Site security – converging the cyber with the physical

In an exclusive interview with Nick Smith, Business Development Manager at Genetec, we explore why greater emphasis needs to be placed on physical security

Without a doubt, cybersecurity is one of the most widely discussed, pressing topics in the data centre industry right now. Understanding and mitigating these risks is one of the biggest areas of focus for providers – and with good reason. 

But, all too often, providers make the mistake of neglecting the physical aspects of security in favour of the cyber angle. 

We spoke to Nick Smith, Business Development Manager and physical security specialist at Genetec, to find out more about the current vulnerabilities in physical security protocols, and why cyber and physical security need to be perceived as a single entity. 

The greatest vulnerabilities in physical security

“Your greatest vulnerability and your biggest threat is always going to be the people. Ultimately, we're the biggest threat to any system,” Smith explains. 

Generally speaking, this threat takes two main forms – people attempting to gain access to areas where they are not allowed and the insider threat (where someone is allowed access, but they are there with malicious intentions). To address these key threats, a more sophisticated approach to physical security is required. 

“I suppose it's easy to spend a lot of money putting lots and lots of cameras around a fence line, installing fence line detection systems, razor wire, and really securing your perimeter, but it’s far more effective if we take what we call a layered approach,” Smith adds.  

“So, we look at the perimeter – and that's going to be typically what you see on most secure sites, with cameras, fence line detection, a gate in the middle, a guard hut, and somebody checking you in and out. But, then, once you're within the facility, you've also got other layers to then get access into individual buildings and from buildings into the halls.”

At the same time, these procedures need to be implemented while still considering the experience of people who are trying to get access.

“Ultimately most data centres have got customers and tenants. So, you need to be secure, but they need to be able to get to where they need to go, without it taking up too much time. So there's a bit of a trade-off.”

Smith explains that providers have to assess each one of those layers – and the threats present within them – independently. From a perimeter perspective, it's about minimising unauthorised intruders, while from an inside perspective, it’s about evaluating the building layers and the hall layers, and managing the insider threat through authorisation. Through technology, providers can build sophisticated tools to provide this high security. 

For instance, Genetec provides a ClearID identity management system. Typically, if you needed access to a cage within a data hall, you would need to email somebody so they could perform the required checks. This could take days. Or, if emergency access is required, the likelihood of human error increases due to the added pressure. Through the ClearID product, Genetec essentially puts that request back on the owner.

“Because it uses the cloud to leverage that whole permission process, the person who owns that area gets my request. They can then do their due diligence, they can authorise it, and then the access can be granted immediately. So what we're doing is taking that process away from a security control room, which doesn't know you as a requester and doesn't know the area as an owner, and bringing it back to the owner. In this way, we’re making it a seamless, immediate access request and authorisation by utilising the cloud and getting away from emails that sit in an inbox for days,” Smith explains. 

A systematically overlooked element of data centre security

Although it's the cyber risks and cybersecurity initiatives that are making the big headlines at the moment, Smith urges that physical security is equally as important.

“When you consider the current climate, we've seen geopolitical instability, we've got rogue states, we've got nation states with malicious actors, and we know that data centres sit under critical national infrastructure. They're a genuine threat or a genuine target for nation states.”

Data is being increasingly targeted. But despite this, Smith explains that physical security is systematically overlooked in favour of its cyber cousin.

“I think that physical security is overlooked 9 times out of 10,” Smith asserts. 

“For example, what's not so clear is what we should be putting into a site (in terms of the software platform, or from a device perspective, such as the cameras). And I think that's where you have to do the due diligence on the suppliers and understand, have they got the required ISO certifications? How do they deal with known vulnerabilities? Do they publish them? Do they take cyber vulnerability seriously? Do they go through independent cyber testing?”

“They're the things that give you the confidence that you're then working with a manufacturer or supplier who essentially is working from the same hymn sheet as you are, both from a compliance perspective and from a cybersecurity perspective.” 

The next wave of physical security technologies

Improvements in data collection and analytics capabilities, and the technology required to gather this information, are set to drive major advancements in physical security technologies. 

“There's a significant evolution with hardware. I think cameras are going to keep increasing in quality, but it's the intelligence that now you get with these devices where we’ll see the biggest impact,” Smith asserts. 

“So now they aren’t just giving you an image. Now, you're seeing analytics get a lot better within cameras. This means we're getting more information about what's going on, we can detect things, we can tell a video management system to look for specific things and set alerts for specific things.”

When it comes to perimeter detection, traditionally, video systems have been widely used to detect if somebody is going over a fence. But, the primary problem with that approach is false alarms. 

“The more false alarms you get from animals or wind, the more the integrity of those alarms diminishes. So, with technology like radar – and, more importantly now, lidar – being more accurate, becoming more cost-effective, and something that can be deployed at scale, we're seeing that these traditional technologies (such as fence-side detection and optical) are being replaced by lidar technology.”

These new technologies, coupled with more advanced data analytics capabilities, are driving far more efficient and effective physical security solutions.

“So, we're seeing those different types of technology now being used for security, we're seeing analytics being used for security, and we're seeing analytics becoming a lot more reliable. We're also seeing an aggregation of more data coming into physical security.” 

“There's a lot more information that we can take now, and we can give a far better view of situational awareness to operators, rather than just expecting them to look at 200 cameras on the screen and hope that they notice something's happening.”

While the wave of new data-driven technologies significantly improves security performance, in order to ensure the maximum degree of security in a data centre site, physical equipment needs to be evaluated for its cyber risks, too. 

As part of your software platform, you are essentially connecting all of these devices onto an open platform. What’s more, you will inevitably need to work together with third parties to install and connect these different pieces of hardware. When this happens, it multiplies the cybersecurity threat. 

“So, we have to build tools within our software to ensure that we are, firstly, ensuring that those products are up to date and don't have any vulnerabilities that we know of. Then, secondly, if they do, we can notify the data centre security department. So, we dynamically monitor these devices, to ensure that they are immediately patched, so that we don't introduce any major risks within the security system.” 

“Again, it's about ensuring that the systems that are in place are trusted. This means that the manufacturers are trusted, and the integrators (the people who are delivering that) are trusted. So, you have that full chain of custody, that full chain of trust.”

“There is no one silver bullet, but what I think we need to do is more due diligence on suppliers that aren't typically IT related. Sometimes, I think physical security is not seen as an IT platform, whereas in reality it's a fully IT system. It is part of the IT system.”


Featured Articles

Anna Pálsdóttir: atNorth’s New Chief Development Officer

atNorth’s data centre portfolio expands with the arrival of Anna Kristín Pálsdóttir, international development expert, to lead continued growth strategy

NTT DATA Celebrates Earth Day with Sustainability Strategies

For Earth Day, NTT DATA has launched its new corporate sustainability strategy, with three pillars focused on Prosperity, Planet and People

Start-up Greensparc Brings Renewable Energy to Rural Areas

Computing start-up Greensparc and IT Service Hewlett Packard Enterprise are supporting Alaska, with 100% renewable energy powered data centres

Equinix and PGIM Real Estate aim to Upscale US Data Centres

Blackstone's Vision for Hyperscale Data Centre Campus

Maincubes Bolsters Leadership Team with Martin Murphy as COO