However, one issue that hasn’t received much time in the spotlight lately is that if you take measures to protect your data against an online breach but fail to make sure your physical data center is secure, you’re still susceptible to a data breach. After all, even data stored in the cloud resides in a physical data center.
Whether you store your data in a self-managed on-site facility or outsource it to a data vaulting vendor, you need to take adequate steps to protect the hardware containing your data against physical intrusions.
Restrict Access to Data Center
The Corporate Compliance Insight blog relates an account of a software company that went out of business after its backup tapes and a server containing all its database data were stolen. Over the weekend, thieves had jimmied the lock to the double front doors through a gap in the entryway. They simply entered the data center, whose door had been left propped open to provide better temperature control.
This company’s experience demonstrates that in the same way you encrypt data to deter cyber attacks, you need to protect the physical area in which your racks are stored with secure door locks and make sure the doors remain locked at all times.
Implement Rack-Level Access Controls
Data center security breaches don’t always happen after hours. One of the easiest ways to gain unauthorized access to a data center is by tailgating, where a visitor follows an employee into the facility.
For an additional layer of security, consider implementing access controls at the rack level. If you store your data at a colocation center that manages data for multiple clients, be sure you’re aware of how they secure the rack space containing your servers.
Take Precautions Against Insider Theft
In 2013, insider data breaches rose 80 percent as compared to 2012. To protect your data against physical security breaches, secure keys in a high-security electronic key control system that can restrict key access at both the user level and key level.
For example, some key control systems control user access through features such as fingerprint readers for biometric authentication, dual login requirements, motion-activated security cameras and manager-defined user permissions profiles.
At the key level, many electronic key control systems will sound an alarm or send a text or email alert if an employee attempts to remove a key they’re not authorized to have. Other systems, such as the KeyTrak Guardian, can even physically lock down keys so only authorized employees can remove them.
Use Automated Key Control Reporting
When performing routine physical security audits, key control logs are essential to determining how keys are being used and identifying potential security issues. An electronic key control system can automatically produce a 100 percent verifiable audit trail. This eliminates the element of human error that’s inherent in manual key control logs.
Automated reporting is also useful in that you can choose to receive an email or text alert in the event of a security breach, at which point you can run the necessary reports to investigate the issue.
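As an added example (not from the original post or from any vendor's software), the following Python script shows the kind of review an exported key control log supports during an audit: it flags denied removal attempts, checkouts outside a user's permission profile, after-hours checkouts and keys that were never returned. The CSV columns, user names, key IDs, permission profile and business hours are all constructed assumptions.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample export; columns and values are assumptions, not a vendor format.
SAMPLE_LOG = """timestamp,user,key_id,action
2024-03-04T09:12:00,alice,RACK-A1,checkout
2024-03-04T09:48:00,alice,RACK-A1,return
2024-03-04T14:05:00,bob,RACK-B7,denied
2024-03-09T23:40:00,carol,RACK-A1,checkout
2024-03-10T00:15:00,carol,RACK-A1,return
2024-03-11T10:02:00,dave,CAGE-3,checkout
"""

# Hypothetical permission profile: which keys each user may remove.
PERMISSIONS = {"alice": {"RACK-A1"}, "bob": {"RACK-A1"},
               "carol": {"RACK-A1"}, "dave": {"RACK-B7"}}
BUSINESS_HOURS = range(7, 19)  # assumed policy: 07:00-18:59, weekdays only


def audit(log_text, permissions):
    """Return (timestamp, user, key_id, finding) tuples in log order."""
    findings, open_checkouts = [], {}
    for row in csv.DictReader(StringIO(log_text)):
        stamp, user, key = row["timestamp"], row["user"], row["key_id"]
        when = datetime.fromisoformat(stamp)
        if row["action"] == "denied":
            findings.append((stamp, user, key, "denied removal attempt"))
        elif row["action"] == "checkout":
            if key not in permissions.get(user, set()):
                findings.append((stamp, user, key,
                                 "checkout outside permission profile"))
            if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
                findings.append((stamp, user, key, "after-hours checkout"))
            open_checkouts[key] = (stamp, user)
        elif row["action"] == "return":
            open_checkouts.pop(key, None)
    # Keys still checked out at the end of the export have no matching return.
    for key, (stamp, user) in open_checkouts.items():
        findings.append((stamp, user, key, "key not returned"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, PERMISSIONS):
        print(*finding, sep="  ")
```

A checkout that succeeds for a key outside the user's profile is worth the most attention, because it suggests the permission profile and the system's enforcement have drifted apart.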
For more physical security best practices, read our post "The Four Layers of Physical Security."