Three key Types of Security Controls to Consider when Assessing a Data Center


By Guy Albertini, Associate Vice President and Chief Information Security Officer, Rutgers University

Data centers are essential to modern businesses, as they provide the infrastructure necessary to store, process, and transmit data. Whether a data center is in the cloud or on-premises, it is important to consider a range of security controls to protect against threats to the confidentiality, integrity, and availability of the data stored within. In this article, we will outline three key types of security controls to consider when assessing a data center: administrative, physical, and technical.

Administrative security controls refer to the policies, standards, and procedures that are put in place to manage and protect a data center. These controls are designed to ensure that the data center is secure and that its access is properly controlled. Some of the key administrative security controls to consider when assessing a data center include:

1. Security policies, standards, and procedures: Data centers should have well-defined security policies, standards, and procedures in place to ensure that all employees are aware of their responsibilities and obligations when it comes to protecting the data center. Such policies, standards, and procedures should cover access control, network segmentation, data classification, incident response, and disaster recovery.
2. Training: All employees who have access to the data center should be trained on security best practices and the data center’s security policies and procedures. This training should be ongoing and should be updated regularly to ensure that employees are aware of any changes or updates to the data center’s security posture.
3. Incident response: Data centers should have a well-defined incident response plan in place to handle any security breaches or other security-related incidents. This plan should outline the steps to be taken in the event of an incident, including whom to contact, what actions to take, and how to communicate with stakeholders.
4. Disaster recovery: A disaster recovery plan should be in place to define how the organization will respond when a disaster occurs. This plan should be reviewed regularly, especially when the business undergoes a major change, such as a merger and acquisition.

Data centers are critical infrastructures that store and process large amounts of sensitive data. The security of a data center is essential to the confidentiality, integrity, and availability of the data stored within it.

Physical security controls refer to the safeguards implemented to physically protect the data center. These controls are designed to prevent unauthorized data center access and protect against physical threats such as fires, floods, and earthquakes. Some of the key physical security controls to consider when assessing a data center include:

1. Physical barriers: The data center should be protected by physical barriers such as walls, fences, and gates to prevent unauthorized access. These barriers should be sturdy and well-maintained to ensure their effectiveness in keeping unauthorized individuals out.
2. Location: Ensure the data center is not in a location where it is prone to subterranean floods or rooftop leaks.
3. Surveillance: The data center should be equipped with security cameras to monitor activity and identify any potential threats.
4. Security guards: The data center should have trained security guards on site to monitor access and prevent unauthorized entry. These guards should be well-trained and equipped with the necessary tools to ensure that they can effectively protect the data center.
5. Environmental controls: The data center should be protected from environmental threats such as fires, floods, and power outages. This can be achieved through the use of fire suppression systems, backup generators, and other protective measures.

Technical security controls refer to the measures that are put in place to protect the data center from cyber threats. These controls are designed to prevent unauthorized access to the data center and to protect against cyber-attacks such as malware, phishing, and ransomware. Some of the key technical security controls to consider when assessing a data center include:

1. Network security: This involves protecting the data center’s network from external threats, such as threat actors or malware. This can be achieved with firewalls, intrusion detection/prevention systems, and other network security measures.
2. Data security: It is important to protect the data stored within the data center from unauthorized access or tampering. This can be achieved by encryption, access control measures, and data backup and recovery systems.
3. Application security: Applications within the data center should be secured against vulnerabilities and attacks. This can be achieved using secure coding practices, testing, and the implementation of security measures such as web application firewalls.
4. Patch management: It is important to regularly update and patch software and systems within the data center to address any vulnerabilities or bugs. This can be achieved through the use of automated patch management systems and regular testing.

Data centers are critical infrastructures that store and process large amounts of sensitive data. The security of a data center is essential to the confidentiality, integrity, and availability of the data stored within it. When assessing a data center, it is important to consider a range of administrative, physical, and technical security controls to protect against threats to the data center. By implementing these controls and regularly reviewing and updating them, businesses can ensure the security of their data centers and the data they contain.