Standard-compliant planning of security systems in the data center
Data centers are responsible for ensuring that the economy and society function smoothly. Such a high-performance and highly available infrastructure must be adequately protected.
Data centers sometimes appear very spectacular and obvious, but much more often they are hidden somewhere and not easily visible to the public. Whatever the case, all these infrastructures need a holistic security and availability concept. While best-practice solutions were generally used until around 15 years ago, a series of standards has since developed into the state of the art which, among other things, regulates the topic of access control in a holistic and risk-based manner. We are talking about the EN 50600 series, which is now also becoming increasingly popular as the globally valid ISO 22237 series of standards.
Knowing more than just individual standards
In order to take a holistic view of access control concepts for data centers, it is not enough to know just the one individual standard that deals with security systems. Instead, the series of standards takes into account the structural, technical and organizational facets of the topic in several documents. For example, Part 1 of the series of standards, which describes general concepts, contains important specifications on the structure of protection zones and the design of the security architecture. Part 2-1 of the series of standards also deals with building design and consequently also focuses on access control. Finally, the technical aspects are dealt with in Part 2-5.
This heterogeneity may seem confusing at first glance, but it can be explained by the holistic nature of a topic such as access control. Anyone who does not clearly define the zone concept at the very beginning and does not implement zone transitions appropriately with structural measures can only plug holes with a technical access control system and thus only achieve inconsistent and unsatisfactory results. In this respect, the methodology described is only logical, as it ensures that a wide variety of structural and technical systems can map appropriate security processes in a homogeneous and coordinated manner. Incidentally, this applies not only to access control systems, but also to many other security and availability-related issues.
Risk-oriented approach
Specifically, EN 50600-1 describes how to determine the basis for all further security measures. The standard is consistently based on a risk-oriented approach. This means that a risk assessment, which considers the effects of a potentially damaging event on the one hand and its probability of occurrence on the other, forms the basis for classifying the relevant site:
- for technical availability classes and
- for a security-related protection class concept
All areas of a data center are assigned to specific protection classes regardless of their size, resulting in protection zones. The protection class in turn determines the requirements for:
- Protection against unauthorized access
- Burglary protection
- Protection against internal and external environmental events
This means that specifications for the construction of boundaries between the protection zones as well as requirements for active and passive measures to support the protection classes from a structural and technical point of view are provided right at the start of the planning process.
EN 50600-2-1 then quantifies and describes the topic by specifying the design of the identifiable physical barriers for protection classes 1 to 4. Each protection class is assigned corresponding qualities as minimum requirements, which are derived from EN 1627 and the resistance classes (RC classes) defined there.
The description is divided into the two main categories of external areas and building construction. The distinction is important, as the referencing of fences and the like to EN 1627 is not entirely methodologically correct; EN 1627 actually applies to elements that are built into walls. However, the methodology of resistance times is deliberately projected onto fences and the like, which is a perfectly legitimate and comprehensible approach.
In the statements for both areas, the requirements are then roughly congruent: For the first two protection zones seen from the outside, in which protection classes 1 and 2 apply, the use of elements in resistance class RC 2 or its equivalent is recommended as described. For higher zones in protection classes 3 and 4, protection to resistance class RC 2 or equivalent is required and protection to resistance class RC 3 or equivalent is recommended.
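The barrier qualities quoted above can be turned into a plan review. The following is an added example, not taken from the standard or from the author: the zone names, the sample plan and the rule that each step inward may raise the protection class by at most one are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Protection class -> (required RC, recommended RC) as quoted in the article;
# None means the article states no hard minimum for that class.
BARRIER_RULES = {1: (None, 2), 2: (None, 2), 3: (2, 3), 4: (2, 3)}

@dataclass(frozen=True)
class Zone:
    name: str
    protection_class: int        # 1..4
    barrier_rc: int              # RC class (or equivalent) of the enclosure
    entered_from: Optional[str]  # enclosing zone; None = public space off site

def review_plan(zones):
    """Return (zone, severity, message) findings for a zone plan."""
    by_name = {z.name: z for z in zones}
    findings = []
    for z in zones:
        required, recommended = BARRIER_RULES[z.protection_class]
        if required is not None and z.barrier_rc < required:
            findings.append((z.name, "violation",
                             f"barrier RC {z.barrier_rc} is below required RC {required}"))
        elif z.barrier_rc < recommended:
            findings.append((z.name, "advice",
                             f"barrier RC {z.barrier_rc} is below recommended RC {recommended}"))
        # Assumed onion-skin rule: each step inward raises the class by at most one.
        outer = by_name[z.entered_from].protection_class if z.entered_from else 0
        if z.protection_class > outer + 1:
            findings.append((z.name, "violation",
                             f"class {z.protection_class} zone is entered directly from class {outer}"))
    return findings

# Constructed site plan for illustration.
SAMPLE_PLAN = [
    Zone("perimeter", 1, 2, None),
    Zone("lobby", 2, 1, "perimeter"),
    Zone("corridor", 3, 2, "lobby"),
    Zone("server_room", 4, 1, "corridor"),
    Zone("dock_cage", 4, 3, "perimeter"),
]

if __name__ == "__main__":
    for finding in review_plan(SAMPLE_PLAN):
        print(*finding, sep=": ")
```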
Four access control levels
EN 50600-2-5 goes into more detail about the protection zones, specifically assigning typical areas to the protection classes:
- Class 1 corresponds to public or semi-public areas.
- Class 2 corresponds to an area that is only accessible to authorized persons.
- Class 3 is likewise accessible only to authorized persons, although their number is reduced.
- Class 4 continues this reduction.
The increasing protection classes are associated with increasing access control measures. Areas that require the highest level of protection against unauthorized access are placed in the highest protection class. This corresponds to the well-known concept of the onion-skin principle.
In terms of specific access control measures, there are four levels of access control:
- Identification
- One-factor authentication
- Two-factor authentication
- Preventing unauthorized persons from entering through separation systems
Various spatial situations that play a role in the access concept are also covered. These include:
- Access roads
- Parking lots
- Separate access areas for employees and visitors
- Server cabinets and racks
Furthermore, the specific implementation of protective measures within the individual protection classes is specified in more detail. While the whole thing is still somewhat unspecific in protection class 1, specific technical access control measures are required from protection class 2 at the latest. Naturally, the measures become increasingly specific in the higher protection classes.
Technical requirements
A further chapter of the standard sets out requirements for technical systems. In addition to video surveillance systems and intruder and hold-up alarm systems, access control systems are also treated as technical systems, but only on half a page. A reference to other relevant EN standards, in particular EN 60839-11, has sensibly been included here, but unfortunately without a direct reference to the various classes and categories found in that series of standards. Anyone familiar with the EN 60839 series knows how specifically systems can be planned. Ultimately, there is still a clear lack of substance here; it could be remedied, for example, by correlating the protection classes with the various characteristics from the aforementioned standard.
The topic concludes with a list of the requirements to be taken into account, namely:
- Type of control
- Directionality
- Prevention of repeated access and repeated use
- Alarm triggered in the event of an unauthorized access attempt
- Application of time-controlled access controls
Ultimately, it becomes clear here that a planner cannot simply read off his individual approach from a standard, but rather receives numerous points of reference as to which topics he has to deal with.
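How the listed requirements interact in a single access decision is shown in the following added example, which is not taken from the standard or from the author. The door names, badge IDs, time windows and events are constructed; tracking each badge's current zone is one assumed way to enforce both directionality and the prevention of repeated use (often called anti-passback).

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Door:
    name: str
    from_zone: str          # directionality: a door is passed one way only
    to_zone: str
    factors_required: int   # type of control: 1 = one-factor, 2 = two-factor
    open_from: time         # time-controlled access window
    open_until: time

class AccessController:
    def __init__(self, doors, authorizations):
        self.doors = {d.name: d for d in doors}
        self.authorizations = authorizations  # badge -> zones it may enter
        self.location = {}                    # badge -> zone it was last let into
        self.alarms = []                      # one entry per refused attempt

    def request(self, badge, door_name, factors, at):
        door = self.doors[door_name]
        here = self.location.get(badge, "outside")
        if door.to_zone not in self.authorizations.get(badge, set()):
            reason = "not authorized for zone"
        elif factors < door.factors_required:
            reason = "insufficient authentication"
        elif not (door.open_from <= at <= door.open_until):
            reason = "outside time window"
        elif here != door.from_zone:  # badge is not on the entry side of the door
            reason = "repeated use or wrong direction"
        else:
            self.location[badge] = door.to_zone
            return "granted"
        self.alarms.append((at, badge, door_name, reason))
        return "denied: " + reason

def run_sample():  # constructed doors, badges and events
    doors = [Door("lobby_in", "outside", "lobby", 1, time(6), time(20)),
             Door("dc_in", "lobby", "server_room", 2, time(8), time(18)),
             Door("dc_out", "server_room", "lobby", 1, time(0), time(23, 59))]
    ctl = AccessController(doors, {"B-1001": {"lobby", "server_room"}, "B-2002": {"lobby"}})
    events = [("B-1001", "lobby_in", 1, time(9, 0)), ("B-1001", "lobby_in", 1, time(9, 1)),
              ("B-1001", "dc_in", 1, time(9, 5)), ("B-1001", "dc_in", 2, time(9, 6)),
              ("B-2002", "lobby_in", 1, time(9, 10)), ("B-2002", "dc_in", 2, time(9, 11)),
              ("B-1001", "dc_out", 1, time(19, 0)), ("B-1001", "dc_in", 2, time(19, 5))]
    return [ctl.request(*e) for e in events], ctl.alarms

if __name__ == "__main__":
    print(*run_sample()[0], sep="\n")
```

Every refused attempt is appended to `alarms`, which covers the requirement that an unauthorized access attempt triggers an alarm.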
EN 50600-3-1 describes processes and procedures for the operation and maintenance of systems. Because these topics are the responsibility of the operator, it is all the more valuable that the inclusion of the topic in the series of standards ensures that the concepts and approaches are continued even after the planning and implementation processes have been completed. It is also always helpful for the numerous subsequent audits and certifications to be guided by the state of the art, which is definitely represented by the series of standards.
The bottom line is that the planning of access control systems in data centers in accordance with the aforementioned standards is essentially based on common sense. All measures, whether of a structural, technical or organizational nature, are justified by an initial risk analysis in which the probability of occurrence and potential level of damage are considered. From this analysis, a concept must be developed that applies holistically to all security measures. In particular, the boundaries between the individual zones must be equipped with specific structural and technological systems in accordance with the onion-skin principle, so that the most critical area is preceded by several other protection zones.
For experienced planners, this methodology is nothing new, but the series of standards now clearly represents the state of the art. In this respect, it is another important tool for consultants and planners of security systems and will become increasingly important in the area of high-availability IT infrastructure in the future.
About the author: Jörg Schulz is a safety consultant at VZM GmbH. He has been a member of various standards committees for the EN 50600 series for many years, including in the field of electrical engineering and security systems.