Webinar Recap | New Year, New Security

Summary

“This is going to be a slightly uncomfortable topic,” Bill Kleyman, Program Chair of AFCOM and Data Center World, said at the start of our January webinar. “It might make you squirm. But it’s an important one. And we do need to talk about it.”

And Kleyman is right: while it can be difficult to acknowledge your data center’s security weaknesses and vulnerabilities, it’s far better to deal with that discomfort compared to the discomfort felt after losing thousands of dollars and dozens of hours of critical uptime due to an avoidable security breach. According to Genetec’s Mark Fielder, 60% of security failures result in at least $100,000 of loss, with 85% of those failures caused by something simple like employee errors or flaws in the security process.

Fortunately, more and more of the C-suite have started to acknowledge an urgent need to upgrade and bolster their existing physical security systems. AFCOM’s forthcoming “State of the Data Center Report,” for example, highlights that physical security has shot up in terms of perceived importance for a data center’s daily operations. As guest speaker David Ellis of Genetec put it: “Physical security has finally arrived at the C-suite.”

But is it a case of “too little, too late”? “I mentioned that physical security needs in the data center space are changing,” Kleyman said, “but that’s not quite right. They’ve already changed.”

And, during this January webinar, both Bill Kleyman and David Ellis discussed the key ways in which your data center’s physical security must evolve to adapt to these ever-changing security needs.

Merging Cyber- and Physical Security

“What we’re now seeing is a shedding of the old ways and an adoption of the new,” Ellis began, referring mainly to the growing pains that many data centers have experienced as they attempt to seamlessly integrate physical security systems with their cybersecurity counterparts. Much like the trial-and-error process that most companies experience as they attempt to merge physical data center processes with the cloud, the act of seamlessly “hybridizing” your cyber- and physical security systems can be tough to accomplish within a tight timeframe.

The key first step to this process, Ellis argued, is for security directors to take a thorough look at their existing infrastructure and identify which security gaps need to be filled ASAP. Often, this so-called “gap” exists not due to a lack of detection capabilities, but rather due to user error. In short, physical security systems tend to be quick to detect but slow to react. And that might be due to an existing skills gap, talent shortage, and overall burnout experienced by employees in the physical security space. “Right now, I’d say the shelf-life of a standard physical security officer is about six months,” Ellis claimed.

So, in many ways, the simplest and yet most effective thing that data centers can do to start improving their security is hire the right people who have the know-how to merge physical and cybersecurity, and provide existing employees with the knowledge and resources they need to make smart and secure choices in their daily work routines. Consequently, employee policies might also need to be updated. “For example, it’s important to look at who has access to critical areas in the data center, and see how I’m monitoring them whenever they do visit these areas,” Ellis said.

Integrating Efficiency with Efficacy

The process of integrating new physical security measures should also be seen as a means of improving efficiency in other areas of a data center’s daily operations. David Ellis cites as an example the incorporation of edge networking and automation (including a modbus, OPC, BACnet, or other protocols) in a particular data center, and the effect it had on a security guard’s daily routines. While the edge offered increased detection and data-gathering abilities for the data center, the data center didn’t bother to update its current physical security policies in response, creating enormous amounts of redundancy.

“I saw this security guard go around every day and record the temperatures of, like, 40+ different racks,” Ellis explained, “while the technology the data center recently installed was already doing that for them! So this security guard was taking a huge detour from patrolling the data center’s perimeter for no reason at all.” According to Ellis, the guard could’ve saved over two hours of his time if his supervisors had changed his daily security tasks accordingly.

How do you prevent oversights like this from occurring? Both Kleyman and Ellis recommend not skimping when it comes to hiring a security consultant, who will be able to identify such gaps or redundancies as part of their overview of the data center’s physical systems.

Kleyman also recommended “Federation” or “Identity Federation,” which can help create a highly unified architecture out of a bunch of disparate systems, including license plate analysis and other surveillance methods. While, traditionally, the idea of “Federation” or “Federated Architecture” isn’t usually associated with a data center’s physical security, it’s becoming increasingly popular as a tool to adopt when incorporating many new and emerging technologies into your security systems and processes.

"Education Isn't Enough"

The time for mere “security awareness” is long past, both Kleyman and Ellis declared at the end of the webinar. While, of course, educating employees on proper security protocols is essential, it isn’t enough to thwart any and all potential security breaches. “I cannot emphasize enough: do your homework,” Ellis explained. “But make sure you follow through with actual actions.”

Indeed, a common theme throughout this chat was the fact that the data center industry is relatively quick on gathering and analyzing data, but relatively slow on reacting to it. It isn’t enough to be aware of the gaps in your security. Those gaps need to be filled immediately. Even outside events, such as a substation blackout, can have devastating ripple effects on your data center. It’s important for your security to be appropriately fortified to resist any type of possible breach—and information alone won’t be enough to accomplish that.

If you have the security-related information you need, but need to learn more about the options and actions that you can pursue in order to make your data center a safer place, check out the full recording of this webinar on AFCOM’s website.

AFCOM has made a full recording of this webinar available to AFCOM members. To view it, simply click here.