Regulatory compliance drives – and complicates – government rack access strategies

This audio was created using Microsoft Azure Speech Services

Regulatory compliance remains the most common top priority for federal IT decision makers when it comes to securing equipment racks in data centers.

Almost always part of an overall physical security strategy, ensuring that only authorized personnel and third-party contractors receive access to data center racks can present myriad challenges, with the first being variations in the verbiage of the regulations themselves.

FISMA demands that “organizations must limit physical access to information systems, equipment and the respective operating environments to authorized individuals.” HIPAA calls for “physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment.” The payment card industry’s PCI-DSS wants systems “appropriately restricted.”

(Less common than compliance but an intriguing driver nonetheless: rack-access security as a potential revenue stream. For example, the Retirement Systems of Alabama notes online that it “boasts over 300 secure card access racks. … The data center contains a secure area for telecommunications carriers and providers to hand off circuits and various other connectivity.”)

One of the biggest trends Schneider Electric is seeing today is an increased emphasis on rack security in protecting audit trails. Security systems are being required to identify each person accessing a rack; time and date of entry and termination of access; and activities performed, including those that could modify or bypass security safeguards. The goal is to protect the audit trail from activity that would negate its forensic value.

Log books, card-access logs and timestamp cameras are the tools of the trade here, with dual-factor authentication methods and biometrics – fingerprints, retinal scans, breathalyzers – becoming more commonly used.

Clients are increasingly finding situations where their needs call for a combination of these technologies in order to provide the desired level of security. For example, a card reader and camera will be combined so that you have both the access log that says you had John Smith using his card to get in and a picture of John Smith getting in.

Systems managers are also combining technologies to provide local authentication and remote control, so if you have a remote site and a contract worker out there in his truck, he’ll use his card key to get in and then call someone authorized to remotely give him access to a specific rack.

A final consideration – and this one cannot be stressed enough — is user acceptance: the nuisance factor. Ease of use and reliability of data center rack-access technologies are important in preventing the system from becoming a source of frustration and, even worse, a temptation for subversion. If you make these systems an unacceptable annoyance for the people who are supposed to use them, human nature dictates that they will find a way around the systems. And if an individual finds a way around security, the rack is open for everybody else.

Tags: , ,