In mission-critical facilities, it’s obviously important to keep unauthorized individuals out, but it’s also important that authorized employees don’t venture where they don’t belong. The reason? That’s how bad things happen.
Consider this tidbit from the APC by Schneider Electric white paper, Physical Security in Mission Critical Facilities:
People are essential to the operation of a data center, yet studies consistently show that people are directly responsible for 60% of data center downtime through accidents and mistakes — improper procedures, mislabeled equipment, things dropped or spilled, mistyped commands, and other unforeseen mishaps large and small. With human error an unavoidable consequence of human presence, minimizing and controlling personnel access to facilities is a critical element of risk management even when concern about malicious activity is slight.
Plenty of technologies exist to try to help address this problem of keeping unauthorized or ill-intentioned people out of places where they don’t belong. IT managers generally know who should be allowed where. The challenge lies in deciding which of an array of identification technologies to apply in what combination in order to answer two simple questions, “Who are you, and why are you here?”
The second question often follows naturally from the answer to the first. “It’s Alice Wilson, our cabling specialist, who is here to repair that cable break.” In other cases, the “who” and “why” can be combined, such as in the information stored on the magnetic strip of a swipe card. In others, the “who are you?” doesn’t really matter, only the “why are you here?” does. Think cleaning people, who frequently change.
Let’s turn, then, to the various approaches to answer the question, “Who are you?”
Methods of identifying people fall into three general categories of increasing reliability and cost. The least reliable is the “what you have” method, which refers to a key, card or token that provides identification. The problem with these is that they can be easily stolen or borrowed for use by an illegitimate person. Next up the scale is “what you know,” meaning a password, code or procedure. While such things can’t be stolen, they can be shared or written down. The most reliable is “what you are,” which is based on something physically unique to you – your fingerprint, retina, voice or handwriting, for example. Such biometric features are the most reliable method because they can’t be lost, stolen or shared. However, the systems do have a drawback, which is the possibility that they will fail to recognize a legitimate user, also known as a “false rejection.”
To protect critical resources, the best strategy is to use methods of increasing reliability, and expense, as users progress from the least sensitive areas to the most sensitive. For example, while entry to the building may require only a swipe card and PIN, entry to the data center requires a PIN plus biometric scan.
The APC by Schneider Electric white paper succinctly outlines the advantage of this approach:
Combining methods at an entry point increases reliability at that point; using different methods for each level significantly increases security at inner levels, since each is secured by its own methods plus those of outer levels that must be entered first.
Some access control devices (card readers and biometric scanners, for example) can capture the data from access events, such as the identity of people who pass through and their time of entry. If network-enabled, these devices can provide this information to a remote management system for monitoring and logging (who’s coming and going), device control (configuring a lock to allow access to certain people at certain times), and alarm (notification of repeated unsuccessful attempts or device failure).
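As an added illustration (not taken from the white paper), the following Python sketch shows how a management system could review logged access events for two of the conditions described above: repeated unsuccessful attempts at one reader, and a grant at an inner level with no earlier grant at the outer levels. The zone names, event fields, thresholds and sample events are all assumptions constructed for this example, and exit events are not modeled.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Zones ordered outermost to innermost (assumed layout, not from the white paper).
ZONES = ["building", "data_center"]

# Constructed sample events: (timestamp, badge holder, zone, result).
EVENTS = [
    ("2024-05-01T08:00:00", "alice", "building", "granted"),
    ("2024-05-01T08:02:00", "alice", "data_center", "granted"),
    ("2024-05-01T08:05:00", "bob", "data_center", "denied"),
    ("2024-05-01T08:05:20", "bob", "data_center", "denied"),
    ("2024-05-01T08:05:45", "bob", "data_center", "denied"),
    ("2024-05-01T09:00:00", "carol", "data_center", "granted"),
]

def review(events, max_denied=3, window=timedelta(minutes=1)):
    """Return (alert_type, person, zone, timestamp) tuples for an event stream."""
    alerts = []
    denied = defaultdict(deque)   # (person, zone) -> recent denial times
    inside = defaultdict(set)     # person -> zones already entered
    for ts, person, zone, result in sorted(events):
        when = datetime.fromisoformat(ts)
        if result == "denied":
            recent = denied[(person, zone)]
            recent.append(when)
            # Drop denials that fell out of the sliding window.
            while when - recent[0] > window:
                recent.popleft()
            if len(recent) >= max_denied:
                alerts.append(("repeated_denied", person, zone, ts))
                recent.clear()
        elif result == "granted":
            # Every outer layer must have been entered before an inner one.
            outer = ZONES[:ZONES.index(zone)]
            if any(z not in inside[person] for z in outer):
                alerts.append(("skipped_outer_layer", person, zone, ts))
            inside[person].add(zone)
    return alerts

if __name__ == "__main__":
    for alert in review(EVENTS):
        print(alert)
```

In the sample data, the second alert (an inner-door grant with no building entry on record) is the kind of event that points to tailgating or a reader that failed to log.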
To learn more about how to protect your critical resources, including an analysis of various forms of access control devices, check out the APC by Schneider Electric white paper, Physical Security in Mission Critical Facilities.