Cyber risk is a top concern for CIOs and CISOs around the world, but the risks to data and IT infrastructure aren’t all in cyberspace. Physical security also plays a crucial role in protecting data and ensuring business resilience. So says Jacques de Jager, COO of leading data centre provider Digital Parks Africa (DPA), who argues that physical security measures are as important as cyber security in mitigating business risk.
“Robust physical security in data centres is vital for ensuring uninterrupted service, protecting client equipment, and maintaining trust. In a data centre, there are numerous direct and indirect threats that could put customers’ data and business operations at risk. Best practice measures to mitigate these risks in data centres include multi-layer access control, surveillance, and advanced monitoring,” he says.
“The security guard needs to be monitored by the NOC, the NOC needs to be monitored by a third party, and the third party needs to be monitored too. Modern data centres should use a variety of advanced digital technologies to monitor the perimeter, premises and individual pods and racks,” he says.
These include advanced dual NOC monitoring round the clock, CCTV cameras, object detection, biometric access control, and multi-factor authentication. He explains that a dual NOC system, in which an external NOC is the only one that can open the gates, addresses the risk of on-site staff becoming familiar with who comes and goes, and possibly becoming complacent about security.
“Another best practice physical security measure is to make people pre-book their access to the facility to allow for proper vetting,” he says.
“To ensure security and compliance, the data centre should be ISO/IEC 27001 certified for data protection assurance, with PCI DSS payment card industry certification where necessary, and external auditors to ensure the data centre follows best practice standards and guidelines,” de Jager says.
In addition to aligning with global best practice, data centres should proactively mitigate risk throughout the value chain, he says.
“Every process should have risk mitigation built in,” he says. “For example, the diesel required to run the generators must be carefully secured and tested for contamination. Any diesel that is delivered must be held in a receiving tank first and sent for microscopic analysis.”
DPA implements all physical security best practice measures, with additional layers of security built in.
Each security protocol and standard operating procedure has checks and balances by means of automatic performance reporting. DPA’s operational teams review these reports on a weekly basis and information is transparently shared with customers to ensure external oversight.
To further reduce the risk of unauthorised people gaining access to the data centre, DPA includes access logs in its monthly reports to customers.
“We send customers the access records of everyone entering and exiting their pods or during that time. We also do a monthly check on designated individuals nominated by the company who should have access to our environment and who needs to be revoked.”
In addition, DPA’s pod design means each customer’s infrastructure is secured independently within the pod, with multiple access control points, biometric access controls, and access control lists. Latest-generation racks include biometric access control at rack level, with a full electronic audit report on each individual opening and closing.
This proactive, multi-layered approach to security has ensured that while there have been attempts to breach the existing security measures on the perimeter, none have been successful since DPA launched in 2017.
De Jager adds that while DPA offers comprehensive security and risk mitigation measures, it can also customise its approach with additional measures on request. “For example, if customers feel they want exclusive space or further segregation and containment, we offer that. We are modular and flexible by design, offering best practice, compliant security with a dedicated compliance team to ensure that our environment is not only secure but it also complies with regulations such as POPIA and GDPR.”