Keeping data centers secure is paramount, but this isn’t always easy for businesses to accomplish. It often depends on the location of the data center, along with the number of devices that can access it. Having access controls in place can improve security in and around data centers, but companies also need to know which ones are necessary.
For example, if unauthorized entry is not a problem at your data center, it wouldn’t be necessary to have access controls that manage it.
In this guide, you’ll learn what access controls are, along with how they can affect data center security. You’ll also find information on data center security best practices.
What is Data Center Security?
A data center is a place where information is stored, typically on servers. It can be located on-site, at another location, or managed by a third-party vendor. Regardless of where the data center is located, security protocols must be in place to prevent breaches.
Since data centers contain all the information that pertains to the business, they are often the target of hackers. To prevent cybersecurity breaches, controls that limit access to the data center are used. These controls limit access not only to the data center’s physical location but also to all devices.
Data center security best practices include everything the business puts in place to handle access, from tangible items to the controls that manage them. However, before a company can start restricting data center access and implement the appropriate controls, a risk assessment should be conducted.
A risk assessment is a handy tool that helps businesses stay in compliance with cybersecurity regulations. It will also help companies identify potential and immediate threats to the data center. Some examples of common data center threats include:
- Denial-of-service (DoS) attacks
- Breach of confidential/protected information
- Identity theft
- Theft or alteration of data
- Unauthorized access and use of network/system resources
Not only will a risk assessment identify threats, but it will also spot vulnerabilities that hackers could exploit. Some common weaknesses in data center security include:
- Software and/or security protocols improperly implemented
- Incomplete testing of systems, applications, software, etc.
- Inaccurate configuration of data systems
- Flawed cybersecurity design
- Lack of effective physical/environment access controls
- Lack of redundancy for critical systems
There are various types of access controls businesses can implement to reduce cybersecurity threats. Knowing what the weaknesses are will make it easier to know which controls are needed.
Data Center Access Controls Best Practices
Before companies start implementing access controls, it’s necessary to consider the data center tier. This is the classification of a company based on the amount of information it handles. Tier 3 and 4 businesses are typically larger and more complex, and they have more redundant infrastructure than smaller companies. This means higher-tier organizations require sophisticated cybersecurity practices for managing and protecting their data.
Even though the amount of cybersecurity needed will vary depending on the size of the data center, there are some access controls that apply to all businesses regardless of their size.
Layered Cybersecurity Measures
It is vital that all aspects of data center security work smoothly together and with other elements. This will provide a layered system that is more difficult for hackers to breach. Layered security means that hackers must break through several layers before they’re able to access any information. Even if one layer is ineffective at stopping a hacker, there are still others that will likely be able to prevent the potential breach.
Having an access list of everyone authorized to handle data should be automatic. This applies to all businesses, even those that use a third-party data center. Even at a third-party location, not everyone there needs access to the data to perform their jobs.
All businesses should operate under the “zero trust” cybersecurity philosophy. “Zero trust” is exactly what its name implies. Everything that pertains to non-public protected information (NPPI) should be viewed as “suspicious”. This includes all data transactions and movements.
The access lists should be constantly updated. Employees frequently change. By keeping these lists updated, companies can prevent breaches and mistakes by employees that aren’t authorized to handle NPPI.
More companies are realizing the value of video surveillance. Being able to constantly monitor the data center will prevent some unauthorized access and identify others. Closed-circuit television cameras (CCTVs) should be placed where all exterior and interior access points are covered. The cameras should come with zoom, tilt, and pan. Footage should be digitally backed up and archived.
Secure Access Points
Locked doors and surveillance cameras are not enough to fully secure all data center access points. Fully locking gates over access doors when the data center is deserted is an option. However, there can still be security problems during business hours.
Manned security stations will prevent unauthorized access, along with security entry points that make it impossible for an authorized employee to pass their credentials back to someone else. While these security measures will cost money, they are important practices that every data center should consider adopting.
This access control generally only applies to tier 3 and 4 companies that often have large, off-site data centers. Along with controls at all entry/exit points and on the data center floor, companies also need to employ on-site manned security. Data centers with routine security patrols typically report fewer breaches that were the result of human error – accidental unauthorized access.
Radio-frequency identification (RFID) is a technology that allows digital data to be encoded in tags. These tags or ID labels make it easier for data centers to track and manage their assets in real time. RFID labels can also be designed to send alerts the instant data is moved or altered. This allows data center employees to immediately respond to any perceived threat.
Employee Background Checks
Data centers can be busy places, especially when they manage the information for an upper-tier company. Along with the regular employees, companies often hire third-party contractors who also have to be vetted. Background checks not only help to prevent unauthorized access to data, but also give consumers confidence that the company can be trusted with their information.
Implement Exit Protocols
Employees will leave the company and others will see the scope of their jobs change. When this happens, businesses must have an exit plan in place to ensure data remains secure. Exit protocols should include collecting employee keys, updating data center access lists, and deleting any biometric information pertaining to that person. The goal is to keep data secure after access has been removed or changed.
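One way to verify that the three exit steps above were actually completed, shown as an added example rather than code from RSI Security. The record layout, names, and role labels are constructed assumptions.

```python
# Constructed sample data (hypothetical people, roles and record layout).
HR_ROSTER = {
    "alice": {"status": "active", "role": "dc-operator"},
    "bob": {"status": "terminated", "role": "dc-operator"},
    "carol": {"status": "active", "role": "helpdesk"},  # job scope changed
}
ROLES_NEEDING_ACCESS = {"dc-operator", "dc-security"}
ACCESS_LIST = {"alice", "bob", "carol", "dave"}  # dave is not on the roster
KEYS_ISSUED = {"alice", "bob"}
BIOMETRIC_TEMPLATES = {"alice", "bob", "carol"}


def exit_reason(person, roster, allowed_roles):
    """Return why a person should no longer have access, or None if entitled."""
    record = roster.get(person)
    if record is None:
        return "not on roster"
    if record["status"] != "active":
        return record["status"]
    if record["role"] not in allowed_roles:
        return "role no longer requires access"
    return None


def audit_exit_protocol(roster, allowed_roles, access_list, keys, biometrics):
    """List every exit step left undone as (person, reason, leftover item)."""
    leftovers = (
        ("on access list", access_list),
        ("key not collected", keys),
        ("biometric data retained", biometrics),
    )
    findings = []
    for item, holders in leftovers:
        for person in holders:
            reason = exit_reason(person, roster, allowed_roles)
            if reason is not None:
                findings.append((person, reason, item))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_exit_protocol(HR_ROSTER, ROLES_NEEDING_ACCESS,
                                       ACCESS_LIST, KEYS_ISSUED,
                                       BIOMETRIC_TEMPLATES):
        print(" | ".join(finding))
```

Run on a schedule against exports from HR and the access control system, an empty result means every departure and role change has been fully processed.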
Require Multi-Factor Authentication
The “zero trust” policy that companies should already be following includes requiring multi-factor authentication for data center access. When it comes to data center security best practices, this is one of the most important access controls. Strong passwords can be broken, even if they’re changed regularly. Multi-factor authentication requires authorized users to provide additional ID, often an employee badge, a fingerprint, or even facial recognition.
Securing Building Management Systems
Data center access control best practices include securing the building management systems (BMS). These are the systems that manage everything from access control, fire alarms, and airflow to room temperature. Hackers can breach these systems and potentially gain access to NPPI.
Previously, data centers would segment the management system from the main operating network. However, hackers have successfully jumped from a BMS to the network. The massive 2013 Target data breach is an example of this. With lateral movement (when a hacker jumps from one device or network to another in an attempt to get higher access privileges) becoming more common, companies need to develop new methods for securing BMS.
Data centers are starting to implement network encryption at the level where information is transmitted. This is the level that manages connectivity and routing between the endpoints. The data is encrypted during the transfer and is independent of other encryption protocols. This is a “standalone” solution to securing data only during transfer. Other encryption programs protect NPPI at other times.
Segment Network Traffic
Segmenting all network traffic will simplify cybersecurity enforcement and help contain potential threats to one sub-network. When traffic is classified according to its endpoint identity, it is isolated and independent. This makes it more difficult for hackers to access higher systems and networks, even if they are able to breach traffic at an endpoint.
Install Virtual Firewalls
Part of a data center’s security system is a physical firewall. However, adding a virtual one for customers will add another layer of security. The purpose of a virtual firewall is to monitor activity outside the data center’s physical network. It will identify packet injections in real time without using resources from the main firewall.
Packet injections are inserted by hackers as a way to gain access to a network by posing as part of the normal communication stream.
Data Center Access Controls By Tier
Not every company will need to implement every one of these access controls. Some will be unnecessary for lower-tier businesses. Most organizations already know their classification due to compliance audits. The assigned tier also applies to the required standards a company must meet to be in compliance with industry cybersecurity regulations.
Tier 1 & 2
Businesses classified on these tiers are often smaller and have their data centers on-site. Many of their required cybersecurity measures are lower in cost since these companies usually do not need to access data in real time. If a system failure occurs, tier 1 and 2 rated companies also won’t suffer financially.
Tier 3 & 4
Once an organization is classified as tier 3 or 4, higher levels of security will be required. Most, if not all, of the access controls mentioned will need to be implemented. They will need to be able to access their data in real time. These businesses will also have redundancies built in. At the higher tiers, businesses will suffer financial losses if there is a system failure.
It is becoming more obvious to companies that their data centers could become easy targets for hackers. Access controls can prevent cybersecurity breaches, especially at higher network levels where NPPI is commonly managed. The size of the company, along with other factors, will determine which access controls businesses need.
The experts at RSI Security are here to answer any questions about data center security best practices and help organizations implement them.