Best Practices for Data Center Risk Mitigation in 2023

Cybersecurity may get all the headlines, but protecting physical data centers against unauthorized access is equally important

Tom Langer
Abdul Khader Aslam
Best Practices for Data Center Risk Mitigation in 2023

Today’s IT leaders dedicate much of their time and resources to protecting against cybersecurity threats, and for good reason. Despite how important cybersecurity is, it would be a mistake to not also consider the risks facing your physical data centers. Physical security is a major component in the protection of the information systems that make your company’s digital presence possible. Cybersecurity and physical security must work together as part of a holistic protection strategy.

In this blog, we’ll share six best practices that can help you mitigate the risks facing your physical data centers:

  1. Establish a multi-layered security perimeter
  2. Institute robust physical and logical access controls
  3. Conduct continuous monitoring
  4. Perform regular testing to understand risks in context
  5. Empower people to be a part of the solution
  6. Design data centers for built-in resiliency

How to evolve your physical data center to a modern operating model

Enterprise operational and deployment models are reaching beyond public cloud to include hybrid cloud-based platforms for on-premises as-a-service offerings.

View Analyst Report
In the Modern Data Center: IT Engineer Installs New HDD Hard Drive and Other Hardware into Server Rack Equipment. IT Specialist Doing Maintenance, Running Diagnostics and Updating Hardware.

Establish a multi-layered security perimeter

The server, storage and networking equipment in your data centers is extremely valuable to your business, but only if it remains online. This means you need multiple layers of protection between your equipment and all those who may wish your business harm. It’s a very simple concept, but it can be deceptively hard to execute.

At all Equinix sites, visitors are required to pass through five layers of physical security before they’d be able to access customer equipment:

  • Front door to the security lobby
  • Security desk for physical check-in verification
  • Mantrap
  • Door to the colocation floor
  • Gate to individual customer cages or cabinets

These layers provide multiple opportunities to identify unauthorized visitors and deny them access. At all sites, perimeter fencing and/or lobby access is strictly controlled. At the security desk, visitors are required to verify their identity using a valid government-issued photo identification, and confirm their pre-authorization to visit the site. They’re also required to sign the access log with their name and the date/time of their visit; this gives you detailed information you can refer back to in the event of a security incident or for audit scrutiny.

The mantrap is used to control ingress and egress from the facility, and thus prevent “tailgating”—when an unauthorized visitor attempts to access the facility by following a legitimate visitor in.

Institute access controls

An effective approach to data center security acknowledges that there must be a balance between keeping equipment protected and not making things too difficult for those who do have a legitimate reason to access the facility.

For this reason, you must integrate your physical security strategy with your logical security strategy. Anyone with a valid reason to visit the data center should be able to request authorized access in advance using a clearly defined process. They should be able to make an appointment to visit the facility at a particular time; this helps ensure that security personnel will be expecting them, and that they’ll be able to pass through the previously mentioned security measures without unnecessary delay.

Regular authorized visitors who come to a particular facility frequently can utilize secure and encrypted access readers based on their stored biometric profile, allowing them to quickly pass access controls during any subsequent visits.

Equinix does not directly provide authorized access to customer equipment. Since we are a colocation provider, this access must be granted by our customers. However, once our customers have granted access to visitors, we can help ensure these visitors quickly get access to the equipment they need to access—and only that equipment.

The Equinix Smart Hands® tech support service provides one example of what this looks like at our sites. Customers can create requests for on-site support, with 24/7 availability. When a customer creates a request, it automatically provides authorization for our own technicians to access the customer’s equipment.

Conduct continuous monitoring

Physical data center security can also take a pointer from cybersecurity through the concept of zero-trust security. Zero trust does away with the idea of only trusting network perimeters. Instead, all entities are subject to recurring authentication challenges and constant monitoring, regardless of whether they’re inside the perimeter or outside.

...you need multiple layers of protection between your equipment and all those who may wish your business harm."

In a similar way, your physical security efforts shouldn’t end once a visitor is through the door. Just because someone is trusted to enter doesn’t mean they can be trusted to do whatever they want inside the facility. Instead, you should deploy monitoring technology to prevent unauthorized access—whether intentional or unintentional. All Equinix sites use CCTV cameras, motion sensors and additional biometric scanners placed at different points throughout the facility, thus ensuring visitors only access the specific customer equipment they were authorized to access.

Environmental monitoring techniques help protect our data centers against threats both from malicious actors and from other sources, such as fires. This is extremely important at a time when several recent data center fires have caused significant disruption for the affected companies.[1]

Perform regular testing to better understand risks in context

Conducting testing and drills at regular intervals can help you better understand the vulnerabilities in your data center, and how you can address them. This would include tabletop exercises (TTXs) and penetration testing, which simulates an attacker trying to sneak their way into the facility. These tests help show that having the right monitoring and access control technology is only one part of a comprehensive physical security strategy. There’s also a human angle to account for.

