Image: access door to server room

With the spate of recent news articles about major breaches into the data processing centers of American corporations, the issue of who can gain access to a corporate data center, both physically and remotely, is paramount in people's minds.  There are many, many aspects to this problem, but one of the most important comes down to identity management – verifying who someone really is, and then allowing (or disallowing) access as appropriate.  One critical objective is of course foiling imposters, who might be an employee “borrowing” another user's password, or a true hacker trying to pass themselves off as someone else. Both internal and external threats must be carefully guarded against.

It is broadly recognized that codes, logins and passwords present a great vulnerability.  Any data center access control system which relies only on an easily-communicated piece of information is in jeopardy.  That is why basic security requires the implementation of at least “2-factor” authentication, requiring both “something you know” and “something you have”.  The first, knowable, item may be a secret code or a regularly-updated password.  The second, a physical object, is very often a photo ID card with a securely encoded chip in it.  Other items you have could be a “token” which generates a one-time password, or a cellphone which receives a secure single-use code. “2-factor” greatly raises the barrier against intruders getting into a data center, both physically and remotely.

If even more security is warranted, then “3-factor” authentication is called for.  To the two other items we add biometrics, of which there are numerous options.  Most common are fingerprint readers, but other options include iris scan, vein pattern, hand geometry, facial recognition, etc.  Used in conjunction with a code and/or a card, biometrics can bar entry to all but the most sophisticated attacker.

There are methods of implementing 2-factor and 3-factor authentication both for physically securing the doors into data centers and for remote access over the internet.  Deployment normally entails a non-negligible investment cost, since “quick-and-dirty” barriers will be much easier to overcome.  But well-designed systems will not make daily access by legitimate users more inconvenient, which is the most common complaint heard about enhanced access control systems.  Such complaints, by the way, suddenly cease after the first major breach.