The importance of data security, through the application of protection measures based on electronic and physical security technologies.
by Daniela García Vásquez - Stefanía Rotavista*
Data centers are infrastructures that must be safeguarded by the high influx of information they handle on a daily basis and the amount of data that moves there. Physical security must meet certain characteristics, so this article presents some best security practices for the physical security of these infrastructures.
It is then possible to define a data center as the physical facility where all the electronic equipment necessary for the processing of an organization's information is arranged (Víctor G., 2013). These teams must be located in special places that have security measures in place to avoid the loss of information.
Currently according to ODATA (2022), Colombia has become a focus for the creation of data centers since it has a technological infrastructure that positions it as the second country in the region with better connectivity, transmission and stability. In addition, due to its potential for expansion into new technologies that are still emerging, it is the third most important market in the Latin American region. However, this growth in turn entails a range of risks of various kinds, among these: natural (hurricanes, earthquakes, tornadoes, fires, etc.) or by human actions: theft and sabotage, among others; given the criticality associated with the stored information.
At this point the importance of data security emerges, through the application of protection measures; from the control of physical access against threats that can lead to hardware theft, malicious attacks, corporate espionage and unauthorized access to sensitive equipment. (Anixter, n.d.).
All of the above implies that data leaks are not exclusively carried out by a hacker or by technological means, since if an unauthorized person enters a data center violating security, they could access a server, upload a virus, cut a cable or generate a disconnection of these. In this way, security and personnel must have security protocols that harmonize the operation of physical and human measures for the mitigation of risks.
Among the main recommendations of one of the largest data centers is the implementation of a model for risk management, based on three key points (Anixter, n.d.):
• Create a battle plan: Establish procedures to defend against threats.
• Invest time and be informed: Being connected to the world of data center security is a priority for organizations since through these the latest detected threats and the possible ways to face them are shared.
• Total organizational commitment: An organization must actively participate and commit to the level of security that is required.
On the other hand, the COVID 19 pandemic enhanced the need to carry out multiple remote activities, encouraging the use of technological means and the growing mobilization of data, which generated that companies invested even more in these data centers. This was already a harbinger in which Colombia was positioned as a good place to invest in these infrastructures and their related services, due to its strategic location and the relevance given at the governmental level to the digital revolution.
Although it is well known that in Colombia the data center industry is representative and growing for the qualities already mentioned, it is important to clarify that the location of many of these is confidential, as the first principle of security. As for the customers of this type of services, they demand the existence of relevant security measures, to ensure that reliability, availability and integrity prevail adequately.
On the other hand, security planning must take into account the appropriate geographical location to avoid the threats of the region, as well as the energy conditions necessary for the proper functioning of the equipment contained therein. In the same way, the environmental conditions must keep the equipment in optimal condition, with adequate cooling and finally the broadband connectivity it offers must allow it to operate correctly. (Pacio, 2014)
Physical security measures
However, with regard to physical security measures, the different security principles must be applied, such as confidentiality, detection, delay, response, identification, validation and registration. Confidentiality refers to the least public information exposed about your location; detection refers to alarm systems for the identification of potential intruders; the delay refers to the passive measures that must be implemented to delay criminal action.
Regarding the response, adequate mechanisms and coordination with authorities or private security must be available to neutralize possible criminal actions; while identification, validation and registration, refers to the principles that access controls must have in their design and application.
According to Anixter (n.d.) among the main systems that must be considered for data center security, there are:
• Access control: These must have a secure opening system and sensors on the doors, as well as the registration of employees (according to their profiles) in the system to guarantee identity with access cards and biometric data. With respect to visitors, only previously authorized persons may enter, complying with positive identification and in-depth control within the facilities.
• Video surveillance system: It is recommended that this system has cameras inside and near the facilities, guaranteeing the recording of images in the necessary times and informing people of this activity.
• Security in the access to the racks of the servers: It can be through locks with key or access control readers in the doors, which allow to comply with the two principles previously seen: the delay and the identification, that is, the systems must have the possibility of identifying the users who have endorsed the entry and in case of sabotage have the necessary hardness to delay the criminal action.
• Fire detection and extinguishing system: The installation must have an aspiration smoke detection system or ASD and an automatic fire extinguishing system.
• Security personnel: It is important to have trained security personnel, whose presence and activity is 24 hours a day, both in access control and inside and outside the facilities.
• Administrative measures: All of the above must enjoy adequate planning, administration, procedures and clear assigned responsibilities in order to avoid that the same security systems are the main vulnerability of the system. At this point, auditing is important as a mechanism for continuous improvement.
To conclude, Colombia has places dedicated to the storage of information such as data centers, this industry presents a boom and diversification of services and functionalities to provide quality service to its users. The management of the physical security of the data centers must be properly planned, implemented and audited within the operations that are carried out there, so that the mitigation of risks is effective. For this, the measures adopted must consider the principles of physical security explained, so that the harmony in the operation of the systems is adapted to the risks of this important sector.
* Degree work of Daniela García Vásquez and Stefanía Rotavista, of the Occupational Health and Safety Administration career of the Nueva Granada Military University.
1. Pérez, H. (2022, 25 February). Data Center: Critical infrastructure for business. ODATA - Colocation. https://odatacolocation.com/es/blog/data-center-aprenda-todo-sobre-esta-infraestructura-critica-para-los-negocios/
2. Galván, V. G. (2013). DATACENTER A LOOK INSIDE (01 ed.). Indigo Editions.
3. Pacio, G. (2014). Data centers today - data protection and management in the enterprise (1st ed.). Alfaomega Grupo Editor.
4. Anixter (n.d.). Best practices for risk management. DCD Intelligence https://www.anixter.com/content/dam/anixter/resources/white-paper/anixter-buenas-practicas-gestion-riesgo-data-center.pdf
5. Orts, J. (n.d.). Security in Data Centers. GESAB. https://gesab.com/noticias/seguridad-centros-de-datos/
6. Lanfear, T., Berry, D. (2022). Azure installations, on-premises environments, and physical security. Azure. https://docs.microsoft.com/es-es/azure/security/fundamentals/physical-security