KEY Facts About Data Center Security and Compliance

How easy is it to gain access to a data center cabinet? One “key” fact will give you pause if data center security and compliance are important to your organization.

Possession of the data center cabinet override keys from three major manufacturers, which are not difficult for anyone who does business with those companies to obtain, can open an estimated 70% of the data center cabinets in the US. That is one of the more interesting facts shared with us by Aldon Blackwood, former product manager for E-Line by DIRAK, a manufacturer of smart handles for data center cabinets.

Aldon speaks with end users about data center security on a daily basis, and has a unique perspective on the security and compliance needs of enterprise, corporate and government clients. He shares his thoughts and experiences on various forms of multi-factor authentication at the cabinet handle, with a specific focus on creating an audit trail of who actually gains access to servers and other IT infrastructure at the data center cabinet level.

Transcript

Kevin O’Neill, Data Center Spotlight: This is Kevin O’Neill with Data Center Spotlight, and this podcast interview today is a key story about data center security, and I have with us today Aldon Blackwood. Aldon is with E-Line by DIRAK, he’s the product manager for the E-Line by DIRAK data center security solution. Aldon, thanks for joining us today.

Aldon Blackwood, E-Line by DIRAK: Thanks for having me, Kevin.

Data Center Spotlight: Aldon, tell us a little bit about E-Line by DIRAK and what it is you folks do.

Aldon Blackwood: So, E-Line by DIRAK has been around for roughly 15 years, and we manufacture asset control and physical security devices, specifically designed to integrate into data center cabinets, and data center racks.

Data Center Spotlight: That doesn’t sound like a bad business to be in right now.

Aldon Blackwood: It’s not too bad. The understanding and the need for this type of physical security is honestly growing day by day. 15 years ago, it probably wasn’t in the mindset of a lot of people, but now people are finding it’s kind of the last vulnerability in their otherwise seemingly perfect security solution.

Data Center Spotlight: Now, when I talk about you having a key story about data center security, it involves the keys themselves. I’ve done some work with you guys over the past few years, and one of the more interesting things that you’ve taught me, Aldon, is that there are I think about three override keys, or skeleton keys if you will, from the top three data center cabinet manufacturers, and these keys are not difficult to get your hands on if you’re doing business with them, and if you have those three keys from the manufacturers, you can essentially get into more than half of the data center cabinets that are out there right now, is that an accurate statement?

Aldon Blackwood: Yeah, it’s honestly probably more around 70% of cabinets that have an easily overridable key. There are standard keys that really cross over all the cabinet manufacturers, which are very interchangeable, so it doesn’t give you an increased level of security if you mix and match your cabinets because they’re all keyed pretty much the same, and even the ones that aren’t keyed the same usually have a master key which can override everything.

Data Center Spotlight: If I’m responsible for the security of a data center, and I know that there’s a 70% chance that someone with these three keys that is inside of my data center can get into any cabinet I have, it would probably make me a little bit uncomfortable.

Aldon Blackwood: Well, it should. The approach has typically been bury your head in the sand, and then hope that nothing happens. We would like to hope that people strive for a little bit better than that.

Data Center Spotlight: Let’s get into the specifics of your security solution in a little bit, but first I wanted to talk to you about, what are some of the mistakes companies make in regards to their data center cabinet security? I know that you see a lot of different layouts, and a lot of different data centers. What are some typical mistakes in the design and operations of a data center that compromises the security of that data center, particularly if you’d like to focus on the cabinet levels, since that’s where you guys do focus?

Aldon Blackwood: I think the best place to start would be really, people need to focus on the basics first. What cabinet are you purchasing? A lot of cabinets have been getting thinner and thinner in terms of the sheet metal used, which creates a much flimsier design. Most people might think that this isn’t a big deal, however it leads to wide variances in tolerance of the cabinet, which can make it very difficult to operate a traditional security system because those tolerances don’t lend themselves well to putting in things like door contact sensors and other sensors which will alert you when people open that cabinet door. The other thing people should really think about is, how many points of latching are on that cabinet door? A lot of manufacturers have stripped down just to the bare bones single point cam, which really doesn’t give you a lot of security, since it’s easy to pry it open from either the top or the bottom.

Data Center Spotlight: And when you talk about the ability to get in, let’s move away from that and let’s talk about even if you did have a key security solution. If someone can just get a key, unlock it, open it, and close it again, it strikes me that it doesn’t really help you from a compliance perspective, because in a lot of industries right now it would certainly be necessary to know who is getting access to your IT infrastructure and your servers, when they had access to it, etc. Is that the case?

Aldon Blackwood: A lot of people satisfy those compliance standards by building a lot of cages and really space-invasive kind of products to isolate their servers and their equipment away from the general population and so they can mandate access to those areas but they don’t necessarily control who goes into which specific cabinet in that cage.

Data Center Spotlight: I would imagine that would be a fairly significant issue if there are different areas of a company sharing the same data center infrastructure. I would imagine it would certainly be an issue in a multi-tenant data center environment.

