Protecting Your Data Center or Critical Facility From Terrorist Attack
In an information dependant world, data centers and communications networks are the hub around which the world functions. Without instant access to financial information housed at a data center, many of the activities we take for granted would stop. Imagine a world where you couldn't use any charge cards, ATM cards, access email, access voice mail or any of a dozen other activities that are dependant upon uninterrupted communication with a data center. Data center outages can also cost in the hundreds of millions of dollars and have a worldwide impact on financial markets. Is it any wonder that they are now being looked at as likely targets for terrorist activities?
Data centers and critical communications facilities are particularly vulnerable to disruption via terrorist attack. With a concentration of vital services in these facilities that a disruption can impact for days or even weeks, there is growing concern about their being targeted. While they have certain vulnerabilities that are inherent to their functions, there are a number of proactive steps that can be taken to lessen their vulnerability. Eliminating an attack by a determined terrorist may not be possible. You can however minimize the impact of an attack by taking the following steps.
The first step to preventing a terrorist attack is to raise the awareness of the possibility of attack among your employees. Suspicious persons, suspicious vehicles, suspicious activities all should be reported and investigated. Having employees who question behavior that seems out of the ordinary is the best defense against a successful attack. It may also prevent an attack, since alert employees and security staff may encourage terrorists to move on to a less security conscious environment.
Strike a balance between security and convenience
Every site needs a balance between levels of security that are necessary to protect a site and the convenience and ease of access for visitors. At many sites management is too concerned about inconveniencing visitors. They consider having visitors park further away from the building, escorting visitors at all times, verifying Ids, searching briefcases and purses, to be too inconvenient and too invasive. Having managed security services for a data center, I understand the temptation to relax some of the requirements to make admittance into a facility easier. However, if you don't control access, if you don't know what has been brought into the facility and you don't know where visitors are at all times, you don't have any security.
Provide a buffer zone between public access areas and your site
Many data centers are built with little concern about site conditions. Data centers are often built adjacent to busy streets, with no buffer zone between the data center and public areas. They are often put in high visibility, multi tenant buildings, with a parking lot shared by all tenants. The primary focus is on the availability of power and fiber. This is wrong approach from a security standpoint for selecting a site for a data center or any critical facility. Ideally, these facilities should be on a large, single tenant site, with the facility centrally located on the site. There should be large open space buffer zones between the facility and the public area. If your facility is located 15 feet from a public road, sidewalk, or parking area, I don't care how many cameras, fences or lights you've installed, you are much more vulnerable than a site with a buffer zone around it.
Take a zonal approach to security
Security should start at the perimeter and increase as you work your way closer to the facility. Wrought iron fences and gates are a great starting point. Having a guard booth at the entrance to the facility can discourage terrorists from even trying to attack your facility. They can also direct visitors to the correct parking areas, far enough away from the facility to minimize damage that could occur from a car bomb. Grass berms and strategically placed planters and bollards will also help protect your facility from anyone trying to crash a vehicle into the facility. Electrical rooms, central plants, cooling towers, should all be located behind block walls, in an area inaccessible to the public and to most employees. A zonal approach that increases the levels of security, as you get closer to the facility is an important step.
Harden the exterior of your facilities
Guards located behind bulletproof glass, hardened lobbies, man traps or revolving doors, exterior emergency exit doors that are specially designed for security and contain no hardware to open them from the outside, are all steps that can increase the security of your facility. Forcing your way into a properly designed facility should be extremely difficult. A hardened exterior with highly visible security systems may discourage a terrorist from even trying. While data centers used to rely on anonymity to help keep them safe, that tactic no longer works in today's environment.
Cameras, (and someone to look at them)
Having cameras on the exterior of the building so that all activity outside the building is being monitored is critical to protecting your facility. How the cameras are sequenced and who is looking at the monitors is just as critical. The monitors used should be large enough that security guards can get a clear picture of the activity that is taking place on the exterior of the building. Security guards who are trained in the use of video monitoring systems and dedicated to that function is an essential part of exterior security. At many sites, the security guards have multiple functions and simply can't watch the cameras at the same time they are signing in visitors or issuing badges.
Build in redundancy
Redundancy should be designed into all systems. Electrical, mechanical, security, fire protection and communications are essential elements common to all critical facilities. Having multiple communication carriers, redundant entrance facilities and diverse routing for the fiber, can help prevent a single incident from shutting down your facility. Fault tolerant designs in all of the critical systems can keep your facility on line after one or sometimes multiple events.
Have a disaster recovery/business continuity plan in place and tested
In the event of any sort of disaster or terrorist attack that takes your facility off line, having a disaster recovery/business continuity plan that staff is familiar with, has been tested and is ready to implement is critical. A well thought out, well-tested plan could be the difference between being down for hours, versus days or even weeks. In some cases it can be the deciding factor as to whether a company survives. This plan should include a risk assessment and analysis as well as an ongoing audit and assessment program.
As the world trade center attacks have unfortunately proven, terrorist attacks are a reality that the business community can no longer ignore. Data centers and critical communications facilities are an inviting target for someone looking to have the maximum impact with their actions. However, there are proactive steps that can be taken to lessen the risk and to minimize the impact. While you cannot prevent a determined terrorist from attacking your site, you can by following the suggestions in this article, limit the damage they can do and minimize the impact of their actions.