Hands off! Securing colocation centers

Products and methods deployed inside a colocation center can prevent other customers from damaging or compromising your equipment.

May 1st, 2004

Colocation—the housing of network equipment for various customers—exists in a variety of business models and sizes. Some colocation centers own and lease equipment to customers, while others either provide reliable space, power, and network connection for Web server hosting or offer complete outsourcing and disaster recovery solutions. Regardless of the business model, quality colocation centers strive to provide reliability, scalability, and fail-safe security.

Disaster recovery issues

"The amount of security required really depends on the business model and specific clientele of a colocation center," says Andrew Graham, director of data center solutions for Westwood Computer Corp. (www.westcomp.com), a provider of data center consulting and design services. "Centers that provide low- to middle-tier Web hosting typically do not need the higher-level security required for those that host entire IT infrastructures or replicate critical data for disaster recovery purposes."

According to Graham, the need for physical security is increasing because more companies are setting up disaster recovery sites or outsourcing their entire IT operation at colocation facilities. "Maintaining a data or disaster recovery center can be a costly measure for companies whose main focus is not IT, but is in making a product or selling a service."

Because hundreds, or even thousands, of customers could pass through a colocation center, security measures typically include some form of access control, surveillance, or a combination of both. Although the most common access control method is card access, some centers have increased security by deploying biometric access control, sign-in sheets, CCTV cameras at entrances, and mantraps (hallways with secured doors at each end to prevent an unauthorized person from following a customer through a doorway). But even in the most secure colocation center, the possibility still exists for customers to damage or compromise other customers' equipment—maliciously or accidentally.

"While customers need to look at building and facility access, they should also be concerned with physical security inside the center and at the cabinet level," says Graham. "In a colocation environment, shared access is inevitable. Even if only authorized customers gain access to the facility, it does not necessarily guarantee protection of data and equipment."

Lockable alternatives

Within the colocation center, secure cabinet solutions combined with surveillance methods help ensure that customers only have access to their specific equipment. "Even in smaller colocation environments, we've seen open racks migrate to lockable colocation cabinets due to a heightened concern for security," says Scott Steele, VP business development and marketing, NER Data Products, Inc. (www.nerdata.com).

According to Steele, most colocation centers require greater security than a standard cabinet key lock: "A cabinet key lock system is typically a 3- or 4-pin system, so there is still the chance of a key opening another cabinet."

Security at the cabinet level is implemented with a scaled approach, and colocation centers need to weigh the cost advantages of standard keyed systems against those of higher-end electronic locking technologies. "If the center is only looking to make it more difficult to get into someone else's cabinet, a standard cabinet key lock is fine," says Steele. "But if security is more of an issue, then independent keys with one master key is the next option."

Keypads and swipe cards are implemented for even better cabinet security and, according to Steele, the keypad is the first level of being able to understand who was in the cabinet. Stand-alone keypad locks can let facility managers download a certain number of events at the cabinet, while higher-end electronic locking systems can be networked to a monitoring station. "We've had some requests to investigate biometrics at the cabinet level, but the highest cabinet security right now is electronic card access tied into a network system," says Steele.


Available for its MegaFrame family of cabinets, Chatsworth Products' electronic locking systems include keypad locks or AC-powered swinghandle locks with keypad or proximity card reader.

Chatsworth Products, Inc. (www.chatsworth.com) offers electronic locking systems preinstalled on both the front and rear doors of its MegaFrame cabinets as an alternative to the standard keyed lock. "The Digilock electronic keypad is a self-contained, fully programmable lock that can be opened with a user code, electronic user key, or combination of both," explains Ian Seaton, market development manager. "The battery-operated locks can be managed with an optional software programming kit that allows for recording access events and setting specific access schedules." Available with a keypad lock or proximity card reader, Chatsworth's AC-powered Dirak Electronic Swinghandle lock can be operated individually or networked for remote operation or real-time monitoring.

Cabinet confidence

Locking solutions are the obvious method for cabinet security in a colocation center, but cabinet features such as overall robustness, locking side panels, hidden hinge mechanisms, and secure cable and thermal management also play a role in providing physical security. "I've seen cabinets where a locked door can be lifted off the hinges and rotated to provide access to the cabinet, and that's why hinges must be hidden inside the cabinet," says Seaton. "There is a trade-off, however; with outside, exposed hinges, users get a 180-degree door swing—but we don't recommend that design for any high-security environment."

