Future-Proof Physical Security of Data Centers for Progressively Growing (Legal) Requirements
Jan Sanders from Kentix talks about ensuring physical security for data centers in an evolving technical and legal environment.
dotmagazine: Which trends do you see for physical security in data centers?
JAN SANDERS: One major trend and very important for us is the growing awareness that compliance with requirements like GDPR and ISO 27001 is necessary and meaningful, and is becoming increasingly vital. A lot of customers approach us when they have been audited in one or the other programs, and they come to us with very urgent requirements for physical security.
We are seeing this more and more often, but we are also noticing that the requirements are increasing, and are being handled more strictly year by year. So if, for example, a complete 24/7 access documentation is a recommendation from an auditor who does the GDPR or ISO 27001 audit in one year, very often in the next year this has already become mandatory.
This means that it's very important for data center operators to understand that they should not limit their choice of system too much to what they need today, but ensure that their systems remain expandable and scalable at all times. They can also achieve this by, for example, using open standards, firmware update possibilities, etc., just to make sure that their system stays up to date and in line with their requirements, which are increasing.
When it comes to data center access, Article 32 of the European GDPR regulation clearly states that everything that is state of the art should be taken into consideration to make sure that systems that process sensitive data are secured. This means that, in the first instance, you want to keep everybody out of your racks, regardless of where the rack is. It could be in a big data center where you already have access control – you are physically present there. But a lot of data centers have requirements on colocation, for example, so the customers really want to know who has access, and when, and – if there's some leakage happening for whatever reason – then they have to document what happened. If they can't document this, then they have not followed the rules. We also now have an increasing number of really big projects where we see that single racks need to be secured from all sides, and that's the case throughout Europe.
And the reason for this – if I ask people what their pain point is – has been the audits. This comes down to ISO 27001, to the GDPR, to being classified as critical infrastructure – and we're not talking about only general data centers, but also companies and organizations running data centers. From what they’re telling us, it’s clear that GDPR is their major pain point.
For access purposes, in principle there's always some audit data tool or media, which is, in our case, very often the RFID card or token. This is the link with the person who owns the card.
dot: When it comes to access, do different data center types demand different types of solutions?
SANDERS: Access systems are required by all kinds of data centers – data centers of different sizes have, for example, an access control system from the outside to the inside, especially in colocation. We see a strong trend towards electronic protection of individual racks including – and this is a very important point – complete 24/7 documentation to meet the GDPR requirements. 24/7 documentation means that every single electronic lock needs to be online all the time, so that access data is not stored on some logs where you have to read it out, or on some tokens which could be lost, for example. So what we are really talking about is online locks. This is to prevent unauthorized access at any time, and this is documented 24/7.
But looking at different solutions in different data centers, they can differ significantly, especially in the way that access control systems are integrated into an overall system. In a large data center, for example, we see that there's very often a centralized system for the management of risks in which all relevant threats are visualized and managed, into which the access control system then needs to be integrated. These larger centers don't want to deal with single bits and pieces but to have an integrated solution. In the case of medium and small data centers and distributed infrastructures, we very often see that they solve this issue by monitoring via SNMP monitoring systems.
So yes, there are some differences – but we also see a growing trend currently that a lot of people are looking into how they can integrate solutions in the right way. There's a lot of differentiation here, I believe.
dot: What are the important elements for choosing a real future-proof system for access and documentation purposes?
SANDERS: Among many other factors, future-proof systems definitely must be highly flexible and always need to be easily integrated into third-party systems. We are really living in a world where interconnection with different systems is getting to be vital.
In modern future-oriented system architectures, things like REST APIs, WebHooks, SNMP, LDAP, IoT, PoE, master/slave mode, simplicity by design, and so forth are not just buzzwords, but are crucial tools to really create an efficient, flexible solution that will grow with the requirements. We do not believe that one big solution offered by one party is the best for the ever-growing data center of tomorrow, but the sum of the best available solutions simply and meaningfully brought together in one system. Therefore you need all these kinds of future-proof standard IP tools.
