Avoiding Costly Penalties and Loss by Securing Datacenters at the Rack Level

It only takes a matter of seconds. Armed with a simple flash memory drive or USB port, an unauthorized user can quickly steal valuable data from a server rack with a working Ethernet connection. For datacenter managers, quick confirmation of access credentials is crucial in the event of a security breach, especially when faced with penalties and steep fines for non-compliance with data protection laws.

However, managing access to the datacenter is becoming more complicated as data housing facilities continue to expand their hosting capabilities. From datacenters housing information for a single organization to co-location datacenters where multiple companies are hosting their data in one location, traditional key management is becoming a significant challenge for facility managers. Personnel from one or several organizations may access the datacenter at any given time, making key management increasingly difficult to track.

As paper-based information continues to go digital and organizations move toward cloud-based data storage, regulatory bodies are placing a stronger emphasis on data protection, making it more important than ever for datacenter managers to ensure that their security administration meets industry standards. The Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act and Health Insurance Portability and Accountability Act (HIPAA), for instance, are regarded as the most significant data protection standards in the IT industry today and dictate requirements for securing and accessing information.

In response to these regulations, datacenter managers are focusing on extending physical security down to the rack level. Cabinet manufacturers are transitioning from traditional lock-and-key mechanisms to integrated solutions that combine electronic locking and monitoring capabilities for optimal security. These electronic access solutions (EAS) allow datacenter managers to easily incorporate intelligent locking throughout the facility – from its perimeter down to its servers –using the datacenter’s existing security system or through a separate, fully-networked system.

The Cost of Non-Compliance

According to a 2011 study performed by the Ponemon Institute, compliance with rules and regulations allows organizations to achieve a higher level of efficiency in their security programs. For the datacenter manager, the benefits of compliance are two-fold: it not only protects the confidential nature of the data stored within the datacenter, it also protects the datacenter from regulatory penalties and the added cost of lost productivity that may occur as a result of a data breach.

Compliance with data protection regulations covers a wide range of confidential information, from financial to medical records. Compliance with these regulations extends globally as well. More and more, data management companies are hosting information overseas for American entities, which requires them to comply with U.S. guidelines and regulations. PCI DSS for example, advises technical and operational requirements for protecting the information of credit card holders. PCI DSS includes standards for tracking and monitoring access to network resources and cardholder data, which includes server cabinets that house this information.

Organizations found in violation of data regulations face costly consequences. In May 2006, the U.S. Department of Veterans Affairs fell victim to a breach when unencrypted information on a laptop and external hard drive was stolen when an analyst removed the equipment from the facility. Estimated costs for prevention and loss in this case were $25 to $30 million. Clearly, the stakes are high.

Securing Assets with EAS

To ensure full compliance, datacenter managers are choosing networked access solutions that provide greater control through remote monitoring and digital audit trails of information. The remote monitoring capabilities offered by electronic access solutions help datacenter managers identify a violation fast – enabling them to receive updates on their computer or via text or email to their Smartphone.

An electronic access solution is composed of three primary components: an access control or input device, an electromechanical lock and a system for monitoring the status of the access point. When designing an EAS, it is important that the appropriate electronic lock is chosen for the specific enclosure and provides the intelligence, flexibility and security needed at the rack level.

Electronic locks are actuated by external access control devices, which validate user credentials and produce a signal that initiates the unlock cycle. Appropriate electronic locks can be combined with any access control device from keypads to radio frequency identification (RFID) proximity card systems, biometrics or wireless systems. The access control device can also be integrated into the electronic lock for a streamlined, integrated solution that requires minimal installation preparations.

Each time an electronic lock is actuated, an electronic “signature” is created which can be captured to monitor access – either locally with visual indicators or audible alarms, or remotely over a computer network. The electronic signatures can be stored to create audit trails that can be viewed at any time, whether on- or off-site, to forensically reconstruct a series of access events. This electronic record can store cabinet access activity including location, date, time, duration of access and specific user credentials.

This audit trail can be used to demonstrate compliance with data protection regulations and allows datacenter managers to immediately identify and respond to security breaches or forensically reconstruct events leading to a violation. Real-time monitoring eliminates the need for on-site staffing and reduces associated costs associated with managing datacenter security.

