Risk
10 Physical Threats That Could Shut Down Your Data Center
It’s tempting to frame every data center threat as a cybersecurity issue — especially in a world dominated by malware, ransomware, and DDoS attacks — but overlooking physical security at the site that houses your organization’s computing power is a costly mistake.
Unauthorized physical access can be just as damaging as a digital breach, if not more so. Physical threats have the potential to cause extended downtime, data loss, and regulatory violations. Protecting your infrastructure means addressing both digital and physical vulnerabilities with equal vigilance.
Your data center is the nerve center of your organization. Such a critical asset must be protected.
10 issues facing data centers right now
Physical security is an important issue for data centers: Data center security encompasses physical security concerns as well as digital worries. Organizations need to make sure their data centers, or data rooms, are physically secure. That means ensuring the doors are controlled, the climate is controlled and the room itself is safe from issues like water leaks or other incidents that can damage servers. Don’t just focus on the cyber side of security.
Increased energy consumption: Driven by the growing adoption of AI, rack density is increasing. Current research places rack density at 16kW/rack compared to 7kW/rack in 2021, and experts expect it to keep rising. With more servers generating heat, data centers need to update cooling, airflow, and sensors to ensure that all servers keep working safely.
Supply chain issues: Data centers rely on complex, global supply chains for hardware as well as for energy. In some cases, supply chain problems have led directly to outages. In addition, concerns are growing over tampered or counterfeit equipment, embedded malware, or devices with backdoors installed before delivery.
Political unrest: Given their centrality to digital infrastructure, data centers are now more likely to be targets for protests, vandalism, or acts of civil disobedience, especially those owned by controversial companies or involved in politically sensitive industries.
Many organizations are complacent about access control: As a security consultant, the top problem I’ve seen in nearly every single organization with a data center is access control. Almost all organizations use the same access control on their data center that is used throughout the whole facility. The data center should be on a separate access control system, so that if the organization’s access control is compromised, the data center is still secure.
Power outages: You cannot simply rely on the electrical grid to power your servers. Make sure you have a backup power source, and a backup for that backup. Servers take a long time to boot up – and if your servers are down for a long time, that means a huge interruption of productivity and revenue.
Unvetted contractors: If you use contractors to service your data rooms, use the same vetting process you use for hiring employees, if not a tighter one. I’ve learned that many organizations don’t have a strong hiring process, and often, for contractors, it’s even worse. Don’t assume the company you’re hiring a contractor from has completed background checks or spoken to references. If they’re going to be in your data center, vet them thoroughly.
Companies don’t always consider hazards when they build your data center in. Ty Richmond, president of Allied Universal and a member of the CSO Risk Council, tells a story in the council’s book, A Culture of Risk, about a data center built in Georgia by a company based in California. The building was designed using Californian standards and didn’t take into account the fact that Georgia has cold, snowy winters. One winter, the pipes froze, burst, and soaked the servers. Know the area you’re building your data center in. Make sure it’s secured against any possible natural disaster. The best data center I’ve ever seen in my own career belongs to an insurance company. It’s a standalone building able to withstand an F4 tornado with two layers of access control, a man-trap system, and a room full of car batteries as one backup power source. This company had prepared for all foreseeable problems.
No cameras in server rooms: It’s hard to know who is tampering with servers if there are no cameras in your server rooms, however many companies don’t use cameras in server rooms because that may compromise security if the feed is hacked by a criminal. If your company has a policy against cameras in server rooms, make sure cameras monitor every ingress and egress points with a camera, so you know who has been in the room at all times.
Social engineering attacks: Social engineering attacks are more than simply phishing campaigns. A criminal can also con their way onto your site without using technology. Test your data center staff’s competency when it comes to checking badges, calling security on people they don’t know, and confirming whether or not a phone call or message is coming from a trusted source.
Data centers are assets. They should be protected.
If your data center goes offline, you’re likely to face significant problems, so physical security needs to be on organizations’ minds at least as much as cybersecurity is. Criminals don’t necessarily separate the two when they’re trying to gain access to your assets, so security leaders shouldn’t either.
By using the right assessment tools, you can properly assess and mitigate your data center’s risk. Digital security risk assessment software, like Circadian Risk, tracks all your organization’s risks and countermeasures. This includes inherent risk, like weather conditions in your areas as well as items like cameras and access control systems. By using a risk assessment platform, you can see, at a glance, the risk level of each data center in your enterprise.
Want more free educational content about your physical security risk?
Get your free 3-day organizational risk analysis email masterclass.
About the Author
