Most organizations are keenly aware of the significant risk of cyberattack. They’re taking steps to prevent unauthorized access to their IT systems and data, and to detect malware and other threats.
Few businesses give as much attention to the physical security of their IT environment, however. Physical security breaches aren’t as common as cyberattacks, so organizations may be more inclined to invest in logical security. Nevertheless, expensive IT equipment can be stolen, tampered with or sabotaged by intruders or malicious insiders. Physical access to systems and devices can give an attacker access to the corporate network.
That’s why many government and industry regulations mandate physical security controls. For example, HIPAA prescribes “physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” The EU’s GDPR requires “appropriate technical and organizational measures” to ensure data privacy, which includes restricting physical access to systems.
Cloud data centers and SOC 2-compliant colocation facilities have robust physical security controls, including video surveillance systems, electromagnetic door locks, and smartcard or biometric access controls. The most sensitive areas may have floor-to-ceiling turnstiles, mantraps and staffed checkpoints as extra layers of authentication. Access will be strictly limited to authorized individuals, and personal mobile devices will not be allowed in the building.
However, many corporate data centers are located in “multidiscipline” buildings that provide office space as well as IT space. These buildings will not have the same level of security as mission-critical facilities. Smaller data centers may not even have dedicated space, with equipment housed in IDF / network closets, store rooms and even spare cubicles. And with the edge computing trend, organizations are putting IT equipment in a wide range of remote locations.
If at all possible, IT equipment should be housed in a space where access can be controlled, ideally by individual access cards so that entry can be logged and audited. Physical access lists and credentials should be managed properly and updated frequently as personnel and job roles change. Visitors should be escorted at all times and their activity logged. Video surveillance cameras should monitor entry doors and the data center space.
Locking cabinets can serve as a last line of defense, and as the primary defense when IT equipment is housed in an office, warehouse or other area where strict access controls are impractical. Both the front and rear doors of the cabinet should have locking handles, and side panels should lock as well. Having doors and panels keyed alike enables quick and easy access to equipment, but keys should be stored securely and carefully managed.
Enconnex offers a line of high-quality server cabinets with solid steel construction and locking doors and panels. Our Office-in-a-Box and Advanced Office-in-a-Box are integrated solutions comprising a secure cabinet and rackmount cooling unit — ideal for offices, retail outlets, educational institutions and edge computing locations. Our multi-bay server cabinets are available in two-, three- and four-compartment configurations, with each compartment secured by a three-digit combination lock with key override.
When it comes to security and regulatory compliance, organizations are rightfully focused on logical controls. However, the most sophisticated security tools are useless if cybercriminals can enter the data center and access or tamper with equipment. Organizations should take steps to protect their IT assets by implementing the appropriate policies, procedures and physical controls. Enconnex can help.