Secure Data Center Access With Biometric

Having recognized the efficiency of IT implementation and automation, and how it can supercharge business growth, people are looking at it for their business transformation. Organizations are not only taking up IT implementation for their core operations, now they are even taking automation and robotics into consideration. From small scale businesses to multinational enterprises, are keen to take their operations to automation or IT based systems, which are manual yet, but have potential to be automated. According a report by The Guardian, inclination towards robotics and automation, has started claiming jobs. Day is not far when robotics shakes hands with artificial intelligence and start taking even the skilled jobs. What is behind all this change? It is the power of speedy processing, connectivity and most importantly Data.

In a report, The Economist calls data “Fuel of future” and tells how data is shaping up world economy. If data is considered as fuel, data centers become their refineries and both produces crucial feedstock that makes world economy move. Just like the world economy will fall apart without products produced by crude oil refineries, data centers will also have more or less same impact on economy. Without data centers, holding up economy will be as impossible as without fuel. Data centers make the connected world possible, which is crucial for the business. From a Facebook photo upload to real time updates of stock markets or weather report; data centers play their roles behind the scenes.

Today, IT giants like Amazon, Alphabet (parent company of Google), Apple, Microsoft and Facebook has hold of petabytes of user and their activity data, and that’s what makes them so powerful. These companies have control and monopoly over the market. Despite monopoly, services offered by these IT giants have made everyday life somewhat easy. How many of us will choose a life without Google Search, Amazon One Day Delivery or the Facebook news feed. While these services seem free, users unintentionally pay by giving their personal data. This data is refined in their data centers and used for commercial purposes, so nothing is free after all. Just like a refinery, which will come to complete cessation without crude oil, data center has no purpose to serve without data. However, mining data is not as gruelling task as boring an oil well. Most companies do it simply by offering a free service and people are all up with their personal and activity data.

A Data center facility can house networked computer system, telecom equipment and data communication systems and power backup. It also has environment controls in place like air conditioning, temperature control, fire suppression and air filtration. Concept of data centers began to get popularity during 1990s, when microcomputers began to grow and made mainframes to look for space in a separate room. These server rooms could be called first data centers, however, they were entirely different from current setup of a data centers.

In 2002, Amazon started development of its web services, which was the suit of different IT infrastructure services on cloud, including storage and computation. Amazon’s efforts made its services to launch for commercial offering in 2006, in the form of web services. During this time cloud computing had started taking attention of enterprise business. Backed by the immense power of its data centers, Google started offering browser based application in 2009 for commercial as well as personal usage, which was the another milestone in cloud computing. In 2013, Google invested a sum of $7.35 billion to expand its global data center network. It was perhaps the largest capital expenditure in the history of data centers.

Role of data centers in everyday life generally goes unnoticed. Data centers work behind the scenes day and night, so the world around us look connected, efficient and ordered. To achieve this order, it took decades of efforts to manage flow of information. Despite this growth, the fact that remained unchanged is security of data is the utmost priority. Google initially collected user data for advertising purposes and in the beginning its potential went unrecognized. Later with the expansion of services, new products, analytics and intelligence, this data became the most valuable asset to Google. That time, nobody would have realized that time how big the profit based on personalized advertising could be. Do a quick search for a product on an e-commerce website, and that product will be following you on every online ad and on the websites you visit. This is the power of data gone through complex algorithms running day and night in data centers. Data processing algorithms can read our mind by processing our online activity data.

What’s on your mind? That question is not asked unintentionally on your Facebook account home page. Just put there that what are you up to and advertises related to your plans will be flooded on your web pages. Feeling like taking a vacation in Italy? And have shared your plans on Facebook with a few quick searches on Google? Well, that would be enough for travel plan, air ticket, tour package and hotel advertises to shine your webpages and they will be following you all over the internet. It feels good and scary at the same time. Day is not far when billboards start showing personalized ads. With digital footprints processed in data centers they know everything about you and what you are up to. Nowadays, probably no commercial website is an exception when it comes to sniff your digital footprints. Data produced by millions of users’ digital footprints is stored and processed in data centers to offer products and services. Other than the commercial services, huge volume of data is also produced by weather sensors, satellites, nuclear reactors, financial transactions, military operations and other government endeavours. Many predictions and forecasts are based on processing this data. All this is made possible by intelligent programs running on data center servers.