Aldon Blackwood: It’s a huge issue in both. You often see for healthcare industries, for example, their IT budgets aren’t huge, so their data centers are more of a data closet setup, and there are wide ranges of people that are allowed access to it and have assets in that area, but they don’t really offer much control as to who’s going into what equipment outside of letting people in and out of the door.

Data Center Spotlight: And I remember talking to a military customer of yours, a federal customer of yours that had a facility that had a lot of people coming and going. The design of it wasn’t ideal at all, but there was nothing they could do about it. The facility was what it was, they had a fairly important data center right in the same area as some other important stuff they had going on, and the vast majority of the people in that environment didn’t really belong in the data center and shouldn’t have access to the data center, and he seemed to be pretty pleased with you guys. Can you tell us a little bit about that situation, and the solution that you were able to offer him, and what it did for him? Because it struck me as maybe being a fairly similar situation to what a lot of people are dealing with when you talk about people who have a data center closet, or otherwise have data center and IT infrastructure that is intertwined with an office or operations environment.

Aldon Blackwood: It’s really a cost-benefit analysis, for the most part. They looked at the cost of, well, can we make an addition on the building? That’s pretty expensive. Can we put the cages in? No, we don’t have the floor space to put the cages in. Can we occupy greater space in the building? No, that space is already reserved for other people. So, when you look at all the factors, the problems that they had, the solution solved pretty much all their problems because we could go in and retrofit our access control product to their entire existing cabinet line that was in place. There was no re-racking involved, and it was a very minimally invasive deployment, but they got to maintain individual cabinet control regardless of who entered the actual white space floor.

Data Center Spotlight: Let’s talk about a multi-tenant environment; that was a single user environment with a lot of people coming and going. I had someone with a multi-tenant, I’ve heard versions of this story two or three times, including fairly recently. Multi-tenant data center operator, a contractor shows up to do some work on a company’s IT infrastructure, servers or whatever, and they say, all right, here you go. They give them access to a cabinet that is actually occupied by a company with a similar name, but not the same name. The guy goes in and does some work on a server. It’s not exactly what he expects to do, but he thinks he’s able to work it out. So a company has work done on infrastructure that’s not theirs, in a multi-tenant data center in a colocation environment. Obviously, that’s a significant issue. How can someone address that issue using your product?

Aldon Blackwood: We try not to tell people that our product offering is a security product only. We try to encourage our users to really incorporate the access control parameters into all aspects of their change management, so that in your scenario where the escort leads them to the wrong cage and the wrong cabinet, if their change management was done correctly with our access control platform put in place, then they would have approached the cabinet, shown their RFID badge and entered their PIN, and they would have been rejected, and they would have gone back to the main desk and figured out why, and realized that they were going to the wrong cabinet.

Data Center Spotlight: That’s just something that if I’m in a multi-tenant data center, or I’m operating in a multi-tenant data center, you can easily see how that would happen. Are you getting some traction in the colocation environments?

Aldon Blackwood: It’s growing, for the most part. We’re seeing the colocations are starting to understand that by using a cabinet level security product like ours, they can eliminate all of the cages and optimize their cooling, optimize their floor space usage, get easier distribution of equipment. It just makes things a lot nicer than cutting your whitespace up into so many different sections.

Data Center Spotlight: We’ve got a couple of different environments. We talked about the military example, where they couldn’t retrofit what they were doing to give them the level of security and control that they needed. We talked about a multi-tenant data center environment. What are some other data center environments where you’re finding a lot of use for your product? Even in private data centers, or even cloud data centers with only a single tenant that are owned and operated by those people, are they utilizing your product, and if so, why are they doing that?

Aldon Blackwood: We’re really seeing the whole spectrum. We see everything from Fortune 500 companies who are looking to protect critical assets and intellectual property, financial institutions, really everything. There’s no one catch-all problem that gives people the reason to install our product, which is why we’ve had to create a versatile enough product to solve a myriad of problems, so we can solve everything from the secure military facility like you mentioned, to the colocation provider that’s really only trying to give their customers an audit log of everyone who goes into that cabinet.

Data Center Spotlight: When you talked about the audit log, I would imagine the growing compliance demands on everybody, is probably creating some demand for your product as well.

Aldon Blackwood: It definitely is, we’re seeing more PCI regulation leaning towards something like this, HIPAA is leaning towards something like this. No regulation at this point is specifically saying, you need a 1:1 audit log on data center cabinets, but I wouldn’t be surprised if we didn’t see that in the near future.

Data Center Spotlight: You mentioned in the process of utilizing your product, it sounds like you can’t just show up with an ID card to get in. It sounds like it’s a multi-factor approach where they have to do a couple of different things to show that they belong in that environment. Is that the case?

