Pasco County CIO Todd Bayley wanted to make sure his new data center had a strong physical security strategy in place when it opened.

Sep 24 2015
Security

Getting Physical: Controlling Access to the Data Center

Governments deploy an array of technologies to keep intruders out.
by

Jacquelyn Bengfort is a freelance writer based in Washington, DC. A social anthropologist by training, she writes on topics from education to the military, gender to fictional post-apocalyptic worldscapes.

Today, everyone knows that hackers are ready, willing and sometimes able to breach networks in search of information to misuse. Administrators, though, recognize there is more than one way in.

That’s why when Pasco County, Fla., opened a new data center last fall, it had a strong physical security strategy in place. “For us to do our job right, we have to protect not only our employees’ data, but our citizens’ data,” says CIO Todd Bayley.

Physical security seeks to guard against threats such as burglary, theft and terrorist attacks, but also fire and natural disasters. In hurricane-prone Florida, the first line of defense was selecting a protected site.

“Sixteen miles inland, on our highest-tiered ridge, is where this data center sits,” says Bayley. Additionally, the center was constructed to meet some of the highest modern building standards and employs multiple generators and uninterruptible power supplies.

With those precautions in place, Pasco County was ready to layer on protective technology.

Local Governments Keep Close Observation on Data Centers

While many state and local governments are moving away from maintaining their own data centers, Multnomah County, Ore., has good reasons to keep one.

“Control and site location: That’s what the advantages are,” says Multnomah County CIO Sherry Swackhamer. She takes a hybrid approach by employing cloud computing whenever possible and using a third-party colocation site, in addition to maintaining a small data center.

When the county prepared to open its data center in 2012, Swackhamer turned to a Portland CIO alliance to find a data center design consultant who could assist in both the physical design and security plan for the center. “They were experts in data centers, and brought in all the best practices and past experience,” she says.

Pasco County, Fla.'s Data CenterThe $11 million, 57,000-square-foot Pasco County, Fla., data center opened in 2014.

Photo: Jensen Larson

In Pasco County, Bayley used Payment Card Industry physical security standards and the state of Florida’s best practices guide for 911 centers to aid his thinking as he developed a physical security plan for the data center. Layers of technology ensure that only authorized personnel can gain access to most sensitive areas.

The locked door access has an outward-facing video camera equipped with two-way communication, so that visitors can be challenged even before they enter the facility for further screening. Meanwhile, cleared county employees can access the facility through the use of a proximity badge. Additionally, pan-tilt-zoom video cameras cover the freight and administrative entrances and all four corners of the building 24/7, Bayley says. Infrared and low-light capture technology allows the cameras to record clear video at night.

Pasco County houses the video footage in a controlled-access room, which itself is monitored with yet another camera. Add in well-lit parking areas powered by solar cells and, Bayley says, “we have no blind spots or dark spots.” 

The data center also features an Emerson Network Power SmartRow system of independently locked and keyed cabinets for a final layer of physical security.

Choosing the Right Technology for Data Centers

The city of Altamonte Springs, Fla., houses its data center in a repurposed 770,000-gallon, ground-level water tank, says Lawrence DiGioia, the city’s information services director.

As in Pasco County, Altamonte Springs employs a combination of robust video recording technology and access cards to provide the right level of physical security for the site. DiGioia partnered with the city’s law enforcement and facilities departments to create a physical security strategy and select the right technology for the job.

“It’s a combination of fixed and some pan-tilt-zoom multimegapixel IP cameras,” says DiGioia. “The ones that are outdoors are rated for all kinds of weather, with anti-fog lenses and so on.”

To enter less sensitive areas of the facility, employees need only a proximity badge, while more restricted areas require employees to also enter a PIN. Depending on the time of day, even authorized access will generate an emailed alert to administrators that someone has entered certain parts of the data center.

“There’s transparency as to what’s going on,” DiGioia explains.

To reduce the costs of physically securing a site without compromising standards, Swackhamer located her data center in the basement of a secure facility to provide a first line of defense. “There aren’t just people wandering around,” she says. All visitors to the building are already screened and are escorted while on the premises.

Multnomah County backs up the security measures in place with video monitoring, badge access for an intentionally small staff and intrusion alarms on all external doors. Round-the-clock staffing and an understated presence also contribute to physical security.

In fact, building visitors may never even realize the data center is under their feet.

“We don’t have any visible signs anywhere,” Swackhamer says. “We try to minimize awareness.”

Emphasizing Data Center Security

Above all, IT leaders understand how important physical security is to the mission.

“Protect the citizens’ data,” advises Bayley. “Don’t take any shortcuts.”

For Pasco County, the no-shortcuts approach entailed adding an additional, nontechnological element: a dedicated security officer. “We put someone full time to monitor, to watch the logs, and to not take anything for granted,” says Bayley.

Thanks to a robust security strategy and a multilayered approach to monitoring, surveillance and access control, Pasco County’s IT department can focus on the harder problem of preventing electronic intrusions, confident that their data center is defended against physical threats, both human and environmental.

Protecting the Data Center

Government I.T. leaders share their top strategies for data center physical security:

Social engineering is always a threat. “Train, train, train,” recommends Lawrence DiGioia, information services director for Altamonte Springs, Fla. Make sure employees with access to the data center understand the procedures for visitor access. For example, intruders may try to gain entry by pretending to represent vendors there to service equipment.

Tap into all available knowledge bases when formulating a security plan. “Hire people who are experts and get their advice,” advises Sherry Swackhamer, CIO for Multnomah County, Ore. “Call peers who are building data centers to find out what best practices are.”

“Security starts with yourself,” says Todd Bayley, CIO for Pasco County, Fla. Screen and evaluate employees who are granted badge access to secure areas. This is a necessary step in protecting the data with which the government has been entrusted, such as Social Security numbers or home addresses.

Don’t just put the technology in place and forget about it; use it. “We review the surveillance camera footage periodically,” Swackhamer says. “If you’re going to have all this security, monitor it.”

Consider the specific threats you face. While plenty of general physical security guidance is readily available, “you also have to understand your local environment and what the threats are for you,” says Swackhamer. Facilities should be built to withstand the most likely natural disasters to occur in the region.

Jensen Larson

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now