Tip

Security and data center planning : Two sides of the same coin

Data centers have become a primary target for theft and attack. Data centers, especially those assembled quickly during the economic boom of

Shiva Shankar, VP and Head of IT Infrastructure, Reliance Tech Services

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

the 1990s, were rarely built with an emphasis on security. In today's troubled times, the mindset has to be different, hence security planning and control need to be incorporated right from the design or planning stage while developing a new data center.
 
A data center is a mission-critical facility. Therefore, the security team should be involved right from the data center's design stage. Every potential threat must be identified, and the cost to provide security for the data center must be evaluated. Let's have look at some of the key imperatives for security and data center planning in this context.   

Physical security: The physical security and controls are a crucial part of creating secure environments for a data center. A data center should be designed to withstand everything from corporate espionage to terrorism to natural disasters, so:
More stories on data center security
Fast Guides:  Data center physical security:

Let's get physical: Data center security

The security value of a hosted data center

Does SAS 70 certification mean better data center security?

Build on the right spot. Build your data center away from airports, chemical facilities, power plants, earthquake fault-lines and areas prone to cyclones and floods. The location should be away from large urban areas, high crime and traffic, and potential high-profile terrorist targets. While enhancing the structural building design, blast mitigation can also be factored in.

Have redundant utilities. The data center should have two sources of utilities such as power, water, voice and data.

Landscape for protection. Trees, boulders and galleys can hide the building from passing cars. Obscuring security devices (such as fences) can also help keep vehicles from getting too close.

Plan for bomb detection. For data centers which are specially sensitive or likely to be targets, have guards use mirrors to check underneath vehicles for explosives. As an alternative, provide portable bomb-sniffing devices.

Limit entry points. Secure access to the data center by establishing a main entrance, as well as one at back for the loading dock. Surveillance cameras should be installed around the perimeter of the data center at all entrances and exits.

Secure air handling. Make sure that the heat, ventilation and air-conditioning systems can be set to re-circulate air rather than draw in air from the outside.

Ensure two-factor authentication. Biometric identification (such as with hand geometry or fingerprint scanners) is becoming standard for access to sensitive areas of data centers.

Logical security. Logical security at the data center should start at the lowest level, the OS, and move up with securing the desktop functions and usability of applications (this is also called 'hardening' a system). The logical
To Do list for security and data center planning

-Organizational security and policies
-Asset classification and control - Personnel security
-Physical and environmental security
-Communications and operations management
-Access control
-System development and maintenance
-Business continuity management & compliance

security will involve setting up perimeter access control, network security, Web application protection, and operations and inner security layers. While setting up security for a new data center you will also need to consider vulnerability assessment, access security, data and software availability, encryption of confidential information, system protection through deployment of firewalls, and deep-defense intrusion prevention systems.

If your data center houses the data, applications and access critical to the success of many businesses, the data center must be secure and resilient enough to keep running to protect your profitability, productivity and reputation. Considering the ever-evolving security demands, secure your data center with an end-to-end security solution.

People and processes are very important in implementing effective security for a new data center, while technology is the least important component. This is because technology only provides a means to implement an organization's policies, while policies form the foundation of security in the data center. Educating users about security awareness is a great way to build a security-conscious environment. Security and data center planning needs to be considered as a pervasive, ongoing process of reviewing and revising based on the changes and challenges facing the environment of the data center.

Administrative policies must be well-defined, especially for the people who are working on confidential information, or in jobs involving access to sensitive information. These policies may include background verification, job rotation, multiple people in a confidential (or sensitive) job role, and audit.

Processes must have privacy compliance, quality service and client care. They should be aligned to provide timely results while ensuring that there are preventive, detective and corrective measures in place.

About the author: Shiva Shankar is the VP and Head of IT Infrastructure, Security - Ops & Engineering for Reliance Tech Services. Shiva is responsible for Reliance's IT infrastructure and security operations. He has extensive experience in managing large data centers, systems operations support, database operations, infrastructure planning & engineering along with security domain. Shiva ensured implementation of ITIL framework across the group's IT operations.

(As told to Dhwani Pandya)

This was first published in May 2010

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.