Data Center Access Controls at the Cabinet and Rack Level

As data center design continues to evolve, one stalwart piece hasn’t changed too much: cabinet or rack security and monitoring. After all, how complicated can a door lock get? While most every data center will have some form of lock on their racks and/or cabinets, especially colocation facilities as they have multiple clients accessing shared floor space, not all locks are created equal. Newer technologies allow automated access logs, biometric security, wireless unlocking, and more.

With different compliance standards and security requirements for various applications, some colocation providers will install custom locks for your cabinet if necessary. Physical security measures remain vitally important, as social engineering and theft can extend to hardware and not just data. How then do data center providers go about securing cabinets and racks?

Why Secure the Rack?

With detailed access records and logs generated from visitor RFID badges, biometric access, and written entry logs, plus video surveillance, why bother locking the individual rack or cabinet? After all, NOC or support staff can easily track down who had access to which data center floor at a given time.

While this is true, a visitor could impersonate someone with security clearance in order to gain access, making them impossible to track once they leave the facility. Outside of equipment theft, which is itself a leading cause of HIPAA breaches (and other security events), malicious intruders could also plant keyloggers, video cameras, or other tracking devices on the hardware itself before leaving the facility. They could bypass external network security controls by relaying from behind the firewall or switch. Or they could simply download the information on-site and leave with a hard drive full of sensitive data.

Are There Really Innovations in Rack Security?

Ultimately rack and cabinet security remains fairly low-tech. Traditionally racks have a handle and a manual key. They may also have keycode access in addition or lieu of the regular key, as on Green House Data’s modular containment pods.

Key management can be a time consuming process and all authorized personnel must be provided with keys in this case. Keycode access makes this simpler, and assigning specific codes to individuals or groups allows some level of access tracking.

High levels of access control and monitoring and remote controls can be enabled with electronic rack access solutions. These “smart locks” are starting to crop up in more data centers and are tied to either biometric, keycard, or pin code access right at the server rack or cabinet. They validate user credentials with a central server, responding with a signal to unlock the cabinet, or unlocking remotely when instructed by an authorized user.

Electronic locks can also generate logs, simplifying audits with a detailed activity record. Unlike many mechanical locks, they can be tied into facility-wide security systems, activating alarms or lockdowns and alerting security staff if credentials are invalid or access is forced. Security knows immediately which server rack is responsible for a breach in this case.

Smart locks can be set up to only allow access during certain time periods, like when an operations team member is expected to arrive and configure a new piece of equipment; they can also be configured to only open when the correct combination of users is present, like a supervisor and a contractor, for example. Specific change or access control protocol can even be tied to lock mechanisms, so if the proper process hasn’t been completed, the lock will not open.

While they are an additional expense at many colocation providers, electronic access control at the rack level adds significant levels of security and audit trails to your server equipment, and has many benefits over cages, which can also be quite expensive.

Posted by Director of Data Centers & Compliance Art Salazar