
How mantraps protect data centers from tailgating

When it comes to building security, data centers are more like Fort Knox than one might expect, especially if the facility incorporates mantraps.

 


A huge heat exchanger spewing steam into the cold February morning air was the only thing distinguishing the building I was going to from other nearby buildings. This building was a newly renovated data center that a friend managed, and I was there to check out his toys.

As I walked up to the entrance, I noticed all the empty concrete planters spaced uniformly around the main door. Since this was Minnesota, they were just wide enough for two people or a snowblower to fit through. I remember my friend mentioning the architect called them, "Intrusion protection without sacrificing aesthetics."

While waiting at the front desk, I recalled my friend mentioning the security upgrades that were required due to the facility changing from a multidiscipline building to a mission-critical building. The differences are:

  • Multidiscipline buildings are designed to house a data center plus office space. These facilities can only obtain basic-security ratings due to people working in the building who have jobs that are not related to the upkeep of the data center.
  • Mission-critical buildings are single-purpose facilities. By limiting access to those running the data center and increasing physical security, these buildings can obtain higher security ratings.

My friend finally showed up and asked if I noticed anything different about the atrium. I did notice the floor-to-ceiling turnstile. Here is a list of what I missed:

  • All exterior glass is now bulletproof.
  • All window and door hardware is inside.
  • Fire doors are exit only.
  • Security cameras cover 100 percent of the building grounds.

The next step was signing in at the security desk. The guard asked me for two forms of ID, which I was told I would get back when I left. My driver's license and credit card worked. I had to turn over my phone and any other electronics I had with me, so there went my idea of taking pictures. I was then issued a guest pass card (RFID) specific to me. I used the pass card to get through the turnstile. And I was in, or so I thought.

Mantraps

This data center requires three authentications to get to the most secured area. The first authentication was the turnstile. The next authentication step was the mantrap. To get into the most-secured part of the data center, employees have to get past biometric scanners.


According to my friend, the mantrap was the key component to securing the data center. Mantraps usually consist of a small room with two doors: one connected to the unsecured area and the second opening into the secured area. Gaining access to the mantrap from either the unsecured or the secured side requires using the pass card. If my pass card checks out, the door unlocks, allowing me to enter the mantrap. Once I am inside, the door shuts rather quickly; this prevents tailgating (i.e., having more than one person in the mantrap at a time). With the door shut, I waved my pass card near the reader, and the door to the secure area opened.

The mantrap at the data center I visited was a bit unique—it was what I imagine it would feel like being in a glass jar. Rather than having swinging doors, the glass door rotated out of the way.

I did not think anything of it when my friend asked me to carry a box through the mantrap, as he was carrying his notebook. Once inside, my friend took the box and gave it to his associate, and we proceeded with the tour. 

When it was time to leave, I held my pass card by the reader, and the mantrap door slid open. (Did I mention that I am slightly claustrophobic? Well I am, especially when I'm about to hop into something called a mantrap.) Once inside, the door slid shut. I waved my pass card by the reader, and nothing happened. I waved it again and still nothing. The door would not open.  

I looked up, and my friend had this huge smile on his face. I said something I cannot repeat here. Next, he started to call the security desk, because they were the only ones who could override what I thought was a malfunctioning mantrap. Finally, the door opened, and I jumped out.

After my friend stopped laughing, he explained the mantrap weighs the occupant as a secondary measure against tailgating. A side benefit is that the scale is sensitive enough to tell if someone is leaving carrying more than they came in with, or vice versa. Remember my carrying the box for my friend? Well, I did not have the box coming out, so the mantrap, sensing a different weight, prevented the door from opening and alerted security personnel. I need better friends.
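The weight check described above can be sketched as controller logic. This is an added example, not code from the article or from any mantrap vendor; the class and function names, the 2 kg tolerance, the 180 kg single-occupant ceiling and the sample weights are all assumptions.

```python
from dataclasses import dataclass, field

TOLERANCE_KG = 2.0              # assumed allowance for normal variation
MAX_SINGLE_OCCUPANT_KG = 180.0  # assumed ceiling for one person plus carried items


@dataclass
class MantrapController:
    """Decides whether the second door may open once the first has shut."""
    valid_badges: set
    entry_weight: dict = field(default_factory=dict)  # badge -> kg measured inbound
    alerts: list = field(default_factory=list)

    def _hold(self, badge, reason):
        # Both doors stay locked; only the security desk can override.
        self.alerts.append((badge, reason))
        return "HOLD"

    def second_badge(self, badge, direction, scale_kg, first_door_closed=True):
        if not first_door_closed:
            return self._hold(badge, "interlock: first door not closed")
        if badge not in self.valid_badges:
            return self._hold(badge, "badge rejected")
        if scale_kg > MAX_SINGLE_OCCUPANT_KG:
            return self._hold(badge, "possible tailgating: weight exceeds one occupant")
        if direction == "in":
            self.entry_weight[badge] = scale_kg  # baseline for the exit check
            return "OPEN"
        baseline = self.entry_weight.get(badge)
        if baseline is None:
            return self._hold(badge, "exit without recorded entry")
        delta = scale_kg - baseline
        if abs(delta) > TOLERANCE_KG:
            return self._hold(badge, f"weight changed by {delta:+.1f} kg since entry")
        del self.entry_weight[badge]  # visit complete, baseline no longer needed
        return "OPEN"


def replay_article_visit():
    """Constructed readings: 85 kg visitor carrying a 4.5 kg box in, nothing out."""
    trap = MantrapController(valid_badges={"GUEST-001"})
    inbound = trap.second_badge("GUEST-001", "in", 89.5)
    outbound = trap.second_badge("GUEST-001", "out", 85.0)
    return inbound, outbound, trap.alerts
```

The same comparison catches the reverse case, someone leaving heavier than they arrived, because the check is on the absolute difference.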

Final thoughts

I was impressed. I've watched movies where a super-stealthy spy tailgates into a secure facility and has the run of the place. That's not likely at this data center from what I saw. I can also see why bad guys, if at all possible, get what they want using the Internet.

 

 


22 comments
mcijeffb

While I appreciate the measures to keep undesired guests out, I resent the cell phone and credit card activities. You REALLY need to trust your poorly paid desk personnel to trust them with valid physical credit cards, including the security code printed on the back. Taking my cell phone does absolutely nothing to prevent malicious photography from pens, watches, etc., does not prevent USB devices hidden as everyday devices from entering, it sounds like a tablet can enter, so computing devices aren't forbidden. What REAL purpose does using "honesty" as a way of prohibiting cell phones accomplish? Please don't radio signals from these devices as a dishonest rationale.


wendygoerl

I find this kind of security more disturbing than reassuring. Always worrying about whether you're carrying too many papers--or drank too much coffee--and getting caught in the mantrap... the good guy getting caught by a glitch while a good hacker gets through...

Seriously, if it's digital, it's defeatable to someone determined enough, while the human watchdogs get complacent by their "foolproof" security.

And unfortunately, it's the kind of security that government will likely want to push on lower and lower-risk facilities, so the odds of an employee having to deal with it are only going to increase.

aos168b

Hi Michael,

Is there a provision for emergency egress from such a secured building, in the event of fire, earthquake or some other disaster? It would seem like the local Fire Department would require such egress, that does not allow slowing people down from mantraps.

Craig_B

I used to work at a safe deposit vault that had a mantrap, of course they also had an armed guard who decided to let you out of the mantrap and proceed or let you stay in there while they called the police if things were not correct. 

jp-dutch

So if you have to take a leak while visiting the facilities, you have a problem too :)

protectandaccess

I know data center security is good and hard to break. But I can't say I am satisfied. I always suggest "biometric" security for sensitive areas like data centers. I read books about biometric security; fingerprint, retina check, etc. will be excellent for your friend's data center. There is almost 0% chance of vulnerability or theft. Best of luck, have a good day.


quantumpcsupport

I am also impressed. A data center's security must be like this, because the data or information of companies or organizations is invaluable. I really liked the functionality of mantraps; I heard about that but had no idea how it operates. This brief but to-the-point explanation made the conception clear. Breaking such storing security check is next to impossible and I think the guy must be a genius in technology. I hope if such a person exists he will not be involved in such unethical activity.

angry_white_male

They have these mantraps at the exit of the concourses at the Syracuse Hancock International Airport. This way they don't have to pay TSA people to man the exits. Walk in, door to concourse closes, slight pause, door to main airport terminal opens.


Nahuel Arosemena Siburu

Facility planning and strategic planning. Forecasting needs and future tools for design the equipment.

gep2

Presumably the "mantrap scales" allow for enough variability to account for drinking fountains, restroom visits, and the like...!

Michael Kassner

@wendygoerl  


Good points, Wendy


I've looked but have not found any reference of a data center physically broken into. So, I am assuming that what they are doing is good enough. Or, the bad guys can get what they want via connections to the Internet. 

thecactusman17

@aos168b  Per his statements in the article and per standard building fire codes in the United States, there would be emergency exits.  However, they would likely be one-way so as to prevent someone from trying to enter the facility through them.  In an emergency, there are usually alternative means of allowing emergency personnel into the building, such as unlocking particular routes into the building remotely for firemen or EMTs. These routes can then be monitored to prevent unauthorized access.

Michael Kassner

@jp-dutch  


Funny you should ask. My friend did tell me that they do have completely separate bathrooms for guests. If I understand correctly that is a regulation they had to abide by in order to get certified. 

Michael Kassner

@gep2  


That is a good point. If I had to guess the box weighed close to ten pounds. I'm sure my friend had it figured out so it would be enough to make sure I'd get a surprise. 

mcijeffb

@Michael Kassner @wendygoerl  It happens with an incredible frequency, whether malicious or not.  The one thing that is virtually impossible to secure against is a person with physical access.  ANY security plan needs to start with physical security.

