Building a foundation of trust


Key control is critical to data centre cyber-physical security, writes Tim Purpura, VP Global Sales and Marketing, Morse Watchmans.

Data centres keep the digital economy running around the world. Every app you use in the cloud, every dollar spent at your favourite retailer, every patient record at the hospital and every message or call relies on the physical infrastructure of racks, servers, storage cabinets, networking gear, power and cooling equipment – and the facilities that protect them.

Virtual servers might float in the cloud, but the digital services tied to them remain reliable and secure only when a physical facility keeps them up and running.

Customers and vendors spend millions to digitally secure their data centres against cyber-attacks by deploying firewalls, segregating networks, encrypting data and continuously monitoring systems for suspicious activity.

However, when it comes to physical security, one piece of data centre security is often left out: Key control.

Organisations are under increasing pressure to prove their accountability, meet compliance standards and build trust with customers and partners.

Now, more than ever, key control needs to be considered an essential part of every cyber-physical security strategy.

The weak link in the security chain

Much of the cybersecurity discussion these days centres on external actors attacking companies.

Hackers can use phishing campaigns, brute force attacks or stolen credentials to compromise systems from anywhere in the world.

Physical access is different. Once an attacker is past the front door of a facility – whether by stealing credentials, tailgating through an open door or bribing an employee – they can wreak havoc.

Physical intrusion allows an attacker to circumvent cybersecurity controls entirely by accessing storage devices directly, installing malware on servers, stealing sensitive documents, disconnecting monitoring systems or even vandalising equipment.

In 2009, Heartland Payment Systems became the victim of one of the largest recorded payment card data breaches to date.

Spyware was installed onto the company’s systems and used to steal credit card information from millions of transactions. Years later, defences are still being developed to prevent this type of attack from happening again.

Keys hold the kingdom

Inside a data centre, keys most often provide access to the infrastructure that houses the most sensitive and critical components of the business.

Physical keys are often used to secure server racks and cabinets, network equipment enclosures, power distribution panels, backup generators, cooling units, surveillance equipment and even security operations centres.

In many facilities, electronic security access controls are deployed at perimeter doors to grant employee access into the building.

However, most facilities also rely on physical keys to secure the hardware and infrastructure inside, typically in the form of server racks, cages and infrastructure cabinet keys.

In colocation facilities where multiple organisations can reside under one roof, the physical security challenges around key control can become even more complex.

Each organisation will have its own employees, contractors and vendors providing services within the facility.

If key management policies are left up to individuals maintaining “key cabinets” with sign-out sheets or drawer locks, there is no guarantee that keys will be handled appropriately.

Whereas you can revoke digital credentials, physical keys cannot be recalled once lost or stolen.

Key control systems turn security vulnerabilities around physical keys into credentials you can monitor and audit.

Putting accountability behind every key

Electronic key management systems turn physical keys into digital assets that can be closely monitored and managed.

Key cabinets are secured with electronic locks that allow only authorised users to retrieve individual keys, and every interaction with the cabinet is automatically logged.

Users must authenticate with the system using credentials such as PIN codes, access cards or biometric scans to unlock the key cabinet.

Once a user selects the keys they need, the system logs who accessed the cabinet, which keys were removed and the time they were taken.

Users are then responsible for returning the keys they use to the key cabinet.

All keys taken from the cabinet are logged upon return. If keys are not returned within a pre-determined timeframe, security personnel can be automatically alerted.
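The removal, return and overdue-alert workflow described above can be expressed as a short review of a cabinet's audit log. This is an added example, not code from the article or from any key management product; the log format, key and user names and the four-hour hold limit are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (assumed format): timestamp user action key
SAMPLE_LOG = """\
2024-05-01T08:00:00 alice REMOVE rack-A12
2024-05-01T08:05:00 bob REMOVE pdu-3
2024-05-01T09:10:00 alice RETURN rack-A12
2024-05-01T10:00:00 carol REMOVE cage-7
2024-05-01T10:30:00 dave RETURN pdu-3
2024-05-01T11:00:00 erin RETURN gen-1
"""

MAX_HOLD = timedelta(hours=4)  # assumed policy: keys must be back within 4 hours


def review_key_log(log_text, now, max_hold=MAX_HOLD):
    """Replay the log and return (alert_type, key, user) tuples for security staff."""
    outstanding = {}  # key -> (user who removed it, time of removal)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, key = line.split()
        when = datetime.fromisoformat(ts)
        if action == "REMOVE":
            if key in outstanding:
                # The cabinet believes this key is already out: log is inconsistent.
                alerts.append(("DOUBLE_REMOVE", key, user))
            outstanding[key] = (user, when)
        elif action == "RETURN":
            holder = outstanding.pop(key, None)
            if holder is None:
                # A key came back that was never logged as taken.
                alerts.append(("RETURN_WITHOUT_REMOVE", key, user))
                continue
            if holder[0] != user:
                # The key changed hands outside the cabinet.
                alerts.append(("RETURNED_BY_OTHER", key, user))
            if when - holder[1] > max_hold:
                alerts.append(("LATE_RETURN", key, holder[0]))
        else:
            alerts.append(("UNKNOWN_ACTION", key, user))
    # Anything still out past the hold limit is attributed to whoever removed it.
    for key, (user, taken_at) in outstanding.items():
        if now - taken_at > max_hold:
            alerts.append(("OVERDUE", key, user))
    return alerts


if __name__ == "__main__":
    for alert in review_key_log(SAMPLE_LOG, datetime(2024, 5, 1, 15, 0)):
        print(alert)
```

Besides the overdue key, the replay surfaces two conditions a paper sign-out sheet would not: a key returned by someone other than the person who removed it, and a return with no matching removal.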

Maintaining visibility and control over who has access to keys at any given moment is critical for security and for compliance with standards and regulations.

The National Institute of Standards and Technology’s Physical Security Controls for Information Systems publication is just one example of a security framework that emphasises the importance of physical security controls as part of an organisation’s information security program.

Key management systems provide needed visibility and documentation of who has access to keys.

Preventing data breaches starts with physical keys

With key management systems, administrators can enforce policies requiring users to authenticate before accessing a cabinet – and every action is recorded.

Not only can key management systems prevent data breaches caused by stolen credentials, but they can also address insider threats.

Malicious insiders with physical access to facilities can cause significant damage to businesses by stealing intellectual property, sabotaging systems or causing expensive downtime.

Insider threats, whether accidental or malicious, can come from employees, contractors or third-party vendors who have access to facilities.

Key management systems provide additional layers of accountability and security by requiring users to authenticate before accessing a key cabinet.

Physical security through key management systems provides a layer of security that’s independent of your primary network security.

Key cabinets operate on independent networks, so if your security systems are breached, keys will remain secure.

Additionally, if there is a network outage or a system failure, keys will remain locked inside the cabinet.

Since keys are physical objects that cannot be remotely hacked, when properly managed with a key management system, they provide an additional layer of security that aligns with your cybersecurity programs and policies.

Helping operators understand how facilities are used

Monitoring and logging when and how keys are used can help operations teams understand how infrastructure is being accessed.

Are there certain racks that are accessed more often than others? Do certain racks only seem to be accessed by specific teams? Are there trends you can identify during peak and off-peak hours?

Access data can be referenced to understand how facilities are being used and by whom.

This data can help with staffing decisions, capacity planning and gaining a better understanding of how your infrastructure is being accessed.

Access data can even be used by colocation operators to ensure clients are only accessing the infrastructure they are paying for.

This information can be leveraged in ways that not only provide security, but also a better understanding of general business operations.

Securing distributed data centres starts with the keys

Cloud deployments are expanding and edge computing is quickly becoming a new target for attacks.

With the growth of distributed infrastructure comes an increase in security risk; if someone can gain unauthorised access to a data centre, the threat expands to your entire operation.

Many edge facilities are unmanned or located in remote locations that pose unique security challenges.

Regardless of the size or location of a data centre, centralised key management allows security teams to maintain control of physical access, no matter where the infrastructure is located.

Key cabinets can be monitored remotely by security teams, and access permissions can be modified.

Security teams can be automatically alerted if keys are not returned or if suspicious activity is detected.

Helping operators keep their facilities secure

As cyber-attacks continue to make the news each day, it’s critical that organisations take a layered approach to security that covers both cyber and physical protections.

There are many components that go into properly securing a data centre: Perimeter protection, electronic security access control, cybersecurity technology, environmental monitoring and key management solutions.

Physical keys provide access to the most sensitive components in a data centre.

By integrating key cabinets into your overall security strategy, you can extend access control beyond the front door of your facility down to each individual piece of infrastructure.

Securing the foundation of the digital economy

Data centres are the foundation of our modern digital world, but they’re only as secure as their weakest link.

Cybersecurity gets most of the focus when thinking about data centre security, but physical security truly bridges the gap between cyber and physical security.

If you can gain physical access to a data centre, you can threaten cyber assets and vice versa.

Both cybersecurity and physical security should be part of an overall cyber-physical security strategy that protects your facilities and customers’ data.

By maintaining strict control of keys with a key management system, you can help secure your critical infrastructure and build a foundation of trust with customers and partners.
