In order to keep the risk of physical damage as low as possible, IT racks, as part of critical IT infrastructure, must be adequately secured. This requirement comes from three sources: the IT basic protection compendium of the Federal Office for Information Security (BSI), the standard for security systems in facilities and infrastructures of data centres (DIN EN 50600-2-5), and the General Data Protection Regulation.
The BSI’s IT basic protection compendium points out in module INF.2 that the risk situation increases if access controls are missing or inadequate and unauthorised persons can thus gain access. DIN EN 50600-2-5 also states that mechanical access controls and monitoring should prevent unnecessary or unwanted access to server cabinets.
The General Data Protection Regulation, for its part, requires the physical security of systems, because sensitive personal data is both processed and stored in IT racks. Companies are therefore obliged to protect their data from manipulation, unauthorised access and force majeure. By complying with these requirements, companies also ensure continuity of operations and the functioning of socially and business-critical processes. But what are the concrete factors that need to be taken into account when securing a rack?
Three options for access authentication
First, the rack lock itself should essentially support three authentication mechanisms.
- The most common method today is authentication by means of RFID transponders; the “Mifare Desfire Standard EV2/3” is often used here. The advantage: a single type of transponder can often be used to operate several doors.
- A 4-digit PIN code can serve as a second mechanism; it is often combined with the RFID transponder for two-factor authentication.
- The third option is authentication via the system management software, a smartwatch, a mobile app or a personal digital token. With this option, persons who have already been verified in advance can carry out documented remote openings.
Real-time logging of access
In order to meet the regulatory requirements mentioned above, real-time logging of authorised as well as unauthorised access is essential. Only in this way can the responsible persons guarantee immediate traceability of every access attempt when an incident is later investigated.
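To make the three mechanisms and the logging requirement concrete, here is an added example (not code from the article or from any lock vendor) that models a rack lock's access decision and audit trail: RFID alone, RFID plus PIN as a second factor, and a remote opening restricted to pre-verified persons, with every attempt, granted or denied, written to a log that an incident responder can query by rack and time window. Rack names, transponder UIDs, the PIN and the user names are constructed sample values.

```python
import hashlib
from datetime import datetime

# Constructed sample data: per-rack policy, PIN hashes per transponder and the
# persons pre-verified for documented remote openings via management software.
RACK_POLICY = {
    "RACK-07": {"rfid": {"04A1B2C3"}, "two_factor": True},     # RFID + PIN required
    "RACK-12": {"rfid": {"04A1B2C3", "0455AA11"}, "two_factor": False},
}
# Plain SHA-256 keeps the illustration short; a real lock keeps PIN secrets in a protected store.
PIN_HASHES = {"04A1B2C3": hashlib.sha256(b"4711").hexdigest()}
REMOTE_VERIFIED = {"alice@example"}
AUDIT_LOG = []   # every attempt, granted or denied, is appended here immediately

def _log(rack, method, subject, granted, reason, ts):
    AUDIT_LOG.append({"ts": ts, "rack": rack, "method": method, "subject": subject,
                      "granted": granted, "reason": reason})
    return granted

def open_rack(rack, *, rfid=None, pin=None, remote_user=None, ts=None):
    """Evaluate one access request against the rack's policy; log and return the outcome."""
    ts = ts or datetime.now().isoformat(timespec="seconds")
    policy = RACK_POLICY.get(rack)
    if policy is None:
        return _log(rack, "unknown", rfid or remote_user, False, "unknown rack", ts)
    if remote_user is not None:            # mechanism 3: remote opening, pre-verified persons only
        ok = remote_user in REMOTE_VERIFIED
        return _log(rack, "remote", remote_user, ok, "verified" if ok else "not pre-verified", ts)
    if rfid not in policy["rfid"]:         # mechanism 1: RFID transponder
        return _log(rack, "rfid", rfid, False, "transponder not authorised", ts)
    if policy["two_factor"]:               # mechanism 2: PIN as second factor
        if pin is None or hashlib.sha256(pin.encode()).hexdigest() != PIN_HASHES.get(rfid):
            return _log(rack, "rfid+pin", rfid, False, "PIN missing or wrong", ts)
        return _log(rack, "rfid+pin", rfid, True, "two-factor ok", ts)
    return _log(rack, "rfid", rfid, True, "transponder ok", ts)

def trace(rack, start, end):
    """Traceability query: all attempts on one rack inside an incident window (ISO timestamps)."""
    return [e for e in AUDIT_LOG if e["rack"] == rack and start <= e["ts"] <= end]
```

Because denied attempts are logged alongside granted ones, `trace` shows an investigator both who opened the rack and who tried to.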