Smart cabinet access system for data centre

April 18th, 2016, Published in Articles: EngineerIT

With the digital revolution now in full swing, online transactions, mobility, social media and big data continue to increase the amount of information being transmitted, stored and accessed by businesses and consumers anytime, anywhere and on any device. And it’s all happening through the data centre. With virtually every task in every type of business involving the transmission of digital information across networks, data centres have become as integral to today’s economy as factories were in the late 1800s and early 1900s.

Much of today’s digital information being transmitted and stored via the data centre is private, valuable and must remain secure. From personal medical information and financial transactions to intellectual property and national intelligence, a wide range of mission-critical, private and confidential data that spans multiple industries is required by privacy regulations to be protected from unauthorised access.

Protecting that data is also imperative to maintaining corporate image and preventing serious financial risk. According to Privacy Rights Clearinghouse, more than 234-million records with sensitive credit card information have been breached within the past decade, and just in the past year, several large retailers and online entities lost millions following security breaches and ultimately experienced reduced customer confidence.

Today’s enterprise data centres are at the core of protecting and securing digital information, and external cyber security controls such as antivirus, encryption and firewall technologies have come a long way over the past decade. However, physically securing private and confidential information in the data centre is equally important – especially since the largest share of security incidents originates from within.

According to a 2011 survey by Gabriel Consulting Group, more than 60% of today’s security breaches are at the hands of company insiders or others with legitimate data centre access. Consequently, there is a need for better physical security and access control in the data centre at the cabinet level where the network equipment that transmits and stores data resides.

Why cabinet-level security?

While physical security in the data centre is a key part of industry regulations surrounding the protection of data, ensuring appropriate physical security of network equipment within data centres has often been overlooked.

With advanced external network security like firewalls and encryption, many businesses consider access control at the room level to be sufficient. Many also fail to recognise the potential for internal threats and the need to bring physical security to the cabinet level and deploy methods for accurately identifying culprits when a security breach occurs.

Security breaches at the hands of company insiders can include vendors, contractors, consultants, maintenance personnel and others with legitimate access to the data centre. For example, many data centres have areas dedicated to specific systems and outside vendors have access to the data centre to install, upgrade and maintain their equipment. This is very common in hospitals, universities and large hospitality venues. Colocation data centres that lease space to customers who are responsible for installing and maintaining their own equipment need to be especially careful due to the number and range of individuals frequenting the facility.

Internal IT staff with authorised access can also be a threat, including employees who are disgruntled, aligned with outside criminals or stealing data for monetary gain or for leverage at another company. For example, a network technician with access to storage devices can easily steal valuable account information or intellectual property using a simple thumb drive. As a result, the need to bring physical security down to the cabinet level in the data centre environment has become paramount.

While most privacy regulations recommend or require some level of monitoring, alerting and auditing, they lack details regarding implementation and processes. Consequently, businesses are often left to determine the appropriate physical security methods based on the information they need to protect. A cabinet access system specifically designed for the data centre environment with customisable management, administration and reporting can go a long way in providing superior physical security that complies with industry regulations.

Fig. 1: A cabinet access system with the flexibility to define access by the front or rear cabinet door, individual cabinet or row / group of cabinets can support a variety of data centre environments.

Deployment considerations

When it comes to selecting a cabinet-level access system for the data centre, there are several considerations, including:

  • Ease of deployment: Cabinet access systems should be easy to deploy on any cabinet with components that do not take up valuable rack-unit space allocated for network equipment.
  • Flexibility: The system should have the flexibility to support a variety of data centre environments, including individual cabinet-level access or group-level access for end-of-row (EoR) configurations or pod-based data centres where rows or groups of cabinets are often segregated by function. Another consideration is the ability to support both front and rear cabinet door access separately as some data centres may have different teams responsible for accessing the front and rear of equipment (see Fig. 1).
  • Scalability: Cabinet access systems should be scalable, just as data centres should be scalable. Centralised IP-based access systems with components that reside on the network and are centrally managed from a single software-based platform have virtually no limit to the number of cabinets or groups of cabinets that they can control. This allows the system to grow as the data centre grows.
  • Smart access: Cabinet access systems should use smart access technology rather than keyed locks. Keys are easily misplaced or passed from one person to another, and a keyed lock cannot tell you who actually turned the key, so culprits often cannot be identified after a breach. Managing who holds keys, when they should have access and retrieving keys promptly when access levels or personnel change is also difficult, which widens the window for unauthorised access. Card access systems should be based on current smart card technology such as iClass rather than standard low-frequency proximity cards, whose identifier is transmitted in the clear and can easily be copied onto a duplicate card. iClass-based systems authenticate and encrypt the exchange between card and reader, which makes straightforward cloning far harder. One caveat a practitioner should keep in mind: the keys of the original iClass Standard Security and Elite generations were recovered and published by researchers between 2010 and 2012, so the real protection comes from the current card generation and a site-specific key set, not from the brand name on the card.
  • Biometric capabilities: Cabinet access systems that offer a biometric option can provide a further level of security and help facilities meet auditing requirements. Fingerprint readers, for example, require the person to be physically present, so an access record is tied to an individual rather than to a token that may have been lost, lent or stolen. The strength of that audit trail is bounded by the reader’s false acceptance rate and its resistance to spoofed prints, so for high-security cabinets biometrics are best combined with a card or PIN rather than relied on alone. Biometric access is also convenient for the user: there is no card to carry or password to remember.
  • Advanced security features: Another security feature to look for in a cabinet access system is dual custody mode. Commonly used in extremely high security environments, dual custody requires two different users to be present to successfully authenticate access. Three-point latching systems can also offer better security by immobilising both the top and bottom of the cabinet door rather than just at the lock. The communication between readers and the system should also be encrypted for improved security.
  • Superior reliability: When selecting a cabinet access system, redundancy and stand-alone capability are critical to reliability. If the network on which the access system runs fails, each controller should continue to decide access locally against its stored policy, record access events locally and upload them to the central database once connectivity is restored. Systems using ring topologies can re-route signals if the circuit is broken at one point. Systems should also keep cabinets secure during a complete power failure, which in practice means locks that fail secure (with a controlled mechanical override so equipment remains reachable in an emergency) rather than locks that release when power is lost.
  • Centralised management: Advanced management software capable of managing thousands of cabinets and users should be part of any cabinet access system. The software should be easy to set up and configure, and should receive access attempts, alarms and other events from each cabinet in real time so that the appropriate staff can be alerted at workstations or remotely on phones and hand-held devices. System features such as the ability to remotely lock or unlock specific doors, or to place the entire system into full lockdown in the event of a breach, add a further level of control. The system should also alert immediately when a connection is cut or a cabinet door has been forced.

Fig. 2: The ability to partition a system’s IP-based controllers and their cabinets into zones and create and assign users to specific user groups with access parameters can facilitate managing, administrating and controlling access to cabinets based on facility, spaces, function or users.

  • Reporting capabilities: The ability of a cabinet access system to store events and generate detailed audit reports that indicate which users accessed which devices at what time and for how long, can be vital for compliance with security regulations that require specific reporting and auditing. The ability to customise and automate reports is also a key benefit for capturing the required information when it is needed.
  • Zoning capabilities: A quality cabinet access system should have the ability to group the system’s IP-based controllers and their cabinets into smaller zones to facilitate management and reporting based on individual facilities, specific spaces, functions or tenants / customers within a single data centre or colocation facility (see Fig. 2).
  • User parameters: The system should allow a variety of user parameters and access levels to be set up for a specific environment, including full administrative access, access for monitoring and control, zone access, or standard users with access to specific cabinets. The ability to assign users to manage individual zones is ideal for letting tenants administer their own zone within a colocation centre. Being able to set up user groups with access to specific cabinet doors, together with parameters such as timebands that permit access only during specific hours, is ideal for data centre operations with multiple shifts. User groups and timebands are also ideal for setting up temporary access for maintenance personnel or visiting vendors, and such temporary access should carry an explicit expiry so that vendor credentials do not outlive the engagement (see Fig. 2).
  • System integration: Regardless of which cabinet access system is selected for a data centre, the ability and ease of integrating and exchanging information with other systems that reside on the network can make for an overall smarter, more secure computing space. For example, through simple network management protocol (SNMP) traps, queries and syslog files, information can be shared with other security and building automation systems or with data centre infrastructure management (DCIM) systems for monitoring, alarm and control. Systems that use iClass-based smart access cards can also integrate with other iClass-based systems – a facility’s existing smart cards can be programmed for cabinet access in the data centre, which can cut down on deployment costs.
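
The access model sketched in the bullets above (separate front and rear doors, user groups, timebands, dual custody, a real-time event log that flags forced doors, and an audit report of who opened which cabinet and for how long) can be pinned down in code. The following Python is an added example written for this article, not the vendor’s software; the class names, user and cabinet identifiers, the 30-second pairing window and the sample scenario are all constructed for illustration.

```python
"""Cabinet access policy (user groups, timebands, dual custody) with an audit trail.
Added illustration, not the product's own code; every identifier below is hypothetical."""
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Event = namedtuple("Event", "when kind door user detail", defaults=("", ""))  # kind: credential/door_open/door_close/alarm
Timeband = namedtuple("Timeband", "days start end")  # days: weekdays 0=Mon..6=Sun; start/end "HH:MM", end exclusive
UserGroup = namedtuple("UserGroup", "doors timeband")  # doors: ids like "CAB-07/rear"; front and rear are separate

def in_timeband(tb: Timeband, when: datetime) -> bool:
    return when.weekday() in tb.days and tb.start <= when.strftime("%H:%M") < tb.end

@dataclass
class Policy:
    groups: Dict[str, UserGroup]
    membership: Dict[str, Set[str]]   # user id -> names of the groups the user belongs to
    dual_custody: Set[str]            # doors that need two different users within a short window

    def authorised(self, user: str, door: str, when: datetime) -> Tuple[bool, str]:
        matches = [self.groups[g] for g in self.membership.get(user, ()) if door in self.groups[g].doors]
        if any(in_timeband(g.timeband, when) for g in matches):
            return True, "inside group timeband"
        return False, ("outside timeband" if matches else "no group grants this door")

class CabinetController:
    """Decides credential presentations, follows the door sensors and keeps the event log."""

    def __init__(self, policy: Policy, pair_window: timedelta = timedelta(seconds=30)):
        self.policy, self.pair_window, self.log = policy, pair_window, []
        self.pending = {}    # dual-custody door -> (first user, time) awaiting a second user
        self.unlocked = {}   # door -> (user, unlock time) for grants not yet followed by an open
        self.opened = {}     # door -> (user, open time) while the door is open

    def present(self, user: str, door: str, when: datetime) -> bool:
        ok, why = self.policy.authorised(user, door, when)
        if ok and door in self.policy.dual_custody:
            first = self.pending.pop(door, None)
            if first is None or first[0] == user or when - first[1] > self.pair_window:
                self.pending[door] = (user, when)             # keep waiting for a *different* user
                ok, why = False, "dual custody: waiting for second user"
            else:
                why = f"dual custody with {first[0]}"
        self.log.append(Event(when, "credential", door, user, ("granted: " if ok else "denied: ") + why))
        if ok:
            self.unlocked[door] = (user, when)
        return ok

    def door_open(self, door: str, when: datetime) -> None:
        grant = self.unlocked.pop(door, None)
        if grant is None or when - grant[1] > self.pair_window:   # opened without a recent grant
            grant = ("<unknown>", when)
            self.log.append(Event(when, "alarm", door, "", "forced door"))
        else:
            self.log.append(Event(when, "door_open", door, grant[0]))
        self.opened[door] = (grant[0], when)

    def door_close(self, door: str, when: datetime) -> None:
        user, opened_at = self.opened.pop(door, ("<unknown>", when))
        self.log.append(Event(when, "door_close", door, user, f"open {int((when - opened_at).total_seconds())}s"))

    def audit_report(self) -> List[Tuple[str, str, str, int]]:
        """One row (user, door, opened-at ISO time, seconds open) per completed authorised access."""
        rows, open_at = [], {}
        for e in self.log:
            if e.kind == "door_open":
                open_at[e.door] = (e.user, e.when)
            elif e.kind == "door_close" and e.door in open_at:
                user, t = open_at.pop(e.door)
                rows.append((user, e.door, t.isoformat(), int((e.when - t).total_seconds())))
        return rows

    def alarms(self) -> List[Tuple[str, str, str]]:
        return [(e.when.isoformat(), e.door, e.detail) for e in self.log if e.kind == "alarm"]

def demo() -> CabinetController:  # constructed scenario; users, cabinets and times are hypothetical
    day_shift = Timeband(frozenset(range(5)), "07:00", "19:00")
    vendor_slot = Timeband(frozenset({2}), "13:00", "15:00")        # Wednesdays only
    policy = Policy(
        groups={"netops": UserGroup(frozenset({"CAB-07/front", "CAB-07/rear", "CAB-12/front"}), day_shift),
                "vendor-storage": UserGroup(frozenset({"CAB-12/front"}), vendor_slot),
                "hsm-custodians": UserGroup(frozenset({"CAB-30/front"}), day_shift)},
        membership={"alice": {"netops", "hsm-custodians"}, "bob": {"hsm-custodians"}, "vendor-x": {"vendor-storage"}},
        dual_custody={"CAB-30/front"})
    c, t0 = CabinetController(policy), datetime(2016, 4, 20, 14, 0)   # 2016-04-20 is a Wednesday
    def at(seconds: int) -> datetime:
        return t0 + timedelta(seconds=seconds)
    c.present("alice", "CAB-07/front", at(0))        # granted: netops, inside the day shift
    c.door_open("CAB-07/front", at(4)); c.door_close("CAB-07/front", at(184))
    c.present("vendor-x", "CAB-12/front", at(600))   # granted: inside the vendor's window
    c.present("vendor-x", "CAB-07/front", at(601))   # denied: no group grants this door
    c.present("vendor-x", "CAB-12/front", at(5400))  # denied: 15:30 is outside the window
    c.present("alice", "CAB-30/front", at(1200))     # pending: first custodian of two
    c.present("alice", "CAB-30/front", at(1205))     # still pending: one person cannot be both custodians
    c.present("bob", "CAB-30/front", at(1210))       # granted: a different custodian within 30 s
    c.door_open("CAB-30/front", at(1215)); c.door_close("CAB-30/front", at(1275))
    c.door_open("CAB-12/rear", at(1800))             # no grant on this door: forced-door alarm
    c.door_close("CAB-12/rear", at(1810))
    return c
```

Running demo() plays the scenario through the controller; audit_report() then yields the two completed accesses with their durations, and the forced-door event on CAB-12/rear appears only in alarms(), never in the access report, because no grant preceded it. Two points the code makes that the bullets leave implicit: a denial records why (no group, outside timeband, or waiting for a second custodian), which is what an auditor actually asks for; and dual custody is enforced against a different user within a short window, so one person presenting the same card twice never satisfies it.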

Security regulations and initiatives impact all markets

Federal directives and protocols to protect classified national security information and intelligence within government entities have been in place since the 1980s, and the digital revolution has given way to several security regulations that impact all markets and industries. The following common privacy regulations affecting a variety of enterprise businesses and data centre facilities include requirements for limiting physical access to information systems, equipment and IT operating environments to authorised individuals.

  • HIPAA and HITECH: The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act focus on the protection of personal health information and electronic health records. With penalties that can reach $1,5-million a year, these two acts apply to hospitals and healthcare facilities, as well as to companies that access or transmit this type of information.
  • Sarbanes-Oxley: Mandatory for publicly traded companies in the United States and their auditors, the Sarbanes-Oxley Act of 2002 (often abbreviated as SOX) was enacted in response to the financial scandals of the late 1990s and early 2000s. The act specifies the types of records businesses must retain and for how long. SOX requires businesses to have an auditable trail of information, physical security, and a system for monitoring and reviewing access on a periodic basis.
  • PCI-DSS: Established by the payment card brands (American Express, Discover, JCB, MasterCard and Visa) through the PCI Security Standards Council, the Payment Card Industry Data Security Standard (PCI-DSS) applies to all businesses that store, process or transmit cardholder data, whether they accept cards online or offline. Requirement 9 of PCI-DSS states that physical access to data and systems must be appropriately restricted, with entry controls used to limit and monitor physical access to systems that store, process or transmit cardholder data.
  • EU General Data Protection Regulation: Adopted in April 2016 and applicable from 25 May 2018, the GDPR unifies data protection across the European Union (EU) and also binds organisations outside the EU that process personal data of people in the EU. It requires any entity that holds personal data to protect it against unauthorised access, theft and loss, and to be able to demonstrate that it does so.
  • SSAE 16: Issued by the American Institute of Certified Public Accountants, SSAE 16 is an attestation standard under which a service organisation such as a data centre reports on the design and operating effectiveness of its controls, including physical security. It is used mainly by publicly traded enterprises, financial institutions, healthcare organisations and large colocation providers. Data centres reporting under SSAE 16 typically restrict physical access through layered physical security systems, and many include biometric identification among those controls.
  • Cloud Security Alliance (CSA): With nearly 50 000 members, this non-profit organisation, working to promote security within cloud computing providers and facilities, heads several research and education initiatives to help companies ensure secure cloud computing services. They also help to assess the security of private and public cloud computing facilities, including physical security and access control.

Data centres were once viewed as supporters of a business model, but today they are the business model. With virtually all business now accomplished via the data centre, enterprise companies need to protect private data from both external and internal security breaches to comply with regulations and to protect their customers and their reputation.

As the overall need for physical security in the data centre gains attention in the aftermath of security breaches, the TIA TR-42.1 subcommittee is working on a physical network security standard that will provide guidelines for protecting critical network equipment from unauthorised access. The standard is expected to recommend the capability to detect and report unauthorised cabinet access and device connections or disconnections via DCIM. To meet the challenge of physical security at the cabinet level, government and enterprise data centres need cabinet access systems that produce a reliable, attributable audit trail, integrate with existing facility security systems, offer flexible deployment options and cut deployment and operating costs, all while maintaining regulatory compliance.

Contact Greg Pokroy, Jaycor International, Tel 021 447-4247, greg@jaycor.co.za