What is also very important, as I already alluded to, is that sooner or later, no one will be able to avoid real 24/7 documentation of access. This requirement stems from the GDPR, for example, and we see a growing demand for such documentation.
What companies and data center operators require is a real-time online access system in which authorizations can be changed centrally and are immediately available to every access point throughout all sites, wherever you have installed the system – even worldwide – with just a click. This must be a distributed system, so that changes can be taken care of remotely, without physical presence on the site. And, of course, the same thing applies to the documentation, which must be fully accessible in real time at all times, without you needing to access media or doors to read out the data. Future-proof systems are fully online, available all the time, and also have the right architecture and interconnectivity.
When we talk about our Kentix solution: we are quite clearly an IP system through and through, and in principle we're just following all the IT standards and also IT security standards which are needed to do this kind of thing. Looking at bigger organizations, they have virtual LANs throughout the world. So in this case, you set up your system with the help of these virtual LANs and, in principle, you get interconnection with all the individual devices throughout the world. That's essentially what IoT also stands for. And that's exactly the concept and the architecture behind our solution.
dot: What innovations do you expect to see in the coming years?
SANDERS: What I see is a trend towards the interconnectivity of different systems, which will definitely continue to grow strongly. We also see strong growth in IoT solutions for the B2B business environment – we call them Industry-IoT. The precondition for this – and that's more the innovation behind it – is really delivering on open and standardized interfaces such as REST APIs, Webhooks, and SNMP, which we already provide as a standard today. Following such an approach is the only way to make it possible to simply integrate a solution into a large variety of systems.
We also see high-level service applications suitable for different kinds of data centers. Such service applications could provide users with central access authorizations via physical or mobile access media, such as mobile phones. In this way, we believe that multi-biometric authentication could also be defined and, if necessary, executed by the user via their mobile phone.
This higher-level service application is more like a middleware which is managed by the data center operator, and used via open interfaces. The middleware is effectively the central point where you manage everything. And then our system – but also other suitable systems, or even your mobile phone – comes into play. So what we see is all about interconnection.
dot: What is the level of security awareness among the operators of small and medium sized data centers?
SANDERS: In principle, through ISO 27001 and the GDPR, the awareness has been significantly sharpened. But it definitely also depends on the size of the data center we see, and the type of core business you are in. So, for example, if you're not really directly linked with the IT industry, you would have a different focus on these mission critical issues.
We still see some data centers where it seems that they only learn through pain – through outages or data leakages, or maybe a fine.
Outages are one of the most expensive things that can go wrong in a data center, because everything is mission critical. From that point of view, every outage will cost you a hell of a lot of money. So I think people learn with the pain. I also see a lot of heads of IT departments who are very well aware of all the risks, but sometimes are not supported by their management. But I think overall awareness is definitely increasing and people are already doing quite a lot.
We haven’t yet spoken about physical security as a whole. This is very often – mistakenly, from my point of view – given a lower priority than cyber security. It has been proven that 50 percent of all hazards really result from physical causes, like overheating due to air conditioning failures, or fire as a result of cabling or human errors. Maybe this is because cyber attacks are more spectacular. But physical threats are no less damaging to an organization. The awareness has to increase in this context, to understand that physical security is also very important, not just the latest firewall.
We recommend that every company should take this very seriously and also address these kinds of physical threats quite clearly, to avoid both substantial damage and also audit problems. This can be achieved with relatively small investments using our Kentix equipment. We can also give a lot of very good advice on how to deal with these topics, and also do so in live demos where we can not only individually discuss requirements, but also demonstrate how we can solve issues with a Kentix solution that really fits with your demands.
Jan Sanders is an International Sales Leader with experience from different company structures and industries. Today, his focus is on progressing sales structures and internationalization of the dynamically growing KENTIX business. Before KENTIX, he directed DACH and European sales teams at MOBOTIX.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.