Aldon Blackwood: Sure, we have single-factor authentication handles where you simply present your card, your credential, and it’ll scan it and let you into the cabinet if you have been granted authorized permission during a given time of day, day of week, week of month, things like that, but we also have multi-factor handles as well where you have to show your card and also enter your PIN, as well as a two-person rule where two people have to enter their set of credentials before the cabinet will open.

Data Center Spotlight: That takes it to another level for a particularly secure environment.

Aldon Blackwood: Yeah, I think it’s also important to mention that our handles completely eliminate that key problem we were talking about earlier. We’ve built in enough backup redundancies into the handle from a localized storage aspect as well as an external power component to it, and so we don’t have a key override on our handle, because our handle functions when the network’s down, and when the power’s down. It seems a little absurd to me that people would replace an existing key, or key and combination handle to an electronic one, that still has that same risk which is a manual override key.

Data Center Spotlight: Another thing your product does, which I found to be interesting, is it can give the manager of a facility, with a dual factor authentication, full access into all the cabinets for the person who runs it, and in a multi-tenant facility it can give access to a single cabinet; it can give people different levels of access as well. It can give the contractor who shows up on Tuesday afternoons access only from 2 to 6 pm local time on Tuesday. I thought that was pretty compelling, can you tell us a little bit more about some of the different levels of access, and the different permutations that you can create to protect a data center cabinet?

Aldon Blackwood: Sure, not to get into a full product spiel, but yeah, the solution is highly granular in the sense that you can pretty much infinitely customize who has access to it at what times, and what days. You can get down to making special requirements for holidays, and things like that. It meets pretty much all the checkboxes that you would expect out of a robust security platform. We do have two different ways of managing the handle: we can have it managed through security, through their typical building management system. We find most data center managers want to control the access to the assets that they’re in charge of themselves, so we have turnkey software as well that is really tailored towards data center managers, so that they can incorporate this into their change management and really own the assets that they have.

Data Center Spotlight: I would imagine you’re talking to a wide range of people, with a wide range of responsibilities within organizations, so are you dealing more with operations people, are you dealing with security people, are you dealing with legal? Who are the people you’re largely dealing with?

Aldon Blackwood: It’s really anyone and everyone, I kind of said earlier that we can’t tell people what the problem is, they need to really think about their organization, what their risk is, and we’re approached from all of those you listed.

Data Center Spotlight: Well Aldon, in talking to these people with these varied responsibilities within these organizations, what’s new? In 2016 so far, what are people concerned about, and asking you about? What are the trends and the concerns of companies regarding their IT infrastructure and their data center security?

Aldon Blackwood: We hear it over and over again, and it’s honestly probably the simplest answer, and that is, I want to know who and when people go into my cabinets, and it’s not an unreasonable expectation.

Data Center Spotlight: No, it’s not an unreasonable expectation, I would imagine you hear some interesting stories about what people have pulled off in a data center, without any names or companies, or organizations attached to it, can you tell us of a story that you’re privy to that would be a little interesting?

Aldon Blackwood: I have more horror stories than you can imagine. A recent one would probably be a video surveillance company. They had all of their equipment in a rack and they did not have a proper access control system set up, so an unknown individual entered the facility through the loading dock and found where the video cameras were stored in that rack, and he opened the rack right up with a key, and then he turned off all the video recording equipment, and then lo and behold, $200,000 worth of equipment and material from the warehouse had gone missing. In that instance, the company had no idea that the rack had been opened because they were more of an after the fact forensic monitoring unit, and not-

Data Center Spotlight: They didn’t have someone sitting there looking at 20 monitors, 24/7/365.

Aldon Blackwood: Sure, yeah, exactly.

Data Center Spotlight: It’s interesting, for the entirety of this conversation I’ve been thinking about the intellectual property loss, and the operational problems that can come along with accidental entry. I’m thinking of data loss, and that sort of thing. I’m not even thinking about some of the physical theft that can take place, and the financial damage that would happen there.

Aldon Blackwood: It’s one of those things where it really encompasses both physical loss as well as data loss. We focus as an industry so much on cyber that eventually physical will become the weak link, and the person that wants to harm you, or steal something from you, is going to look for the weakest link in your system.

Data Center Spotlight: That is an excellent point, and that is a point from someone who is talking to a lot of people about the security and the compliance of their data centers on a daily basis. Aldon, I appreciate your time today, you’ve taught me a lot over the past couple years about data center security, and buttoning things up at the cabinet level, and using it to support your audit and compliance needs, and I appreciate the time you’ve spent with us today. If someone wants to have these conversations with you, what’s the best way for them to get in touch with you?

Aldon Blackwood: Best way is probably to reach out to us on our website, it’s elinebydirak.us.

Data Center Spotlight: elinebydirak.us, and it’s Aldon Blackwood at E-Line by DIRAK if people want to connect with you on LinkedIn.

Aldon Blackwood: Yeah, exactly.

Data Center Spotlight: Aldon, thank you so much for your time today, I look forward to having discussions about this issue with you again in the future.

Aldon Blackwood: Yeah, until next time.