Chris Wellfair, Projects Director at Secure I.T. Environments talks about physical security and the importance of the LPS1175 standard.
Knowing what to make your next priority in the data centre has always been a case of moving parts, in fact usually spinning plates! But when designing or upgrading a data centre you approach the process in a much more rigorous and scientific way. Each DC has its own needs and goals usually made up of a combination of the following: flexibility, energy efficiency, power, security or redundancy. As a DC ages our needs definitely evolve and though no DC manager would admit it to ‘the powers that be’ that sometimes we have to take a Heath Robinson approach to squeezing that bit extra out of our investment.
There are some areas where that is hard to do and securing the data centre is one of them. Security is an area that we have seen steadily move up the priority list in recent years, where previously areas such as flood, fire and power contingency may have taken priority. In some ways this is because those features are just expected, but another reason is the volume of data and applications that a typical DC serves to its organisation. The size of the DC is almost irrelevant, its what the DC does for the organisation and the type of data it holds or processes.
For those taking a much closer look at the security of their data centre or in the process of designing a new DC, it would be wise to get very familiar with the Loss Prevention Certification Board’s LPS1175 standard (issue 7.2). The aim of this standard is to assess the physical resistance of security products when various types of unauthorised access tools are used against them. Depending on how a product performs it is given one of eight different grades, according to the time and tools likely to be used by somebody wanting to subvert those products to get at whatever they are protecting. Essentially the standard provides a buyers guide that those designing a data centre (or anything else that needs protecting) can use to ensure the selected products meet the level of protection they require.
For those that have not looked at LPS1175 for a while, or perhaps are coming to it for the first time, here is brief summary of the gradings most commonly encountered in data centre design, whether modular or purpose-built design methodologies are being adopted.
It is very important to note that individual categories of products have specific requirements for each grade of the standard, specifying both the tools and time over which they are tested for maintaining security:
SR1 – Products in the category are broadly secure against an opportunist attack by bodily force using minimal tools (e.g. screwdriver, knife or pliers)
SR2 – Again an opportunist attack but with tools of a higher mechanical advantage (e.g. those listed in SR1 plus bolt cutters, claw hammer or a drill, for example)
SR3 – Attacks at this level are deliberate forced entry of protected premises using bodily force and a selection of attack options (e.g. SR2 tools plus axes, chisels, crowbars or blow torches of some kind)
SR4 – Forced entry at this level is by experienced individuals that have planned an attack with stronger, possibly powered tools, such as a felling axe, sledgehammer, steel wedges, disc grinder or jigsaw
SR5 – Products at this level have to withstand serious attempts at forced entry with top end battery power tools used by fire and rescue teams (e.g. SR4 tools plus circular or reciprocating saws with specialist blades). SR5 is a significantly higher level of protection to SR4, covering specialist cutting tools.
The standard itself goes into a lot more detail than there is space to cover here, but those wanting to learn more should visit www.redbooklive.com. The current standard can be read at http://www.redbooklive.com/pdf/LPS1175.pdf. The Redbook Live is a website managed by the LPCB and contains a lot of useful information including listings of suppliers and products it has tested – making it an invaluable source for those specifying products to secure a data centre.