Modern data centers are no longer data storage facilities complementing the IT infrastructure for businesses. Data centers have evolved into the core operational hub of most businesses, handling real-time business data. As the need for such data centers has grown exponentially, so have the security threats and the need to have an absolutely secure center.
Why does physical data center security matter?
I want you to take a minute and think back to 2004 when Omar Gonzalez jumped the fence at the White House and made it into the building - all because nobody locked the front door. Imagine your business got hacked and you had to explain to all your customers, investors, and the general public why you were hacked. Imagine just how awful appearances would be if that explanation was, “we didn’t lock the door.”
The news of another hacked website or database stolen with credit cards and social security numbers occurs so frequently you probably tune it out. It’s true; those types of hacks happen daily. But what happens if somebody gains access to a building holding all those servers? It’s simple; a bad actor can easily compromise the data on ALL the servers in a building. One little device can capture incredible amounts of data that can destroy a business and its reputation.
Where does physical data center security fail?
In the last 15 years, I've helped operate data centers, managed service providers and cloud companies, and the security of the infrastructure inside those data centers has always been one of the biggest challenges.
Typically, the most significant risk comes not from nefarious actors or an inability to keep the buildings locked against people who shouldn't be in them, but from ordinary human courtesy. Our human instinct is to hold the door open for a colleague or friend, and training to prevent this and reteach norms isn't often successful. The instinct is to look at somebody and say, "I know who that is, he's the COO" and hold the door open. The instinct is to open the door and keep walking without ensuring the door closed behind you, thus allowing somebody to piggyback on your card swipe.
A terminated employee may not have returned their badge. If the entire company doesn't know that person no longer works for the company, social engineering potentially exposes your data center: the former employee can put on their badge and walk into the building by asking a former colleague to let them in "because my badge isn't working." Our innate human instinct to help another person is dangerous to data center security. While all data centers should have routine training for accessing various parts of the data center and office buildings, human instincts often step in and allow people to access secure areas where critical infrastructure such as power systems or servers resides.
Data center mantraps and government regulations
In a typical data center, we build mantraps to restrict access. It's a simple concept. There is a door that leads to an empty room. To enter the empty room, you must gain access via your badge, fingerprint, PIN, retinal scan, etc. Once you are in the room, there is another door to give you access to the data center. You have to use your same badge, fingerprint, PIN, etc. to open the door to the data center; however, the second door won't open unless the first door is closed and locked. Why do we do that? It helps prevent piggybacking, in which an unauthorized person grabs the door behind you and walks into the data center.
Mantraps are a fantastic tool and are used in most data centers around the world. What many folks don't realize is that some local governments ban the use of mantraps because they are a potential fire hazard and do not allow you to exit through all egress points without a delay. In cases like that, your options are limited, and data centers tend to rely solely on humans to protect access to the critical infrastructure.
What do you do about it?
As technology has progressed and AI has expanded, companies like Oloid have filled the gap where needed. Facial recognition takes away the need for insecure physical badges that can be lost, stolen, or reproduced easily and used as part of social engineering.
The ability to use facial recognition throughout the data center helps drastically reduce the risks of social engineering and also allows security teams to be alerted to people in an unauthorized space. The key is to expand your thinking beyond just the ingress points to the data center and also use facial recognition via your cameras throughout the building. Technology now allows you to monitor faces in secured areas - so if somebody is able to bypass your physical security and gain access to a secured area, the facial recognition system can highlight an unauthorized face for your security team to immediately take action.
The great thing about an AI-based software-centric approach is that one can add triggers and rules dynamically. The computer vision models identify the face of the person who gains authorized access, but you can use additional logic for tailgating detection. If a person attempts to tailgate behind an authorized person who has just scanned their face to gain access, the AI software can capture the face of the follower and execute the appropriate security protocol. If the follower is not permitted, appropriate action can be triggered, such as notifying the physical security team and/or (temporarily) disabling the access to the data center until the alarm is cleared.
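The tailgating rule described above can be sketched as a small rule engine. This is an added example, not code from the article or from any vendor; the class, the roster IDs, and the policy of logging (rather than alarming on) an authorized follower are assumptions, and face identities are assumed to be already resolved by a vision system, with `None` standing for an unrecognized face.

```python
from dataclasses import dataclass, field

AUTHORIZED = {"emp-014", "emp-027"}  # constructed roster for one door

@dataclass
class DoorController:  # hypothetical name, for illustration only
    authorized: set
    locked_out: bool = False              # True while an alarm is pending
    alerts: list = field(default_factory=list)

    def handle_entry(self, scanned_id, faces_through_door):
        """Process one door cycle: the identity matched at the reader and
        every identity the camera saw crossing the threshold."""
        if self.locked_out:
            return "denied: alarm pending"
        if scanned_id not in self.authorized:
            return "denied: not authorized"
        followers = list(faces_through_door)
        if scanned_id in followers:
            followers.remove(scanned_id)   # the scanner is not a follower
        intruders = [f for f in followers if f not in self.authorized]
        if intruders:
            # Unpermitted follower: notify and disable access until cleared.
            self.locked_out = True
            self.alerts.append({"scanned": scanned_id, "unauthorized": intruders})
            return "alarm: unauthorized follower"
        if followers:
            # Permitted follower who skipped their own scan (assumed policy: log).
            self.alerts.append({"scanned": scanned_id, "unscanned": followers})
            return "granted: follower logged"
        return "granted"

    def clear_alarm(self):
        self.locked_out = False

def run_demo():
    ctl = DoorController(set(AUTHORIZED))
    events = [  # constructed sample door cycles
        ("emp-014", ["emp-014"]),
        ("emp-027", ["emp-027", "emp-014"]),
        ("emp-014", ["emp-014", None]),    # unrecognized face follows
        ("emp-027", ["emp-027"]),          # arrives during lockout
    ]
    results = [ctl.handle_entry(s, f) for s, f in events]
    ctl.clear_alarm()                      # security team clears the alarm
    results.append(ctl.handle_entry("emp-027", ["emp-027"]))
    results.append(ctl.handle_entry("ex-emp-099", ["ex-emp-099"]))
    return results, ctl
```

The lockout branch is what makes the rule stricter than a badge reader: one unpermitted follower blocks every later entry, including authorized ones, until the alarm is cleared.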
It is still early days for the application of computer vision in the world of data center security. As solutions such as Oloid develop more sophisticated business rules around identity and access authorization, it is reasonable to assume that it will not be long before physical security becomes proactive, agile and automated like the world of cybersecurity.
Vik Patel is a driven entrepreneur and executive with 15 years of experience building client-focused cloud computing, data center, and software development companies in addition to strong leadership teams. He has a wide range of experience spanning technology such as strategy, infrastructure, compliance, operations, and mergers and acquisitions.