Many people think that data center security is all about preventing cyber-threats to customers’ data and infrastructure. The truth is much more complex (as truth tends to be). Cyber-security is important, but physical security encompasses and protects against threats that many security experts deem even more critical.
Client and staff safety are paramount, but asset protection is a close second. Data centers employ an array of technology and personnel to protect the people, infrastructure and data housed within, but also the perimeter and what lies just beyond.
Our in-house physical security teams are vigilant 24/7/365, and here's a look at how we, and other security professionals like us, do our jobs.
Let’s talk tech
Smart data centers employ technology like multifactor authentication (something you have, like an access card, and something you know, like a PIN). These measures reduce threats by tightly controlling access to various areas within and without the data center. The very smartest data centers combine biometric access and knowledge-based information with advanced analytics.
Biometric authentication may include iris or fingerprint scanners, voice verification and more. It's the job of the head of physical security to determine which solution or solutions is appropriate for their facility and the clients within. In fact, iris scanners are becoming less common, while touchless fingerprint scanners that have the ability to scan four fingers at once, are on the rise.
These new scanners are just an example of the types of emerging technologies physical security professionals must evaluate before deploying. Case in point, many security experts are exploring how drones (as well as anti-drone tools) and robotics can effectively identify threats. It’s exciting stuff, to be sure, but hi-tech gadgets are just one part of our job.
Slow days? What are those?
There is rarely an uneventful day when you're the head of physical security at a data center—even the "slow" days are pretty full.
Security specialists will frequently monitor radio traffic as well as local and national news in order to identify potential threats that might put the facility in jeopardy.
Face-time is another priority. When there are no immediate threats, I walk the data center halls, and talk to employees, contractors and, of course, clients.
Regular interaction with clients is an invaluable method for gathering feedback on performance as well as noting any concerns or observations they might have.
Talking with staff boosts morale and ensures that members of the team have the right training and tools they need to do their job effectively.
Speaking of training, extensive and ongoing training are critical tools at every level—the head of physical security included. Having a workable understanding of the latest technology, processes and methodologies helps data center security professionals effectively maintain the integrity of the facility. Security personnel (and their respective skill levels) are, after all, the data center's first line of defense.
What happens when the red light flashes?
In the event of an attempted incursion, the head of physical security maintains overall management of the situation—from initial discovery to final elimination of the threat. They must ensure that there is an effective and immediate response from internal security teams as well as personnel within the building who may not be directly threatened.
While my team identifies the identity and nature of the intrusion, it's my responsibility to analyze and investigate the reasoning behind it. After detailed analysis, we often find that the intrusion wasn't malicious. Even when we don't identify any malicious intent, the exercise itself is a useful opportunity to improve our systems, processes, and training.
However, no matter the size or scope of the incident, it's my job as the head of physical security to keep clients, partners, and our management team in the loop regarding the status and final remediation of the incursion. If the threat is extremely severe, I also have the responsibility to contact local, state or Federal law enforcement authorities.
Needless to say, incursions large and small often include a commensurate amount of paperwork. We always perform post-mortems and "after-action" incident reports. They include crucial information like root-cause analyses, a description of the event as well as an exploration of potential prevention measures and process optimizations.
Expecting the unexpected
Processes for planned events are easy—continuity plans need to be in place as well as ongoing training and an inventory of regular supplies. Unplanned events are, as one would expect, trickier.
When the unexpected strikes, limiting impact is the name of the game. In our case, we draft emergency response plans, conduct drills, and perform security product research in order to narrow the window of what could be considered "unexpected."
The latter, technology research, sounds simple, but it's crucial. As I alluded earlier, outfitting our data centers with the most modern, effective technology is one way we help predict and eliminate threats against people, facilities, and infrastructure in and out of the data center.
Who's on the team?
As you can imagine, I have to be very selective with what the criteria necessary to be on our security team. We have an in-house security team—which is rare among data center providers. Because our team is internal, we can interview and hire candidates with exactly the right skill-set, experience, and personality necessary to maintain a highly effective data center security apparatus.
Often, these candidates include veterans, former law enforcement or individuals with extensive security backgrounds. No matter the person or background, having impeccable customer service communicate skills (that's the personality part) is an absolute must.
What keeps me up at night?
I'm not alone when I say that connectivity is the biggest concern. Developing effective security measures that protect infrastructure without hindering our clients' mission-critical activities requires extensive fiber-mapping.
Communication is also a constant concern. Developing and maintaining good relationships with law enforcement and with other data center security heads (whether it's inside or outside our own organization) helps everyone stay safer.
For example, on a local level we often help cross-train law enforcement so they have a more thorough understanding of potential threats. This creates a foundation for a solid working relationship and improves their ability to detect potential suspicious activity outside the data center perimeter.
Or, in the case of a potentially more serious incursion, open communication with my counterparts across the industry as well as state and Federal law enforcement can mean the difference between a quickly contained incident and a widespread disaster. I take that responsibility very seriously.
That said, as important as the role of Head of Physical Security is, without a rock-solid team like ours, I'd be a head without a body. Together, we work tirelessly to ensure the safety of the people and assets inside and outside the data center.