First published: 31st January 2008
A recently revealed incident that occurred last October has raised the question of whether most datacentres are adequately protected against armed robbery. In the incident, armed thieves entered a datacentre in Chicago, and coerced the lone IT working into scanning his fingerprint and revealing his PIN to allow them full access to the facility.
Security blogger Christopher Faulkner, said that the incident shows how the majority of IT managers have inadequate measures in place to counter the threat posed by violent burglars. An alternative view would question whether the majority of datacentres have assets that are attractive to armed robbers. Armed robbery is a high-risk crime, so it should offer high rewards. Datacentres have hardware and data assets. In most cases, the hardware is generic equipment that is falling in price, and the specialised hardware might be valuable, but it will be traceable and hard to sell. The data may be valuable, but the value might be dependent on the theft being concealed - for example, credit card numbers that could be misused until the bank cancels them. There would probably be denial of service aspects, but those should be addressed by disaster recovery plans. It might be appropriate to implement full-disc encryption, so that, even if the servers are stolen, the data is inaccessible. This also protects the data from copying by unauthorised staff with access to the datacentre.
So, for most organisations, "adequate measures" are a policy that armed robbers should be given what they want, and the Police called afterwards. Introducing armed guards into the datacentre of an otherwise unarmed organisation is greatly increasing the risk of death or injury, and increasing the costs of security unnecessarily. As always, security is about balancing costs against protection.