

This Is How You Handle Data Center Security - SRSimko
http://blog.virtacore.com/blog/2010/7/26/this-is-how-you-handle-data-center-security.html

======
Construct
I once toured a similar facility, complete with hand scanners and airlock-
style double doors throughout the facility. After going through countless
layers of security we reached the deepest, most secure section of the data
center where the most sensitive servers were housed. On the opposite side of
the room there was a fire escape door propped wide open, leading straight
outside into the sunlight.

Our tour guide, who was an investor in the facility, explained that the
employees really hated going through all of those scanners and double doors,
so in the morning they just prop the back door open. If a customer or
potential customer comes for a tour, they make sure to close the door.

The other highlight of that visit was the generator room, complete with some
truly massive diesel storage tanks. Our guide (the investor) proudly explained
that they could run the facility for several days in the event of a natural
disaster which knocked out power to the facility. Out of curiosity, I knocked
on the side of one of the tanks, only to be greeted with a hollow echo sound.
The investor then explained that the tanks are mostly empty, but they'd fill
them up if they thought a natural disaster could occur.

~~~
ratsbane
I wondered, reading the original article, how many of the security measures
were to impress potential clients and investors and how many were really there
to keep bad people away from the boxes.

~~~
andfarm
I'm guessing it's mostly the former. The sort of attack which involves -- for
instance -- fake IDs and/or ninjas crawling through the ceiling is relatively
rare, especially compared to online attacks (which are a more serious threat
anyway).

------
moe
That guy apparently hasn't been to many datacenters.

Hand-scanners are pretty standard, as well as RFID photo-cards + PIN, video
surveillance and a good anti-fire system. It's pretty much the baseline of
what you'd expect for a building that houses several millions worth of
hardware.

The man-trap does indeed seem extra (haven't seen one myself), but I'm a bit
wary about the value it adds beyond certain James Bond scenarios...

Moreover if you're really paranoid about physical access then you'd better go
to one of the underground facilities like those in abandoned bank caves or
bunkers.

Your standard warehouse-type datacenter usually has walls so thin that a
dedicated thief could trivially flex through them in a minute, after climbing
over the (often not very high) fence. Sure, he might set some alarms off in
the process, but I wouldn't bet my $treasure on the single underpaid guard
that commonly serves the nightshift in these buildings...

Yeah, got a bit carried away here, but we were talking James Bond scenarios,
right?

~~~
SRSimko
Yes, I would agree for first-class data centers this is groundbreaking but
not all services are hosted in such facilities. How many DIY data centers have
dedicated security?

------
aarongough
I _really_ don't like biometric authentication. As has been said before it's
kind of like using your username as your password. Simple ownership is
presumed to be enough data to prove you belong.

Additionally I (personally) think it's a problem that the authentication
method can't be changed. You can have new keys cut, you can change your
password, but it's unlikely you'll ever get new handprints.

For me there's also the factor that it places the access holders at additional
physical risk. I read an article a while ago about a guy that had a car with a
fingerprint scanner installed... Carjackers wanted his expensive car, so they
cut off his finger, stole his car and left him. Personally I would rather
someone just took my keys.

------
absconditus
Years ago I worked for a company that used Exodus and the facility in which we
rented space was very similar. The only problem was that all of their security
could be bypassed if one entered through the delivery doors, which is how one
brought new equipment into the facility. There was no man trap there and if
one brought a cart of equipment in someone might even hold the door open.

------
sloak
Is there no weakness in depending on the same hand scan systems so many times?
It appears a single point of failure.

~~~
SRSimko
One cannot gain access to the facility with a hand scan alone. There are
special badges and challenge requirements.

~~~
pavel_lishin
> challenge requirements

I'm imagining an American Gladiators room.

~~~
trafficlight
I'm starting a petition to add a tennis ball cannon to my datacenter. When you
pull into the parking lot, the cannon starts shooting until you get to the
door.

------
eli
Seems kinda gimmicky. Is securing a datacenter terribly different from
securing any other sensitive building?

~~~
datasink
The article mentions the same firm that designed the security system for this
data center also designed the security system for "the Federal Reserve
System".

It's gimmicky, but I have to imagine it impresses potential customers.

