Changes in the way we use technology to support business and infrastructure through the Internet of Things and Edge Computing, are meaning that it is often desirable, and sometimes necessary to have data centres located at sites that either offer better connectivity to Internet backbones or to provide a level of connectivity between sensors and systems that simply was not needed before for improved performance, monitoring, real-time automation and even-self-preservation.
Taking advantage of IoT and Edge data centres can often mean placing technology in locations that are not normally staffed for a range of reasons including, remoteness, weather conditions or cost. In these situations where the technology is usually performing a critical role, perhaps in an oilfield, renewable energy site, or on a cell tower, it is paramount that it remains secure. Not software secure but physically secure against vandalism, illegal entry, theft and the environment.
LPS1175
Physical security is an area that we have seen steadily move up the priority list in recent years, where previously areas such as flood, fire and power contingency may have taken priority. In some ways this is because those features are just expected, but another reason is the volume of data and applications that a typical DC serves to its organisation.
The size of the DC is almost irrelevant, it’s what the DC does for the organisation and the type of data it holds or processes, and the applications it runs. With the advent of IoT, those applications can be responsible for almost any aspect of a chemical processing plant, utility company or communications infrastructure.
The art of securing a data centre lies in having a strong understanding of the Loss Prevention Certification Board’s LPS1175 standard. The aim of this standard is to assess the physical resistance of security products when various types of unauthorised access tools are used against them. Depending on how a product performs it is given one of five different grades, according to the time and tools likely to be used by somebody wanting to subvert those products to get at whatever they are protecting. Essentially the standard provides a buyer’s guide that those designing a data centre (or anything else that needs protecting) can use to ensure the selected products meet the level of protection they require.
For those that have not looked at LPS1175 for a while, or perhaps are coming to it for the first time, here is brief summary of the gradings most commonly encountered in data centre design, whether modular or purpose-built design methodologies are being adopted.
It is very important to note that individual categories of products have specific requirements for each grade of the standard, specifying both the tools and time over which they are tested for maintaining security.
SR1 – Products in the category are broadly secure against an opportunist attack by bodily force using minimal tools (e.g. screwdriver, knife or pliers)
SR2 – Again an opportunist attack but with tools of a higher mechanical advantage (e.g. those listed in SR1 plus bolt cutters, claw hammer or a drill, for example)
SR3 – Attacks at this level are deliberate forced entry of protected premises using bodily force and a selection of attack options (e.g. SR2 tools plus axes, chisels, crowbars or blow torches of some kind)
SR4 – Forced entry at this level is by experienced individuals that have planned an attack with stronger, possibly powered tools, such as a felling axe, sledgehammer, steel wedges, disc grinder or jigsaw
SR5 – Products at this level have to withstand serious attempts at forced entry with top end battery power tools used by fire and rescue teams (e.g. SR4 tools plus circular or reciprocating saws with specialist blades). SR5 is a significantly higher level of protection to SR4, covering specialist cutting tools.
The standard itself goes into a lot more detail than there is space to cover here, but those wanting to learn more should visit www.redbooklive.com. The current standard can be read at http://www.redbooklive.com/pdf/LPS1175.pdf. The Redbook Live is a website managed by the LPCB and contains a lot of useful information including listings of suppliers and products it has tested – making it an invaluable source for those specifying products to secure a data centre.
The container option
You’ve probably heard the term ‘containerised data centre’ and associate it with huge data centre projects, such as those run by the public cloud vendors with tens of thousands of servers and the need for constant growth. In those instances, they are chosen for speed, cost effectiveness and ease of installation, but those benefits are not only true when working at scale. They can offer a very secure and flexible solution for remote data centres - depending on the internal configuration they can also perform very well in high density applications. They are also stackable up to 9m and at the design stage can be extended if specified as a requirement. In addition, these containers can be LPS 1175 certified, meeting the security protection outlined above. In an emergency, containerised solutions can also shine as part of a disaster recovery plan if already fitted out with the infrastructure, where they can be rapidly deployed to a site as a temporary solution.
The important thing to remember with containerised data centres, is that they are not all made equal. Some are designed from the ground up to comply with Lloyds Accreditation, meeting ISO & CSC standards. Others, sadly, are little more than a butchered shipping container.
The growing love for the micro data centre
For decades, organisations with branches have had the ‘Comms or Server Cabinet’ lurking in the corner of a room to support their connectivity and IT needs. But, with more computing power being squeezed into smaller spaces, and energy needs dropping, that cabinet has evolved into the Micro Data Centre (MDC). These units can be highly secure, and of course mean that building security that may already be in place, essentially layering them in protection.
The key to success
The essential thing to remember when considering security, is the value and importance of what you are protecting, and the subsequent damage to your organisation should a security incident occur. You are not just trying to stop criminals breaking in, you are trying to delay their chances of success so that security patrols or the police can arrive on site once alerted. In the same way that your
software and hardware requirements evolve to meet the demands of user needs and the security threats that you may face, physical security must adapt too. A small data centre room that performed a trivial role, may suddenly contain servers, data, and other infrastructure that could bring your entire operation to a standstill if a breach occurs whether through criminality or an act of nature. The physical assessment of a data centre is as important as the way you assess and specify the hardware that sits in it.