In multi-compartment colocation cabinets, which are ideal for smaller Web-hosting environments, separate thermal and cable management can help ensure compartment security. Compartmentalized colocation cabinets achieve thermal management from front to rear, rather than the top-to-bottom approach seen with single-compartment cabinets. Chatsworth Products' compartmentalized E-Series ISP Colocation cabinet, for example, features patented enclosed raceways for each compartment that run between the equipment mounting areas and side panel.


NER Data Products and Chatsworth offer HID Corp.'s Dirak AC-powered swinghandle lock with proximity card reader. HID Corp. is the largest manufacturer of access-control readers and cards for the security industry.

During the "dot-com" craze, several cabinet manufacturers introduced multi-compartment colocation cabinets because many customers only needed rack space for two or three pieces of equipment. "Compartmentalized cabinets were once the rage, but that has waned," says Brian Mordick, RCDD and senior datacom product manager for Hoffman (www.hoffmanonline.com). "Although servers have gotten smaller, full-size single compartment cabinets are more central to the colocation center market. Customers still don't feel secure sharing a cabinet, and nobody wants the top compartment because it sees most of the heat from the network equipment below."

Hoffman's Proline cabinets, available with either single or multiple compartments, can also be configured with a choice of handles, key locks, keypads, and electronic locks to meet customer security needs. "Customers continue to demand security options at the cabinet level," says Mordick. "Our exterior panels are also secured with tamper-proof fasteners."

Alternate solutions

According to NER Data Products' Steele, remote access control and environmental monitoring solutions offer several benefits and support a physical security aspect for colocation centers by reducing the number of people entering the facility.

"It used to be that when there was a failure, the customer had to go into the data center," says Steele. "With remote software solutions, users only need to enter the center if it's a hardware issue." NER Data Products, for example, provides IP solutions that let customers manage their systems from a remote location, even down to the BIOS level.

Steele says that more colocation centers are providing separate monitoring rooms for customers to access their equipment without needing physical access to the cabinet: "A dramatic shift in the density that people place in their cabinets has led to cabling, power, and thermal management issues, and remote access and monitoring also allows users to check load balancing, current draws, temperature, and activity taking place in the cabinet."


Hoffman's Proline-CL colocation cabinet can be configured with one to four separate and secure compartments, and is available with various key lock options.

Hosting and maintaining Web sites for customers like Boeing, the NFL's Seattle Seahawks, and University of Washington Medical Center, Adhost (www.adhost.com) implements another level of physical security. "For maximum security in our center, our customers do not have keys to their cabinets," explains Kurt Widmann, Adhost sales manager. "We physically escort each customer from the front security desk to the cabinet and unlock the cabinet for them. This policy has been maintained since the company's inception, and we combine it with perimeter and interior electronic access control, video monitoring, and 24/7 data center staffing."

With secure cabinet options, CCTV, and other physical security measures helping prevent customers from accessing others' equipment, network security remains more of a concern than physical security among colocation customers.

"In most colocation environments, you need a card to gain access to the facility, then you may need a card to get into your specific area, then you need a key or code to get into your cabinet, and all the while someone is probably watching you on CCTV," says Steele. "When you look at it from a physical security standpoint, the likelihood of someone gaining unauthorized access to your equipment is much less of a risk than viruses or someone hacking into the system."

Reliability and business continuity have been reported as the main concern among colocation customers, with scalability and ease of implementation a close second. "Security is really a part of the number one concern," says Steele. "If I have a great concern about business continuity, then I also need to be concerned about proper security at every level—including the network, the building, the facility, and the cabinet."

Betsy Ziobron is a freelance writer and regular contributor to Cabling Installation & Maintenance. She can be reached at: bziobron@comcast.net


Standards and data center security

The TIA TR-42.1.1 subcommittee is developing a data center standard that deals mainly with facility, network, and cabling design for data centers, computer/server rooms, and similar spaces. The second draft of the standard, which will become TIA-942, was released for industry ballot in July 2003, with final approval expected sometime this year or next. Its purpose is to enable planning during the early stages of data center development by providing specifications for data center cabling, pathways, and spaces.

"Data center standards have to make sense and be application-based because not everyone is doing the same thing—it's amazing to see the differences among colocation centers," says Scott Steele of NER Data Products. "My concern is that we may acquiesce on certain areas, which ends up affecting the ability to properly design a center based on each center's specific business model."

The current TIA draft standard provides several best-practice facility specifications but does not appear to include specific security requirements for colocation centers. Some consider that a plus. "Security specifications in the standard would offer little benefit since security issues vary from customer to customer," observes Hoffman's Brian Mordick. "What the CIA, NSA, and Department of Defense require is completely different than what the medical and financial industries require, and many of these industries will not likely share their confidential specific security standards."—BZ
