There are some impressive security procedures in place at data centers, especially large enterprise facilities and colocation data centers. It is not uncommon to see vehicle checkpoints, tire spikes, armed guards, bulletproof windows, cement bollards, and other advanced protective measures.
But when was the last time you heard of an armed incursion of a data center? It is possible. But rather than repel an invading force, a military-grade level of security is largely in place to serve as a deterrent, as well as to make employees and customers in a multi-tenant data center or cloud hosting environment feel confident that the organization is committed to keeping their facility secure.
While a storming of a data center is unlikely to happen, there are some invasive events that happen. But not someone blasting through the gates. Instead, it is not uncommon that someone with some level of approved access misuses that access as they try to get closer to the actual data itself. Yet the security sometimes gets looser the closer one gets to the actual places where data can be accessed.
The majority of data center cabinets can be opened by universal skeleton keys, which are not exactly held under lock and key by the cabinet manufacturers. Yes, this closest ring to the infrastructure is frequently only modestly protected.
Who can get close enough to penetrate a cabinet? Contractors of all types are granted ready access to facilities, sometimes with minimal vetting or supervision, especially once their face becomes familiar in the environment. This is even true of the data center floor.
Security guards are sometimes ex-military or police, but other times are earning slightly more than minimum wage after being hired by outside vendors. It is no surprise that the level of professionalism and commitment frequently corresponds with the pay grade.
If you operate a data center or are a customer in a multi-tenant data center, don’t be lulled to sleep by impressive exterior physical security. Facility access control is important, but if contractors, employees, vendors, and visitors are not properly pre-screened and supervised, problems are likely closer to the heart of the data center, the IT infrastructure itself.