Welcome to the SecAware blog

I spy with my beady eye ...

6 Nov 2007

Chicago data center robbed, again

A Chicago shared data center (a "co-location facility") has been broken into and robbed for the fourth time in two years, despite claiming physical security measures that would put some data centres to shame.

Masked robbers allegedly broke in through a wall using a power saw (although this is disputed by customers who visited the site), tazered and hit the center manager, and made off with a hoard of servers worth at least $20k (presumably that's just the hardware cost: the data content could be worth rather more and CI Host customers whose websites are down are fast losing their customers). The following physical security controls are mentioned in the Register piece and on CI Host's website, although the existence of some is doubted by slashdotters:
- Multiple layers of 24x7 security cameras with 360-degree perimeter and roof surveillance and Facilities 24 hour DVR systems with 14 day video storage (foiled by masks and by allegedly stealing the CCTV equipment)
- Proximity card readers plus biometric access controls and key pads, with double-locking mantraps at data center entrance (bypassed by using a convenient hole in the wall instead of the doors)
- Reinforced walls (vulnerable to a power saw, so "reinforced" seems a bit of artistic license)
- On-site personnel 24x7 (perhaps only one person? It's not entirely clear whether he was already there or responded to an alarm. There's no mention of security guards or alarms being sounded, as far as I've read so far)
- Non-customers enter equipment area by escort only (presumably not the robbers!)
- All cabinets, cages, and suites have locking mechanisms (a.k.a. "locks") and security upgrades are available (padlocks? Cages? Bullet-proof Kevlar vests?)
- Physical audit trails on all entry points (visitor logs?)
- Anti-pass back and tail gating systems (passback is permitted through holes in the wall)
- 24x7 intruder, smoke, heat and fire alarms monitored by police and fire departments for instant reaction (for large values of "instant")
- No signage, nondescript building (the building's street address - 900 North Franklin, 3rd Floor, Chicago, IL 60610 - and photo is provided on CI Host's website, and of course the robberies make the news. Hardly what one would call discreet!).

Banks know a thing or two about physical security, yet bank robberies do still occur. Robbers naturally avoid the strongest controls but exploit the weakest, which often includes the employees. Bank employees are not, as a rule, expected to fight to the death to defend their employer's and customers' assets. Automated security controls such as time-locked vaults and silent intruder/hold-up alarms are designed to at least delay if not foil the robbers while the cavalry trot along. On top of that, many of the security controls in a bank are designed to protect the employees. Maybe CI Host should consider taking advice from local bank security people ... or moving out of Chicago?

No comments:

Post a Comment