Data centers store and share companies’ information, including any sensitive data that could damage the company if it were breached. As such, data center security is a critical area that companies must prioritize when developing and deploying their cybersecurity infrastructures. Whether you operate internal data centers or rely on third-party ones, you need to ensure you’re implementing robust data center physical security standards.
Data Center Physical & Environmental Security Best Practices
Your data center may house sensitive information about your clients, business partners, or other internal stakeholders. For this reason alone, securing the information is essential. However, if your data also includes information protected by regulatory standards—such as patient data (protected by HIPAA) or cardholder data (covered by PCI-DSS)—your protective measures must go above and beyond, implementing three layers of security:
- Data center physical protections, which concern individual devices or workstations
- Data center environmental protections, which concern access to sensitive areas
- Data center HITRUST CSF protections, including both area and device controls
By the end of this blog, you’ll be prepared to safeguard your data center from all physical and environmental threats, up to the security standards specified in HITRUST CSF.
Data Center Physical Security Standards and Best Practices
Physical security requirements for data centers depend on the specific physical and virtual assets that make up the infrastructure. For example, physical servers that are connected to individual computers and workstations require different monitoring than independent servers.
The minimum physical security standards for protecting a data center include the following:
- Lifecycle management for all devices within the ecosystem and all software on them
- Threat and vulnerability management, including regular vulnerability scans of devices
- Monitoring and access control for networks operating within or throughout the center
- Identity and access management (IAM) to authenticate and control user activities
- Cloud security across all data center devices connected to any cloud networks
Data centers also need to ensure all devices containing or connected to sensitive information covered by government or industry regulations are protected up to all applicable thresholds.
Additionally, physical safeguards involve the general areas surrounding the devices. These safeguards include protections against physical harm that impacts these areas, such as natural disasters, floods, or fires. They also include barriers of entry for physical intruders.
Challenges for Data Center Minimum Physical Security Standards
Data center security challenges center around the types of data stored and processed, along with the threats a company is likely to navigate. For the former, all data that includes personally identifiable information (PII) such as names or billing information is critical to protect, per data privacy regulations such as CCPA and EU GDPR. A PII scanner is essential.
With respect to attacks and cybersecurity events, data centers need to implement vulnerability scanning to identify and mitigate potential threats. One effective practice is penetration testing, a simulated attack in which the company studies and learns from the pen-tester’s moves and behavior. In particular, internal or “white hat” pen-testing can focus on what an attacker does once already within your systems.
Data Center Environmental Security Minimum Safeguards
Environmental protections typically involve first establishing a secure perimeter, then monitoring for activity within and around its borders. One of the most effective tools for establishing the perimeter is a firewall, which analyzes content attempting to enter or exit your environment. The firewall authorizes permitted entrances and exits and blocks unauthorized attempts.
For optimal results, data centers should also consider installing a proactive web filter, another layer that complements the firewall by further filtering any content that passes through it. This additional service focuses specifically on the most complex and advanced malware attacks.
Considerations for Data Center Environmental Security Safeguards
When implementing environmental security safeguards, the challenges center around defining the security perimeter in an increasingly mobile and cloud-based landscape. Home and remote networks carry their own security vulnerabilities. Login credentials can be compromised, leading to insider threats that are difficult to identify and mitigate.
For these reasons, data centers should consider implementing a zero trust architecture (ZTA):
- No individuals should be “trusted,” with access automatically granted, in any case.
- Access to resources must be authenticated irrespective of other access privileges.
- Network and data access should occur within limited, closely monitored sessions.
Implementing these controls can impede workflows as personnel move between resources. However, it greatly reduces loss potential across all files if an attacker does gain illegitimate access.
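The three zero trust points above can be sketched as a per-request access decision. This is an added example, not code from the article or from any product; the function names (issue_session, authorize), the grant table, the 300-second session lifetime and the resource names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo values (assumptions, not from the article).
SIGNING_KEY = b"demo-key-not-for-production"
SESSION_TTL = 300  # seconds; sessions are deliberately short
GRANTS = {("alice", "rack-42-console"), ("alice", "badge-logs")}
AUDIT_LOG = []  # every decision is recorded, allow or deny

def _tag(user, resource, expiry):
    msg = f"{user}|{resource}|{expiry}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def issue_session(user, resource, now):
    """After the user has authenticated, bind a token to ONE resource and an expiry."""
    expiry = int(now) + SESSION_TTL
    return f"{user}|{resource}|{expiry}|{_tag(user, resource, expiry)}"

def authorize(token, resource, source_network, now):
    """Decide a single request; source_network is logged but never grants access."""
    user, decision = None, "deny:malformed"
    parts = token.split("|")
    if len(parts) == 4:
        claimed, bound, expiry, tag = parts
        if not hmac.compare_digest(tag.encode(), _tag(claimed, bound, expiry).encode()):
            decision = "deny:bad-signature"
        else:
            user = claimed  # identity is trusted only after the tag verifies
            if now >= int(expiry):
                decision = "deny:expired"
            elif bound != resource:
                decision = "deny:wrong-resource"
            elif (user, resource) not in GRANTS:
                decision = "deny:no-grant"  # grants are rechecked on every request
            else:
                decision = "allow"
    AUDIT_LOG.append({"time": now, "user": user, "resource": resource,
                      "network": source_network, "decision": decision})
    return decision
```

A token issued for one resource is refused for any other, even for a user who holds a grant on both, and a request from an internal network is treated exactly like one from outside.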
HITRUST Physical & Environmental Security Requirements
One method to address both minimum physical security standards and environmental security standards for data centers is to implement the HITRUST CSF framework. HITRUST offers optimal security across all elements of your information technology infrastructure with safeguards that meet or exceed security requirements for a variety of compliance frameworks.
HITRUST’s Control Category 08.0 is titled “Physical and Environmental Safety.” It includes 13 total Control References, each of which has baseline Control Specifications and Implementation Level guidance for mapping and reporting across applicable regulations. These controls are organized under two primary Objective Names covering Areas and Equipment, which correspond to environmental protections and physical protections, respectively.
HITRUST Objective Name 08.01: Secure Areas
The first Objective Name within Control Category 08.0 is titled “Secure Areas.” It focuses on securing a company’s premises and all data housed within them. Its Control References are:
- Control Reference 08.a – Establishing a physical security perimeter – Physical barriers must be used to block off all areas that house sensitive data.
- Control Reference 08.b – Controlling physical entry into all areas – All entrance into all protected areas must be strictly monitored and restricted.
- Control Reference 08.c – Securing data-sensitive rooms and spaces – Distinct safeguards for sensitive facilities must be designed and applied.
- Control Reference 08.d – Safeguarding against external threats – Specific protections against natural disasters (floods, fire, etc.) must be installed.
- Control Reference 08.e – Ensuring safe working areas for staff – Personnel responsibilities for work within protected areas must be designed.
- Control Reference 08.f – Securing public access areas – Access, delivery, and other public areas must be protected and isolated.
The HITRUST framework provides flexible security for data centers with its Implementation Levels scaling up for greater risks and compounding regulatory obligations.
HITRUST Objective Name 08.02: Equipment Security
The second HITRUST Objective is “Equipment Security.” It focuses on devices and endpoints within secure areas, including the following Control References:
- Control Reference 08.g – Siting and protecting all equipment – Siting for protection and access control must be applied to all equipment.
- Control Reference 08.h – Supporting all sensitive utilities – Power and utility outages must not compromise sensitive equipment security.
- Control Reference 08.i – Securing cables and connections – Cables carrying sensitive information must be protected from interception.
- Control Reference 08.j – Maintaining security of equipment – Availability and integrity of all equipment must be maintained through updates.
- Control Reference 08.k – Monitoring equipment off-premises – Equipment outside of premises must be secured against all external threats.
- Control Reference 08.l – Securing equipment reuse and disposal – All sensitive information must be removed or overwritten before disposal.
- Control Reference 08.m – Authorizing all sensitive asset removal – All removal of sensitive equipment and software must be authorized.
Across these Equipment Security Control References, there are varying Implementation Levels that account for risks at different volumes or kinds of data and all corresponding regulations.
Professional Data Center Security and Cyberdefense
To recap, data center physical security standards and best practices revolve around protections installed on and around individual devices and workstations. On another level, data center environmental safeguards focus on perimeter and access controls surrounding the same devices. One of the most effective ways to implement both is through the HITRUST CSF, which details specific controls scalable to meet or exceed many compliance requirements.