To Live in LA

Thinking about using a data center to ensure that you have optimal security? You might want to think again. A visit to a data center in Los Angeles reveals that physical security is marginal at best.

by Jim Thompson [January 27, 2005]

When data centers first appeared on the scene, they were touted as marvels of high technology secured within bunkers that could, in theory, withstand just about anything short of a direct nuclear blast. Back in those early days, I visited a few of these server security lockers and found an environment that would have made James Bond feel at home. Man traps, motion sensors, carded entry systems, cages, and steel doors were in place to keep prying eyes out and servers secure.

Considering that the last time I was at a data center was nearly six years ago, I decided it was high time to see what new security marvels have been added. I assumed that concerns about terrorism from abroad and identity theft at home would have led to the implementation of even more stringent security than was typical during the pre-2000 boom years.

But I learned otherwise.

My first obstacle was just getting one of the major data centers to give me the time of day. I called Level3, Navisite, and C I Host in the hopes of visiting all of them. Although I have worked with Level3 in the past, the company was completely unresponsive. I tried for nearly two months to get them to just answer my calls or e-mails, but without success. I finally concluded Level3 was simply not interested.

My next call was to Navisite, who expressed interest in letting me visit the company's data center in Los Angeles. Unfortunately, that visit never happened.

By now, I was beginning to wonder if all these delays were part of the 'security' system or if the companies might just be hiding something. In the old days, anyone in a business as competitive as a data center would have jumped at the chance to have their company profiled by a member of the press.

In all fairness, someone from Navisite did send me an e-mail just a few days ago (before this article appeared), saying they were sorry for all the delays. Once again, I received the promise that an appointment for a visit would be setup, but I never got the appointment.

Just as I was ready to forget about any story on physical security at data centers, I got a call from C I Host, a company with data centers in Los Angeles, Dallas, and Chicago, and others being built in London, the New York area, and San Jose. We set the appointment time and I prepared myself to be dazzled.

Security is in the eye of the beholder
The C I Host LA data center is located in the Wilshire area of the city, not far from downtown in a high-rise office building. I was surprised. Heck, I expected them to be in some sort of bunker or, at least, in an isolated building surrounded by grim, professional, military grade security.

Sure, there were guards in the lobby, but this was no different than any other building in a major city like Los Angeles. I saw no evidence of them being armed. In fact, the guards on duty when I arrived seemed more interested in when the donut shipment was going to arrive than in anyone who might want to sneak into the data center on the seventh floor.

C I Host's data center manager, Matthew Rapoport, was not only pleasant, but also very knowledgeable about the technical aspects of data centers, servers, and software.

He took me into the data center, which is located in one of the standard offices in the building. Once again, I was surprised. There was no steel door, no iron gate, or even a man trap guarding the entrance. In fact, the door was what you would find on a standard office or in your own home. My impression was that a hard kick would have brought it crashing down.

There was a lock requiring a card with a magnetic stripe for entry, but this hardly seemed like a major security obstacle for even the most unsophisticated thief.

Once inside, we were confronted with a cage with a magnetic lock encircling the 3,000 to 4,000 square feet of server space. "The lock is the same type used in prisons. It would be nearly impossible for anyone to pick this lock," said Rapoport.

I had no doubt that what he said was right. Still, I wondered how long it would take a couple of beefy guys with bolt cutters to get through the cage.

Rapoport pointed out that they do have cameras allowing staff members to monitor the room and the servers from their office down the hall. Additionally, 12 motion detectors stand guard over the room. Those who want additional piece of mind can have their equipment put in a locked cabinet.

"We do have strong security and we are always vigilant about making sure that all of the servers are secure," said Rapoport. "But, even more important is to insure that all of the systems are up and running all the time and that we have sufficient bandwidth for our clients. I would say that most of our money is spent for high speed lines -- we have three DS-3's here in the Los Angeles center - and backup power. We also have someone on site 24 hours a day, seven days a week who can take care of any problem that might come up."

C I Host's Los Angeles office, which offers a full range of services from colocation to dedicated and enterprise hosting, has three DS-3 lines using redundant carriers (Cogent, Broadwing, and PacBell). They also promise the capacity-load-ratio of their network connectivity is at least 3 to 1. Currently, they have 60 to 70 dedicated severs in their Los Angeles facility. Diesel powered generators and UPS systems keep servers running in the event of a power outage.

The price of insurance
Given the nature of the equipment being secured, the question is just how important are high tech security gadgets? Is anyone really interested in breaking into a data center? It would seem that most thieves would have little or no interest in a break-in.

Computers simply aren't that expensive anymore.

The bigger threat would seem to be from hackers and even the biggest steel door in the world won't keep them out. In an effort to limit attacks, C I Host offers clients a free suite of six software programs that not only provide firewall, automatic backup, pop-up elimination, and anti-adware services (BackupNow, PopUp Killer, CustomFirewall, Ad Blocker, PrivacyProtect, and SuperFTP).

The company also takes a proactive approach to stopping the latest virus, worm, and trojan attacks. C I Host says it was among the first to detect and root out such malicious code as Sasser. "We patched and blocked it at our firewalls and stopped it in its tracks," says Christopher Faulkner, CEO of C I Host. The company also touts its success in blocking the MSBlast (Lovsan) worm, Code Red, and the MyDoom virus, among others.

The company works hard to alert customers about potential threats with white papers and news releases explaining how to stop attacks before they happen. With prices that start at $99 per month, this is a cost effective security system delivering a low price to customers.

It makes you wonder whether physical security is really worth spending money on.

When choosing a data center, you might want to ask how much physical security you really need. If you run a site for a major corporation which has sensitive financial data on the server, then you will definitely want to make sure the data center you use has the latest in security. In that case, be sure to visit the data center before you commit to a contract. There are plenty of data centers around and many of them offer extremely high levels of security.

If, however, you don't think Bond, Goldfinger, SPECTRE, or even Maxwell Smart are out to get you, then slightly less security might mean better connectivity or more bandwidth at a lower price.

—End