People working in a crude oil refinery know the importance of security. They understand how a single spark can blow up the entire facility that may not only incur huge losses but also cost human lives and environmental aftereffects. Just like a refinery, a data center can’t make compromises with security. Data would not catch fire like oil, but a spark of breach in security can bring an entire system to its knees, affecting millions of people, costing human lives or even compromising the national security. For example: NSA has a huge data related to national security of the United States of America, if it gets compromised may cost human lives. Another example: If a malicious user gains access to a nuclear reactor control system and manipulates the safety procedures, it can turn out to be next Chernobyl.

All data center security measures are actually implemented to secure data. Data security is the core reason of all security efforts. According to ISO (International Organization for Standardization), a security incident is:

Physical security is crucially important and should be implemented as a first degree countermeasure to safeguard a data center from threats. Physical security not only drives back potential intruders but also protects the facility and resources against natural disaster, terrorist attack, cyber-attack, vandalism, theft, sabotage and other malicious acts. A well implemented physical security perimeter ensures end-to-end protection against potential threats and breaches. Physical security works better when implemented in layers, so that a possible threat has to go through different layers of countermeasures before gaining access or control of the resources.

External threats are posed by an outside entity or person, who does not have a legitimate access to a data center or its resources. If external threat is coming via a computer networks (e.g. the internet) it may originate from anywhere in the world. Security measures should have capability to trace the threat and mitigate it to prevent future occurrence. External threats can be mitigated with a risk based approach to physical security where all threats and losses are analysed with their potential likelihood to occur.

Physical security also takes care of internal or insider threats but insider threats, when occur, can pose a greater risk to a data center security. Internal threats are usually posed by a person who already has a certain level of access in the facility. Internal threats may not always be intentional. An employee or staff member may compromise sensitive information without even knowing about it. According to US Computer Emergency Response Team (US-CERT), around 40 percent of breaches in IT security are committed by internal people. Security countermeasures should be able to address both intentional and unintentional incidents of threats.

Data centers often go without seeking much attention, low-height buildings without much windows and decoration, not even signage. But when it comes to security, data centers cannot compromise with it. Identification, authentication and a limiting the level of access is a mandatory process for staff people, employees and visitors of a data center. All personnel have to wear a badge for identification and to display their level of access. For employees and staff members, this level of access and authentication is already established, and they are provided with the means that let them go till their defined level of access. Entries and exits of all personnel are recorded including video records by surveillance cameras.

Identification and authentication plays a vital role in whole security implementation effort of a data center. To enable people access a facility, they may be provided with means of authentication, which can be:

PINs, passwords, security questions, lock combinations come under this category. They are cheap to implement but poses risk unauthorized access if someone else acquire this knowledge.

Swipe cards, keys, badge and access cards fall under this category. This method could be employed for accessing less sensitive facility. Downside of this authentication method is that people may lose what they have as authenticator, which can be used by an unauthorized person to access the system or facility.

Physiological or behavioral characteristics are unique to a person and can be used as an authenticator, for example: Facial structure, iris, retina, fingerprints, DNA, typing rhythm, voice, and gait. Authentication method, based on any of these or combination of these, is called biometrics.

Biometrics can dramatically improve whole authentication and identity management practice in a data center security. Biometric authentication does not depend on a possession of information or things like passcodes or access cards. It is a unique natural measureable pattern that doesn’t change with time and can be used as a trusted authenticator. Duplication of physiological and behavioral characteristics is a near impossible endeavour so they have least probability of being tempered with, unlike other authentication methods.

Biometrics can be used at all layers of security where identification, authentication or a lock-unlock procedure is required. From building access to room access and server racks to cabinets, biometric access controls system are available. These control systems comes with ability of real-time monitoring of locking / unlocking attempts, security alerts and ability to generate audit trails. Biometric access to server racks can help prevent insider threats. Taking it further, biometrics can even be implemented at the logical level, for example: to login a server or user account. Biometric scan is always required entering a controlled area or system, if scan matches what is stored, person gets to access the facility. Biometric identity and authentication system not only secure the facility but also help achieve regulatory compliances if data center belongs to a regulated industry like healthcare or finance.

World is now driven by data and without data centers, managing this massive volume of data produced each day, will be impossible. Data centers not only house this data but also help making sense of it. Weather sensors and satellites produces huge amount of data and only after processing this data, weather predictions are made. If hurricanes and tsunamis reach us unpredictably, they will cost human lives and huge losses. Our dependence on data and information produced out of it make it very crucial that data centers keep functioning, without them the economy will fall. For this importance, data centers become a target to intruders, so security of data centers becomes exceptionally important.