures.

Colocation security is all about judgement

For instance, the security guard’s most important tool is not his CCTV or his swipe cards – it’s his access list – the up-to-date list of who has customer colocation authority to come and go, who may or may not allow deliveries or authorise equipment removals. It needs to be kept continuously up-to-date, both by the colocation supplier or the data centre manager, but also most importantly by the customer or colocation data centre user’s management. This requires good co-operation, procedures, collaboration and excellent contractor management.

All the security in the world is no use if a man in a boiler suit carrying a spanner can turn up at the back door, saying he’s come to fix the leak on the fourth floor and be let in without question. Delivery processes, car park controls, support authorisation and escalation procedures, all need thought and care so that when they are needed, they work first time.

Time and again surveys show that customers rate physical security as the most important service a colocation facility or a colocation data centre can offer. Security is an attitude - it is not purely about equipment. Any colocation provider or a colocation data centre operator needs to think it through carefully, implement it thoroughly, and more importantly earn his customer’s trust.