Is Your Data Center in the Right Class to Support Real-time Learning (Part 3)?
Data privacy and security have been a hot topic in the press over the last six months. High-profile security breaches have publicized the issues we face in Information Technology around this topic. While we spend lots of time looking for threats from hackers tunneling into our data, we also want to pay close attention to the security of the data center.
Five Data Security Questions to Ask
The security question is one of five questions to answer in building or improving your district data center, to provide the reliability you need for real-time learning. The questions came out of my attendance at the Data Center Design class (course number DC125) sponsored by BICSI, the cabling industry authority. The 5 questions were:
- How reliable is your electrical system, from the utility all the way to the racks?
- Have you designed your cooling to maximize reliability and efficiency?
- What is going on under the floor?
- Have you designed and tested your security?
- What about wide-area-network redundancy?
I covered Questions 1 through 3, regarding electrical systems, cooling and under-floor issues, in previous posts. In this post, I want to discuss Question 4 – Security.
The data center is usually where most of the systems are stored that have really critical information to protect, like student information systems and employee health and payroll systems. As such, we need to take special care to protect access to this area and the information stored in it.
3 Main Types of Security Design in Data Centers
Securing the data center involves the use of all three of these components in an integrated system. By thinking about them together, we can prevent large breaches in security at the source.
Architectural design parameters have the largest influence on data center security. Several factors can minimize the risk to the data center. First, provide natural surveillance of the data center. Establish ample opportunity for potential security risks to be spotted in spaces near and approaching the data center. These could be open spaces or circulation areas with plenty of windows looking into them. In this way, intruders cannot reach the data center unobserved. The biggest deterrent to keep people from going where they should not is to provide opportunities to spot them getting there.
If the data center is located on an outside wall, provide architectural barriers like fencing and bollards to protect the wall. Any doors, windows or other openings to the data center less than 18 feet above the ground should be protected. The protection could be in the form of an architectural barrier, an electronic alarm or surveillance by a person.
Doors should be planned to provide maximum security while still meeting all fire code exiting requirements. One example is that they should “fail secure” in the event that electronic locks lose power; that is, they would remain closed and locked. Another is that they should be equipped with door position sensors, to monitor whether they are propped open for more than three minutes.
Regarding electronics, let’s think about protecting door access first. Here is information from BICSI about the three categories of authentication:
- What a person has (like keys and cards)
- What a person knows (like a password)
- Who a person is (like recognition by another human, or fingerprints and voice recognition)
For the tightest security, it is recommended that door locks or electronic access control systems include more than one of these categories. This is called multifactor authentication. This is the best way to ensure that stolen cards or passwords do not allow unauthorized access. Further, BICSI recommends that one of these multifactor authentication categories be biometric data, or who a person is.
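The following added example, which is not from the original post or from BICSI, checks a constructed door-controller log against two rules stated above: a door held open for more than three minutes, and access granted without factors from at least two categories, one of them biometric. The log format, door names and user names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Factor categories from the list above: has / knows / is (biometric).
CATEGORY = {"card": "has", "key": "has", "pin": "knows",
            "password": "knows", "fingerprint": "is", "voice": "is"}
MAX_OPEN = timedelta(minutes=3)  # door-position threshold stated in the post

# Constructed sample events (hypothetical log format, not from a real product).
SAMPLE_LOG = """\
2024-03-04T08:00:05 dc-main GRANT alice card,fingerprint
2024-03-04T08:00:07 dc-main OPEN
2024-03-04T08:00:15 dc-main CLOSE
2024-03-04T09:12:00 dc-main GRANT bob card,key
2024-03-04T09:12:02 dc-main OPEN
2024-03-04T09:16:30 dc-main CLOSE
2024-03-04T10:30:00 dc-rear GRANT carol card,pin
2024-03-04T10:30:03 dc-rear OPEN
"""

def audit(log_text, end_of_log):
    """Return a list of (timestamp, door, finding) tuples."""
    findings, opened_at = [], {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts, door, event = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if event == "GRANT" and len(parts) == 5:
            cats = {CATEGORY.get(f, "unknown") for f in parts[4].split(",")}
            cats.discard("unknown")  # unrecognized factors do not count
            if len(cats) < 2:
                findings.append((ts, door, f"{parts[3]}: single category"))
            elif "is" not in cats:
                findings.append((ts, door, f"{parts[3]}: no biometric factor"))
        elif event == "OPEN":
            opened_at.setdefault(door, ts)
        elif event == "CLOSE" and door in opened_at:
            start = opened_at.pop(door)
            if ts - start > MAX_OPEN:
                findings.append((start, door, f"held open {ts - start}"))
    # Doors never closed before the log ends count as still open.
    for door, start in opened_at.items():
        if end_of_log - start > MAX_OPEN:
            findings.append((start, door, f"still open after {end_of_log - start}"))
    return findings

if __name__ == "__main__":
    for ts, door, finding in audit(SAMPLE_LOG, datetime(2024, 3, 4, 11, 0)):
        print(ts.isoformat(), door, finding)
```

Two cards, or a card and a key, count as a single category here, which is why the second constructed entry is flagged even though two credentials were presented.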
Going beyond door access, electronic protection also involves motion sensors and surveillance cameras. Motion sensors, like door access, should involve multiple factors. This increases accuracy by preventing false readings. Most motion sensors involve at least two factors, like heat sensors for the presence of a person combined with infrared sensors for motion. Motion sensors should be activated during times that the data center is not scheduled for use. They should only be overridden by those with proper security access.
Surveillance cameras can be tied to both the door access and motion sensors. For example, each time the door is opened the camera system can turn on and provide higher-resolution coverage of the door entry. Security cameras should be protected with tamper-proof covers. There should be enough cameras to cover all entries and exits to the data center, as well as all key areas of work. High quality cameras with pan, tilt and zoom capabilities are recommended.
While surveillance may not always prevent a breach, it gives valuable evidence of what happened. It is good not only for catching people doing the wrong thing, but it limits the liability for those people who are doing the right thing. It also provides liability protection for the organization, in the event of any legal action.
Operational policies and procedures are probably the most neglected aspect of security. However, they do hold the security process together. The security plan should be written, published for all key participants and reviewed at least annually. It should be aligned with the disaster recovery plan. The security plan is an area that our district will need to address this year as well.
Per BICSI, the security plan should have the following components:
Essential Security Plan Components
- Access Control
- Alarm Policies
- Surveillance Policies
- Equipment Control Policies
- Personnel Policies
Access control establishes policies like who has access to the data center, when it is accessible, how to monitor contractors, sign-in, management of keys/badges and handling suspected breaches. Alarm policies should specify what alarms are in place, what happens to access controls when alarms go off, and who gets notified (hint: it should not be just a local alarm in the data center). Surveillance policies should specify how cameras tie into access control and alarms, and who monitors the surveillance system.
Equipment control involves tracking all data center equipment, so engineers are aware of anything missing. Equipment control policies should pay particular attention to protecting the power and cooling equipment that keeps the data center running, in case of sabotage.
Personnel policies should include hiring and termination. One particular suggestion is to conduct an exit interview with all employees having access to the data center. Per BICSI, this can help the organization reinforce non-disclosure agreements, discover lingering issues in the security plan, and prevent equipment loss through checklists. The exit interview also lets leaving employees have a chance to air their grievances, making them less likely to sabotage operations on their way out the door.
The best way to know that an integrated security plan is working is to practice it and test it. Run through simulations to review your plan. Practice reactions to alarms or breaches. Also, set up a test exercise where an unauthorized person tries to gain access to the data center. Determine from the test whether your policies are really being practiced.
Please know with this post that I am preaching to myself while I share information. We have some of the security policies in place, but learning about them has shown me where we need more work. As we work on a potential data center redesign next year in my district, I will have our team integrate security planning into the design process. I am also looking at the operational security policies we just discussed.
Let me know where you are with data center security planning by commenting on the post.
Craig Williams is the director of information services for Illinois School District U-46 in Elgin, Illinois. He and his team are overhauling the district’s infrastructure and seeding technology into classrooms, to ensure that all of the district’s culturally-diverse students have the opportunity to expand their learning and achievement. His previous work with schools, first as a building architect, then as a technology design consultant, provides him with a broad perspective on planning for improved student learning. Williams currently serves on the Board with the Illinois CoSN chapter - Education Technology Council of Illinois.