Last October, a data center in Chicago owned by Web hosting and collocation vendor C I Host was robbed by two masked men, who pistol-whipped a lone IT staffer working the graveyard shift and then held him hostage for two hours while stealing computer equipment.
It’s rare for data centers and their employees to be attacked in such a brutal way. Typically, IT facilities are designed with physical security in mind, featuring protections such as steel doors, security guards and electronically controlled access mechanisms.
But the armed robbery at the Chicago data center has changed how Christopher Faulkner, CEO of Dallas-based C I Host, views security. Faulkner said this month that he no longer thinks data centers are as secure as IT managers believe they are, and that he sees what happened at his company as a warning of what may lie ahead for other organizations.
“The second someone crosses the line to armed robbery — [risking] a 25- to 50-year prison sentence — to steal some servers, we’re in a different realm of security now,” he said.
When Faulkner tours other data centers, he looks at their security measures with a much different eye than he did before the robbery at his facility. He imagines someone — a robber, or a terrorist — who is determined to steal or destroy the equipment there.
Most data centers don’t have metal detectors or bomb-detection systems, according to Faulkner, who also said that he has never been patted down by a security guard when entering a data center. “How do they know I don’t have five handguns on me, strapped down with explosives?” he asked. “They don’t know.”
There have been a few scattered reports of robberies at other data centers, including one last year in London. But William DiBella, president of AFCOM, an Orange, Calif.-based professional association for data center managers, said that he sees little chance of robberies becoming a trend at IT facilities.
Data centers are far from low-hanging fruit for robbers, DiBella contended. “Most data centers are very well-hidden and secure,” he said. Moreover, he said, companies simply aren’t going to risk intrusions, for an obvious reason: “Lose data and you can lose the business.”
Nonetheless, Faulkner thinks that data center operators really haven’t planned for the worst possible occurrences, such as terrorist attacks. “Data center security, in the past five years, has been about the show for the customer,” he said. “If somebody is committed to dying, it’s going to be very hard to stop them.”
Since the robbery in Chicago, Faulkner has added new security measures, most of which he declined to specify. The hosting firm, which has two other data centers in Dallas and Los Angeles, also now trains its staffers on how to respond if a similar incident happens again. He said the training can be boiled down to this message: “fully cooperate” with any intruders.
“These are computer geeks,” Faulkner said of his employees. “I am not going to be in a business where I’m going to tell someone that their son, daughter or husband was killed for some computers.”
C I Host’s Chicago data center is in a leased building. The robbers used a hook to lower an old-fashioned fire escape on the side of the building in order to gain access. A guard from a security company wasn’t at his post, Faulkner said, adding that the robbers waited in a hall for the lone employee who was on duty at the time to leave the data center.
Once the robbers accosted and subdued the worker, they swiped his employee badge through a scanner and entered his security PIN code on a keypad outside the door to the data center. The security system then prompted them for a fingerprint scan, which the employee was forced to provide, according to Faulkner.
The robbers stole servers and networking equipment that belonged to a collocation customer and that Faulkner estimated would cost between $50,000 and $100,000 if bought new. Police in Chicago haven’t made any arrests in the case thus far, he said.
Faulkner has hired a private investigation firm to conduct its own inquiry. One of the things the investigators are likely to look at is a break-in at the same data center in 2005. In that incident, someone broke into the facility during the night by cutting through a wall, an effort that may have taken seven hours to complete. At the time, the data center was unmanned at night; it was after the break-in that overnight staffing was added, Faulkner said.
One of the changes that Faulkner has made since the robbery in October is dropping the use of an outside security firm and hiring an armed guard who works directly for the company. “We can control more of what he does,” the CEO said.
But Faulkner added that he doesn’t feel entirely comfortable with the idea of having someone in the data center with a loaded handgun, and that he doesn’t know if even an armed guard could have thwarted the robbers.
John Watters, chairman and CEO of iSight Partners Inc., a Dallas-based security consulting and analysis firm, said that physical security improvements inside data centers haven’t changed much over the past five years or so and aren’t keeping pace with data and network security efforts.
“Physical security budgets aren’t growing,” Watters said. “As people have gone through extreme measures to secure logical access points to data, they have been remiss to provide the same level of tenacity to the human and physical aspects.”
Among the problems that Watters sees is the separation between physical and logical security at many companies. For instance, if someone swipes a card to gain access to a data center but doesn’t log into a system within a given time, that may be an indication that something is out of the ordinary. But if both types of controls aren’t part of an overall security management system, the data center staff may never be aware of such an anomaly.
And that could help open the door to intruders, according to Watters. “The good adversary attacks your weak link,” he said.
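The badge-versus-login correlation Watters describes can be sketched in a few lines. The following is an added example, not code from the article or from any vendor named in it; the event records, user IDs, door and host names, and the 15-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article): (timestamp, user, location).
BADGE_EVENTS = [
    ("2008-01-10T02:05:00", "emp1001", "dc-door-1"),
    ("2008-01-10T02:40:00", "emp1002", "dc-door-1"),
    ("2008-01-10T03:15:00", "emp1001", "dc-door-1"),
]
LOGIN_EVENTS = [
    ("2008-01-10T02:09:30", "emp1001", "console-7"),
    ("2008-01-10T01:50:00", "emp1002", "vpn"),  # earlier than the swipe: no match
]


def parse(ts):
    """Parse an ISO 8601 timestamp into a datetime."""
    return datetime.fromisoformat(ts)


def badge_without_login(badges, logins, window_minutes=15):
    """Return badge reads that no login by the same user follows within the window.

    The window length is an assumed policy value; the article only says
    "within a given time".
    """
    window = timedelta(minutes=window_minutes)

    # Index the logical-access log by user so each swipe is checked only
    # against that user's own logins.
    logins_by_user = {}
    for ts, user, _host in logins:
        logins_by_user.setdefault(user, []).append(parse(ts))

    alerts = []
    for ts, user, door in badges:
        swipe = parse(ts)
        followed = any(
            swipe <= t <= swipe + window for t in logins_by_user.get(user, [])
        )
        if not followed:
            alerts.append({"user": user, "door": door, "swipe": ts})
    return alerts


if __name__ == "__main__":
    for alert in badge_without_login(BADGE_EVENTS, LOGIN_EVENTS):
        print("ANOMALY: badge read with no login in window:", alert)
```

The check only works when the door controller's log and the system login log feed the same place, which is the integration Watters says many companies lack.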