The data center from hell, Part 3: Lessons learned

The long view of security strategies for your network.

In the previous two columns (see: Part 1 and Part 2), security specialist Jan Buitron reported on a horribly non-secure facility at which she worked some years ago. Today she summarizes her conclusions about the state of facilities security at this dreadful site.

In medieval poet Dante Alighieri’s (1265-1321) conception of hell, the eighth ditch of the eighth circle of hell is reserved for fraudulent counselors. [See “The Physical Structure of Inferno”] It seems to me that the people who managed facilities security for the company in question deserved to be in that particular ditch! I think that readers should examine their own facilities with a critical eye in light of this case study.

* * *

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

In the previous two columns (see: Part 1 and Part 2), security specialist Jan Buitron reported on a horribly non-secure facility at which she worked some years ago. Today she summarizes her conclusions about the state of facilities security at this dreadful site.

In medieval poet Dante Alighieri’s (1265-1321) conception of hell, the eighth ditch of the eighth circle of hell is reserved for fraudulent counselors. [See “The Physical Structure of Inferno”] It seems to me that the people who managed facilities security for the company in question deserved to be in that particular ditch! I think that readers should examine their own facilities with a critical eye in light of this case study.

* * *

Observations and Recommendations

The company needed to move the data center! There were moving plans in place when I left the company, but the plans were verbal. The underlying reason for the move was partly to improve the data center’s situation, and also the data center manager’s commute would be shorter (!).

Common sense and industry experience tell us that this case study illustrates the following principles:

* A data center site should be located in an area with well-maintained streets and adequate street lighting and storm drainage.
* The building must be away from multi-lane highways, train tracks and train tank cars full of flammable liquids.
* The data center central processing area should be located in an area central to the building with no exterior walls adjacent to critical computing equipment.
* A motion detection alarm system should protect all areas of concern including access doors, circuit breaker access and control rooms.
* The surrounding area must contain no oil refineries or chemical plants. A suitable site should be away from industrialized areas.
* The area should be away from transmission towers and sources of high-frequency radio waves.
* A data center site should include redundant power feeds to the central processing area.
* A data center site should have the ability to quickly connect to a back-up T-1 line in the event the primary line is severed.
* Circuit breakers, electrical equipment should be maintained in separate rooms with restricted access.
* The walls surrounding the central data processing area must act as complete partitions from the floor to the roof. This design prevents an intruder from climbing up and over a partial partition by lifting ceiling tiles and climbing over the wall.
* Electronic badge access should be installed for access to the server rooms.
* For personnel safety and building security, the exterior lightning should be designed for maximum visibility with reliable lighting.
* For personnel safety and site security, the parking lot should be adequately lit, well maintained and free of debris and hazards.

Conclusion

The company’s strategic planning should include a comprehensive site-security and infrastructure-security assessments as well as a disaster-recovery plan. The company’s verbal plans to move the data center included using the original processing site as a hot backup site for disaster recovery; in this case, if the move ever was completed, the original processing site should have been moved as well. All of the items listed above should be taken into consideration when selecting a new backup site.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.