Digital infrastructure and physical data security: understand best practices

Information security has been a widely debated topic throughout past years, if not decades.  As of the second half of last century, business models and even people’s lifestyles have become increasingly dependent on electronic equipment and digital information.  

Practically everything we do today leaves a track of bits and bytes which can be used positively or negatively. For companies, this data becomes a critical asset and losing it may even cause a company to shut down its activities. 

This naturally creates many concerns in terms of ensuring information security, whether for protecting businesses or people.  Movies and news reports put great emphasis on logical data protection, frequently showing hackers in a glamorous fight between good and evil.  Terms such as BCP (Business Continuity Plan) and DR (Disaster Recovery) are discussed within companies. 

However, a warning is in order! In day-to-day business, physical protection is as important as logical protection, although this topic doesn’t usually receive its due attention. 

What is needed to ensure the physical security of information? 

Physical security of information aims to ensure continuous operations, access control, and environment resilience. Digital infrastructure must respond adequately and protect its data based on the following principles: 

– Environmental security: Directed at protecting equipment from natural incidents, such as floods, storms, earthquakes, or even human errors, such as strikes, road accidents or any kind of impact that can interrupt services due to the loss of carrier access or of capacity from the infrastructure’s operations. This includes duplicity of facilities, if necessary.   

– Availability security: Related to ensuring redundant means for energy supply, equipment refrigeration, fire protection, and data transmission links, including IT infrastructure, such as redundancy of storage components, switches, load balancers, servers, etc. 

– Physical security of the perimeter: This is to ensure that only authorized teams have access to equipment and infrastructure facilities. 

The topic seems simple and obvious, but it’s not.  There are several and different certifications in the market to align and ensure best practices in infrastructure security. Some are even specialized by business segment. 

In terms of perimeter security only, for instance, we can expand the topic into different sub-items and processes: 

– Management of access requests: With defined processes and a system for managing and storing history requests, it aims to ensure that all authorized access to the infrastructure is vetted and approved according to their motives and capacities.  

– Authorization of entry: This is the basic entry access but depends on the previous step being well executed to specify who can receive authorization. It demands steady hands to endorse information and execute the authorization of entry correctly. 

– Reception and referral: Mainly in more complex infrastructures – such as large data centers – this is the stage where visitors are received in premises and accompanied to the spot where they should work or have access.  This stage ensures that a person authorized to execute a specific service is unable to access the entire location, which might cause incidents in other places inside the facilities. 

– Access control and monitoring: Biometric sensors, smart doors with volume and weight identification for entry and exit, cameras, and security teams must be used to prevent anyone – through malicious intent or human error – from removing or placing equipment in the infrastructure without proper control. 

– IT equipment lifecycle control: Analyzes the expected energy consumption as of the entry request; uses IoT technologies and automation, such as RFID, to control the equipment’s position inside the data center, registering and monitoring from entry, deployment, and operation usage up to the entire deactivation process, including data cleanup and certified equipment destruction, with less environmental impact. 

How and how much to invest in the physical security of digital infrastructure? 

A safe digital infrastructure may demand large volumes of investment.  We could say that the sky’s the limit, but it will never be possible to create a fault-free environment.   

The investment in physical security, then, will be inversely proportional to the business dependence on data. To lose last trip’s photos may make someone unhappy, but it won’t cause great harm.  On the other hand, losing customer and billing information may represent shutting down a business.  For a legal office to spend hours without internet access can cause a lot of headache but only a few minutes without access generates immediate financial impact on an e-commerce. 

Therefore, the amount invested in physical security and digital infrastructure redundancies is, in general, directly proportional to the financial volumes involved in the business and inversely proportional to an acceptable recovery time. 

That is, the greater the volume of money involved, the greater the concerns about infrastructure, as can be observed in the financial segment.  And the less time a business can afford to remain inoperable means greater concerns about security, as described in the e-commerce example. 

Cost, however, is not the only impact on an infrastructure’s security. Time and experience also count.  Building walls, power and cooling structures takes time.  Defining processes and control systems demand a learning curve.  

It may be tough to measure this time precisely as a cost, but it can be monetized as loss of business opportunities due to delays in going to market or even because of exposure to already existing business risks. 

A good way to shorten these times or adjust the cash landscape for the necessary investments in digital infrastructure is to contract infrastructure as a service from a reliable cloud or data center provider. 

These providers have facilities and processes already in operation, as well as certifications that testify to their qualifications, and a history of customers and incidents that allows them to validate and improve the necessary controls and redundancies to maintain operations at reliability levels that would be unfeasible for other ventures.  

If your IT team is still worried about understanding whether the electric generator will support the load in case of a power failure or if the LTO (Linear Tape-Open) will remain legible to recover backup, maybe it’s time to learn more about the processes and operations of a professional data center, to help you ensure the security of your business.  Cirion has the best data center structures and strict security protocols, endorsed by a series of certifications, not to mention a highly skilled team to support your company’s daily business. 

Author

Heubert River
Head of Data Center, Cloud & Security Operations,
Cirion Brazil

Heubert has more than 20 years of experience in leadership positions in data center operations in critical, high-capacity, and high-performance environments. He is responsible for Cirion’s Data Center Operation in Brazil since 2013.

He has an MBA in IT governance from USP/IPT, several technical and methodology certifications, as well as broad international experience, having led operations in more than 10 countries in Latin America, USA, and United Kingdom.