An armed attack on a datacentre in Chicago last October has put the physical security of datacentres in the spotlight like never before, and prompted the affected firm to call for a rethink about the risks datacentres face.
The attacked datacentre, which was owned by web hosting and collocation firm C I Host, was targeted by two masked men who pistol-whipped a lone IT staffer working the graveyard shift and then held him hostage for two hours while stealing computer equipment.
While it is rare for datacentres and their employees to be attacked in such a brutal way, IT facilities are already usually designed with physical security in mind, featuring protections such as steel doors, security guards and electronically controlled access mechanisms.
However, the armed robbery has changed how Christopher Faulkner, chief executive of C I Host, views security. Faulkner said this month that he no longer thinks datacentres are as secure as IT managers believe they are, and warned that what happened at his company was a warning of what might lie ahead for other organisations.
"The second someone crosses the line to armed robbery, [risking] a 25- to 50-year prison sentence, to steal some servers, we move into a different realm of security," he said.
When Faulkner tours other datacentres, he looks at their security measures with a different eye from before the robbery at his facility. He imagines someone who is determined to steal or destroy the equipment there.
Most datacentres do not have metal detectors or bomb detection systems, according to Faulkner, who said that he had never been patted down by a security guard when entering a datacentre. "How do they know I don't have five handguns on me, strapped down with explosives?" he asked. "They don't know."
There have been a few scattered reports of robberies at other datacentres, including one last year in London. But William DiBella, president of AFCOM, a professional association in California for datacentre managers, said that he saw little chance of robberies becoming a trend at IT facilities. "Most datacentres are very well-hidden and secure," he said, adding that companies were not going to risk intrusions for fear of losing the business.
But Faulkner thinks that datacentre operators have not planned for the worst possible occurrences, such as terrorist attacks. "Datacentre security, in the past five years, has been about the show for the customer," he said. "If somebody is committed to dying, it's going to be very hard to stop them."
Since the robbery in Chicago, Faulkner has added new undisclosed security measures and trains staffers on how to respond if a similar incident happens again. Training could be boiled down to the following message, he said: "Fully cooperate" with any intruders.
"These are computer geeks," Faulkner said of his employees. "I am not going to be in a business where I'm going to tell someone that their son, daughter or husband was killed for some computers."
The robbers stole from C I Host's Chicago datacentre a number of servers and some networking equipment that belonged to a customer, estimated at between £25,000 and £50,000 if bought new. Police in Chicago have not made any arrests in the case so far, he said.
But John Watters, chairman and CEO of iSight Partners, a security consulting and analysis firm, said that physical security improvements inside datacentres had not changed much over the past five years or so and were not keeping pace with data and network security efforts.
"Physical security budgets aren't growing," Watters said. "As people have gone through extreme measures to secure logical access points to data, they have been remiss to provide the same level of tenacity to the human and physical aspects."