How EAS Improves Security

Physical security is critical in the protection of valuable data and IT infrastructure. A long-standing challenge for datacenter managers is combining their existing building entry with rack entry security systems. Electronic access solutions simplify the integration of these systems with the datacenter’s existing security system, allowing one cohesive security network to be used across the facility to control access.

Electronic access solutions also provide an alternative solution to mechanical locks where physical keys are required. Compared to lock-and-key systems, which have the potential for keys to be misplaced or stolen, electronic access solutions offer a more enhanced level of security through the use of electronic locks that can be activated with individual user credentials. Securing server cabinetry with electromechanical locks eliminates key inventory and distribution and ensures that only authorized personnel have access to sensitive equipment and information.

There are other ways to leverage electronic locks in datacenters as well. For example, electronic locks can link to security and environmental systems. Connecting them to IP video cameras and rack monitoring systems gives facility managers an additional tool for monitoring access activity. Electronic locks can also be equipped with a mechanical override system that enables manual access to enclosures in the event of a power failure.

Designing for Compliance

EAS is appropriate for a variety of datacenter security applications, whether providing storage for one organization, or several housed in a co-location environment. Managers of co-location environments in particular have begun to adopt intelligent locking systems due to the challenges of protecting access to individual cabinets, rather than “caging” a cabinet or group of cabinets into separate areas of the datacenter. Universities have also recognized the value of EAS, especially when data storage for several academic departments is pooled in one location. Compliance also affects universities operating a medical branch or patient care facility, as confidential data stored there is protected under HIPAA.

Electronic access is highly adaptable to both structural designs and control mechanisms that are already in place. Often, building access cards or ID badges are already part of an organization’s proximity card system; using them for rack level access eliminates the need to create new or separate credentials. Only one device is retrofitted per structure, which means existing security parameters can easily be extended across multiple applications.

When designing a new installation or retrofit, it is important to select an electronic lock based on the required depth of intelligence and protection necessary. Electronic locks such as Southco’s H3-EM Electronic Locking Swinghandle can be used on their own or as part of a complete solution that combines access control and remote monitoring capabilities. The H3-EM Electronic Locking Swinghandle with Integrated Prox Reader features a built-in reader that produces a Wiegand output, which is widely used in building security systems that utilize prox cards.

H3-EM Electronic Locking Swinghandle with Integrated Prox Reader

When connected to an access control device, such as a pin pad or wireless radio frequency (RF) controller, The H3-EM offers standalone HID card-based enclosure access control, or it can be connected to an existing building security system to control access from the building entry down to the rack level using a single, integrated access control system. The H3-EM with Integrated Prox Reader is also available with a complete networked access control system for remote control and monitoring of multiple cabinets.

The Future of EAS

Looking ahead, there are several new developments on the horizon through which technology will continue to improve the state of rack-level security and compliance within the datacenter.

• One IP and One Power Source – In order to optimize security networks, there are new efforts in the industry to advance electronic access technology into a more streamlined online system. The ability to maximize a single access controller with several cabinets linked under one IP address is a potentially substantial step forward in the electronic security sector.
• Mobile – IT manufacturers are considering using mobile devices as access control mediums. “Near-field communications” for instance, transmit signals between a mobile device and a prox card reader after an authorization code is entered via a cell phone. This development could allow datacenter security personnel to monitor activity and receive information from EAS via smartphones in the near future.
• Wireless – Running cables for server racks is a known challenge for datacenter professionals. Converting to wireless systems would eliminate installation issues and allow for an even simpler integration process. Providers would likely follow suit and develop more compact components for inside server cabinets and other IT enclosures.

Conclusion

Expectations for data security and management today have changed significantly. Regulations are driving facility managers to consider comprehensive security solutions with monitoring capabilities and digital audit trails to protect sensitive information from the threat of unauthorized access and theft. In a recent study by Gartner, it is predicted that through 2015, people and process issues will actually cause 80% of all outages affecting mission-critical services, with 50% of downtime linked to issues including configuration and hand-off issues. Datacenter managers can prevent these situations from occurring by optimizing security down to the rack level with electronic access systems. Electronic locks extend intelligent security from existing building security networks to datacenter cabinet applications. As a result, datacenter managers can ensure their facility and its equipment are protected against the risk of data breaches and any penalties associated with non-compliance.