Penetration testers help identify areas where guards or other employees may be the weak link in the security chain. For instance, if an employee were to leave a fire door propped open while they step outside to take a break, it could undermine the security perimeter mentioned earlier.

In addition, threat monitoring can help you understand the risks facing your data centers in advance. In the case of Equinix, we have a threat intel team that performs constant monitoring using global security data sets to help us keep track of potential malicious actors “in the wild.” Any time our monitoring turns up a credible threat against one of our sites, we act immediately to ensure we’re protected against that threat.

Empower people to be a part of the solution

...your physical security efforts shouldn’t end once a visitor is through the door."

You can account for the human angle by empowering employees to play their part in the overall security strategy. To do this, it’s important to give them the right training and industry certification opportunities.

Penetration testers will often try to talk their way into a facility using props, a convincing story and an air of confidence. Just like phishing attempts in the cyber world, these kinds of low-tech attacks can be surprisingly effective because they prey on human nature. Some employees are preconditioned to be as helpful as possible, which is good in most situations, but problematic in the context of data center security.

Interacting with penetration testers helps get security guards accustomed to enforcing access controls in a manner that feels true to life. If they do ever find themselves interacting with a real attacker, they’ll know how to push back, and they’ll gain a sense of confidence that the company will support them for doing so.

In addition, certifications help ensure employees understand and know how to apply industry-accepted best practices for physical data center security. They can also be helpful to demonstrate compliance with applicable data privacy regulations in your local jurisdictions, and to provide assurance to any customers whose sensitive data you may be responsible for.

Equinix IBX® data centers are built and operated in accordance with numerous industry standards and certification programs, including Trusted Site Infrastructure (TSI). The TSI program helps ensure we’re applying current state-of-the-art guidelines for data center security and availability.

Design data centers for built-in resiliency

It’s not always possible to ward off every risk facing your data center. Because of this uncertainty, it’s important to design data centers in a way that provides built-in redundancy. This would include power redundancy, geographic redundancy and network redundancy.

All Equinix IBX data centers offer fully redundant primary power feeds, backup generators, and uninterruptable power supply (UPS) systems—both for the data center and critical mechanical equipment. Our customers can connect their equipment to these redundant power systems via dual power circuit feeds, allowing for seamless failover in the event one of the circuits goes down.

Although protecting individual data centers remains essential, globally distributed enterprises also need to implement redundancy across sites. A global data center platform such as Platform Equinix® can help provide geo-redundancy; with redundant digital infrastructure running in different metros, you’ll be able to shift traffic from one metro to another should the need arise.

However, implementing network redundancy can be complex, as it requires businesses to partner with multiple third-party network service providers (NSPs). The Equinix partner ecosystem enables this by providing access to 2,000+ NSPs in locations around the world. Equinix Fabric®, our software-defined interconnection solution, makes it quick and simple to connect with those NSPs on demand.

In addition, the Equinix Business Continuity Program is regularly reviewed and tested to make sure we’re prepared to respond to any threats facing our data centers, including natural and man-made hazards, infrastructure failure, fuel/power shortages, health threats, economic/political unrest and more.

Learn how to evolve your physical data centers for the future

As this blog shows, mitigating risks in physical data centers is a multi-faceted undertaking that requires the right combination of strategy, architecture, technology and processes. Enterprises can protect their private data centers by following the best practices outlined in this blog, but this may not be the best use of their time and resources.

This is particularly true at a time when having secure access to a globally distributed digital infrastructure is so important to enable digital transformation. Working with a leading colocation provider like Equinix could be a more cost-effective way to get digital infrastructure when and where you need it, freeing you up to focus on your day-to-day business operations.

Physical security is just one example out of many showing how data centers need to evolve constantly to help businesses thrive in an uncertain future. To learn more, read the Gartner report “How to Evolve Your Physical Data Center to a Modern Operating Model.”[2] You’ll get a closer look at how you can integrate your physical data centers into a digital infrastructure model that also includes multicloud access, as-a-service offerings, digital ecosystems, and more.

 

[1] Heesu Lee, “Fire Disrupts Services at South Korean Tech Giants Kakao, Naver”, Bloomberg, October 15, 2022.

[2] Jason Donham and Jonathan Forest, “How to Evolve Your Physical Data Center to a Modern Operating Model,” Gartner, ID G00749388, March 29, 2022.

You can account for the human angle by empowering employees to play their part in the overall security strategy."
Tom Langer
Tom Langer Vice President, Global Operations Enablement
Abdul Khader Aslam
Abdul Khader Aslam Director, Information Security, Risk and Compliance
Subscribe to the Equinix Blog