Server rooms can be among the most critical areas of a site. Their security is paramount, so FMs should understand the threats posed to servers and other IT hardware - and what can be done to protect them, says Mike McColl.
20 May 2014
Corporate espionage. Theft. Sabotage. Terrorism. These are all reasons why criminals could target server rooms.
And why it's vital to ensure that the physical security of these areas is high on the facilities manager's agenda.
The consequences of a physical security breach in a server room or similar IT facility can be catastrophic, with damage caused to high value equipment, operational capability and a company's reputation - not to mention its balance sheet.
In 2011, for example, thieves broke into the exchange facility of a major telecomms provider in Basingstoke to steal networking equipment and IT hardware and damaged routing equipment in the process. It resulted in thousands of people being unable to make phone calls or send text messages - and uncertainty over whether personal data had been compromised.
Protecting servers, data and critical IT infrastructure from physical attack is therefore a key challenge for FMs.
Protecting the perimeter
Traditional security measures, of course, still have a part to play in protecting a facility - and these should form part of a multi-layered approach to safeguarding a site. Externally, perimeter fences, barriers, CCTV cameras and security staff can all prevent a physical breach.
Internal affairs
Internally, CCTV, integrated access control systems, appropriately rated security doors and alarms all form part of the defence. Keeping the number of potential entry points to a minimum is also good practice.
But these measures may not be enough to stop a physical security breach in a server room. That's because more traditional partitioning methods will often be used to form such enclosures, using materials such as plywood, plasterboard and insulation held within a timber frame.
These solutions are not certified by an appropriate security body and offer little or no resistance to an attempted breach by determined criminals using high-impact tools such as sledgehammers, disc grinders, jigsaws, and high-powered cutting devices.
Standard brick or block walls are also vulnerable, as their joints can act as points of weakness. Because of onsite delays and the requirement for wet trades, the implementation of these traditional building methods can create huge disruption to a facility and hinder operations.
Any physical security measures - such as wall panels, ceiling panels and locking systems - used to protect critical areas in a facility should be certified by the Loss Prevention Certification Board (the standard is LPS1175) and/or approved by the Centre for the Protection of National Infrastructure (CPNI) to guarantee their quality, suitability and level of certification.
Barrier methods
But even when high-security rated products are used they are often combined with measures that can easily be breached. A door rated to LPS1175 Security Rating (SR) 4, for example, can itself withstand attack from implements such as a felling axe, sledgehammer or drill. But when it is fitted in a poorly specified 'single skin' block wall its level of resistance can be rendered irrelevant.
Facilities managers should therefore carefully consider the quality of a prime barrier when protecting servers, data and IT hardware. A certified, approved system - whether it's a full modular room or partition - will not only protect critical areas, but will also help its operators to comply with insurance requirements.
Security rated composite panel systems can also address the security concerns created by co-location premises, allowing tenant companies to compartmentalise to an increased level of security and protect their IT hardware and data from unauthorised access from elsewhere in a site. After all, companies in co-location premises may have no control over who their neighbours are during the duration of occupancy; so securing partitions may offer them peace of mind.
It is also important to ensure that security measures such as panelling have a hygienic, easy-to-clean finish, as this minimises the exposure of sensitive hardware to dust.
In recent years we have observed refinements in the design of new build premises and retrofit alterations that identify 'mission critical' areas in a site.
These have helped industry decision-makers to simplify the product evaluation process by determining the correct and most viable building methods to be used in a particular environment, and this should be welcomed by facilities managers.
The inner sanctum
All too often, an 'inner sanctum' containing servers, sensitive data and expensive equipment can be left vulnerable to physical attack by haphazard planning, poorly designed security methods and materials that are not fit for purpose. Many of the systems that have been built up on-site may provide the façade of being secure, but may have never been tested - and thus can offer no genuine reassurance.
Just as facilities managers would ensure that a perimeter fence is in good condition, that an entrance door is properly secured, or a CCTV system working correctly, so should they also take the necessary steps to install the best level of protection possible to safeguard server and data rooms. Anything less, and they will leave the most important part of their site extremely vulnerable.
Mike McColl, managing director of Securiclad