Data Centre Security: The Ultimate Guide To Protecting Your Critical Infrastructure
Over 8 million records were exposed worldwide during the fourth quarter of 2023, costing organisations an average of USD 4.45 million per successful breach.
And these losses don’t even cover half of it. Exposed sensitive data and financial records also mean reputational damage and a loss of consumer trust. The fallout of a data breach can be so severe that many companies, especially small businesses, never recover.
Many imagine physical data centre breaches to be high-profile heists filled with explosions and helicopters. This isn’t usually the case. It actually only takes one malicious individual—a covert break-in or a criminal disguised as a maintenance worker—in conjunction with a bit of carelessness to facilitate the theft of sensitive data.
Modern businesses possess growing amounts of siloed, sensitive data stores. Coupled with the growing threat posed by attackers, it’s little surprise that data centre security has taken centre stage in recent years.
We write extensively on the importance of robust cybersecurity, but in this article, we’d like to take a different angle and talk about the physical elements that go into keeping your data secure. Let’s dive into it.
What is physical data centre security?
By physical, we really just mean the on-premises security that keeps a data centre safe from things like break-ins and unauthorised access. It is also a measure that protects against environmental concerns like natural disasters and fires.
What about cyber security?
Of course, physical security is just one puzzle piece when it comes to protecting assets.
As companies transition to private, public and hybrid cloud infrastructures, cloud applications, cloud data storage and cloud service providers, cyber threats are becoming increasingly frequent. Common attacks like malware, ransomware, phishing and hacking still make up the majority of successful breaches.
As such, businesses should ensure their data centres prioritise implementing layered cybersecurity and network security protocols.
Core measures include intrusion detection and prevention systems (IDPS), next-generation firewalls, data encryption, security access controls, network segmentation, multi-factor authentication (MFA), and regular risk assessments, to name a few.
Cyber security is essential, as you can see. But in this article we’ll primarily be focussing on the physical elements that go into keeping your data secure. Let’s dive into it by discussing the three most common physical threats a data centre faces.
Understanding the physical threats to data centre security.
Physical data centre threats are usually the result of malicious individuals or negligence and, in some cases, environmental factors. Let’s take a look at the three main physical threats.
- Unauthorised access: If malicious individuals can find an entry point into a data centre, they will. This could be through tailgating (following authorised personnel through secure entry points) or exploiting problems with security systems. People can also attempt to trick staff members into granting them access.
- Insider threats: Sometimes contractors and vendors could pose a security risk. Some may steal sensitive information deliberately. Others may expose information through negligence or carelessness.
- Environmental factors: Earthquakes, floods, fires, hurricanes, and tornados can disrupt operations and cause serious damage to stored data. These natural occurrences can also impact physical security systems, making it harder to keep data centre assets safe from criminals.
Security measures to protect against physical threats.
We’ve outlined the three core physical threats. Now, let’s look at the essential security measures that protect against them.
- Location: A data centre should be in a secure location that isn’t prone to natural disasters to ensure business continuity. The outside area should be non-descript and free from overt branding.
- Physical perimeter: A sturdy and tall fence is crucial. This should be augmented with constant video surveillance and crash-proof barriers or berms, as well as constant perimeter security.
- Entry points: Data centre facilities should ideally have only one exit and entrance to limit access points for malicious individuals.
- Staff: Security awareness training is a must. Staff must be aware of their surroundings and trained to identify suspicious activity.
- Segmentation: The data centre should be segmented, with access control systems safeguarding each layer. This is the idea of granular security—a core concept behind data centre design.
- Access controls: Having varied access controls for each layer ensures that, even if a malicious individual can bypass one segment, they have many more controls to pass.
- Access logging: On top of secure access controls, maintaining diligent access logs can help staff identify unusual patterns and discover risks.
- Monitoring system: CCTV monitoring should cover every area of the facility—including each server room and the exterior. And, of course, these cameras should be monitored regularly.
- Security Teams: Access controls and alarm systems are excellent. But oftentimes, the best deterrent is people. Visible 24/7/365 security goes a long way.
- Temperature controls: Fans, internal cooling mechanisms, and airflow management prevent overheating and keep humidity at the optimum level.
- Fire protection: Fire detection and fire suppression systems are two critical concerns for data centre infrastructures. Building robust fire alarm systems and having a fire extinguisher available in every server room is crucial.
- Disaster recovery: Data centres need fail-safes that protect against both natural and human-caused disasters.
We have now discussed the physical security controls that go into creating a robust data centre. But how does a data centre actually implement these security best practices?
Implementing data centre physical security.
We recommend a basic three-stage process for implementing security. The first encompasses actual security measures. The second and third focus on protocols, procedures, and staff.
Let’s look closely at each stage.
1. Take a layered approach to security infrastructure.
The best approach to data centre security is to picture the centre as having multiple layers. By protecting each layer individually, we ensure a granular approach to security whereby, even if a malicious individual makes it through one layer, they still have many other layers to pass.
Access controls.
Implementing various access controls at different layers, including PINs, electronic key access, biometric scans and multi-factor authentication, is a solid place to start. It eliminates opportunities for a single key card or code to grant a malicious individual access to an entire facility.
Surveillance system.
Constant monitoring and security protocols at each layer are vital. CCTV should cover all areas, security guards should patrol around the clock, and logs should be maintained on everyone who enters and exits each layer.
Environmental controls.
Temperature control, humidity control and fire suppression are vital. Every data centre must ensure it has the technology to keep servers at the right temperature to prevent data loss.
Similarly, electricity monitoring, such as tracking static buildup during dry conditions, will prevent power system surges that can cause severe damage. A raised floor can also protect against floods.
2. Implement security policies and procedures.
With the core physical security measures in place, the data centre should focus on policies and procedures to ensure it adheres to best security practices.
Above all, every procedure must be outlined in a data centre security policy. Every member of staff should understand this policy and its implications.
Access logging.
Access to each layer should be properly provisioned. For instance, a maintenance worker visiting the site should only be granted the access level to the area they need to enter. Visitor access should be logged and monitored. And when these visitors leave the premises, provisions should be in place for access to be revoked.
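The provisioning, logging and revocation checks described above, as an added example that is not from the original article: a small Python audit that compares door-controller events against visitor grants. The log format, badge IDs, zone names and the `audit` function are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed visitor grants: badge -> (zones allowed, valid_from, valid_until).
# Badge IDs, zone names and times are hypothetical sample data.
GRANTS = {
    "V-1001": ({"lobby", "loading-dock"}, "2024-03-01T09:00", "2024-03-01T12:00"),
    "V-1002": ({"lobby", "data-hall-2"}, "2024-03-01T10:00", "2024-03-01T11:00"),
}

# Constructed door-controller log lines: timestamp, badge, zone, decision.
LOG = """\
2024-03-01T09:05 V-1001 lobby GRANTED
2024-03-01T09:20 V-1001 data-hall-2 DENIED
2024-03-01T10:15 V-1002 data-hall-2 GRANTED
2024-03-01T11:40 V-1002 data-hall-2 GRANTED
2024-03-01T11:45 V-9999 lobby GRANTED
"""

def audit(log_text, grants):
    """Return (timestamp, badge, zone, reason) for every event that breaks policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, badge, zone, decision = line.split()
        ts = datetime.fromisoformat(ts_raw)
        grant = grants.get(badge)
        if grant is None:
            # A door opened for a badge nobody provisioned.
            if decision == "GRANTED":
                findings.append((ts_raw, badge, zone, "no grant on record"))
            continue
        zones, start, end = grant
        in_window = datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end)
        if decision == "GRANTED" and not in_window:
            reason = "access not revoked after visit window"
        elif decision == "GRANTED" and zone not in zones:
            reason = "door granted a zone outside the grant"
        elif decision == "DENIED" and zone not in zones:
            reason = "attempt on zone outside the grant"
        else:
            continue
        findings.append((ts_raw, badge, zone, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(LOG, GRANTS):
        print(*finding, sep="  ")
```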
Data handling.
Protocols for data handling are paramount, especially for sensitive information. Data centres should have strict guidelines for data classification and storage, as well as data transfer and disposal. Aside from ensuring security and availability, this supports compliance with legislation like the GDPR.
Disaster recovery.
All data centres need a backup security plan regardless of how strong their security is. Even enormous cloud-native providers experience outages.
Having data backups and knowing where they are is a key first step. It’s also vital to ensure an authorised individual who has access to the data servers is on-premises at all times. Lastly, recovery point objectives and recovery time objectives must be outlined in the centre’s security policy.
Continuous monitoring.
Above almost everything else, the only way to maintain constant security is to always monitor the data centre. Security staff should be on site all the time. CCTV must be monitored either via remote access or on-premises. Regular security audits and penetration tests can help to find vulnerabilities. All of these things contribute to a strong security posture year-round.
3. Provide security awareness training for staff.
Despite the importance of physical security, a data centre’s staff members ultimately determine its security posture. Getting this part right is important—doing so will save a lot of stress and potentially even your reputation.
Staffing.
Data centres need the correct amount of staff to facilitate workload requirements—having enough security, technicians, and workers to act quickly if a security incident occurs. This ensures security threats can be prevented and resolved quickly.
Rigorous background checks are universal at this point, but they are especially important for data centres looking to find the right employees. This is helpful for reducing both errors and the risk of insider threats.
Awareness training.
Awareness training should be comprehensive. Provide information about security principles and how to spot suspicious activity. Staff should also understand security standards and procedures for data handling and adherence to access control policies.
Social engineering training.
Staff training also extends to outside of work. Data centres need to train employees not to disclose vital information when off shift. Consider a security guard who tells an acquaintance about his patrol patterns or reveals that access controls are down for maintenance. Understanding what cannot be shared is a vital component of effective security.
Maintaining a secure data centre environment.
Implementing a secure data centre environment is one part of the battle. However, maintaining it requires constant commitment and realignment on best practices. Here are a few things to consider.
Stay updated on security threats.
Threats evolve. The data centre that believes it has covered every avenue is the data centre that will eventually fall to an attack. Staying on top of risks is vital. On the cyber side, patch management software ensures all hardware is updated. On the physical side, it’s necessary to continually update staff training to ensure employees are prepared for advanced threats.
Stay abreast of compliance and regulations.
Similarly, compliance is always shifting. Legislation like the GDPR and CCPA regularly updates its requirements with regard to data handling and transparency. Understanding the best practices needed to adhere to these regulations will help the data centre comply. These standards also provide a strong base point for effective security.
Create a unified security culture.
The number one piece of advice we can provide to any company with a data centre is to make security a culture. Everyone, from senior management to new employees, should adhere to policies by default. Training helps with this, as does allowing employees to contribute ideas and take an active role in maintaining security.
The future of data centre security.
What does the future hold for data centre security? We’ve spoken about the evolving threats. But how are data centres fighting back?
One exciting new development is AI-powered security threat detection. Advanced algorithms can predict and detect security breaches faster than any human. That means faster response times and the opportunity to stop threats before they ever occur.
The decentralised web may also hold the key to better security. The characteristics of blockchain lend themselves particularly well to the data centre. Once a transaction is recorded, it can no longer be altered, eliminating the possibility of tampering.
Similarly, smart contracts can be used to manage access controls without human intervention—reducing opportunities for insider threats or simply human error.
Summing up.
The need for data centre security is no secret. Threats are evolving. Million-dollar fines and a loss of reputation are commonplace for those who fail to keep pace.
By layering security, ensuring suitable access controls are in place, implementing policies, providing the correct training, and committing to continuous improvement, a data centre can put itself in the best position to prevent and respond to physical threats proactively.
Want to learn more about this crucial topic? There’s a reason the Australian Federal Government trusts Macquarie Data Centres. Our leading colocation facilities and hyperscale cloud data centres make trust, security, and compliance the default. Read more about our data centres here:
- Macquarie Park Data Centre Intellicentre 2
- Canberra Data Centre Campus Intellicentre 4
- Canberra Data Centre Campus Intellicentre 5
- Sydney CBD Intellicentre 1
- Sydney CBD Intellicentre 2
- Sydney CBD Intellicentre 3
You can also check out our blog, where we report on all the latest insights into data centre management and data security. Have any questions? Contact us. We’ll be on hand to support you with all your data centre needs.
Frequently asked questions.
Yes. It doesn’t matter if it’s an enterprise or colocation facility, a cloud data centre providing a cloud network to businesses, or a data centre that supports edge computing infrastructure. Every model—on-premises or private or public cloud—requires a data centre to power it. Ensuring physical security at these centres will always be essential for a secure operation.
In almost all cases, individuals are the biggest threat to data centre security. That could be through cyber attacks, break-ins, unauthorised access, or simply human error.
Without a doubt, the most promising trend is the development of AI-based detection and threat prevention. Aside from that, blockchain offers some exciting new opportunities in the future.
Access control systems like PINs, biometrics and 2FA are a good start. Aside from that, having a strong access logging policy and a security culture is vital.
Data centres should have comprehensive disaster recovery for this exact reason. Redundant data stores and a strong incident response plan can help to prevent data loss and repair damage quickly.