INF.2 Data Center and Server Room

Description

Introduction

Today, almost all strategic and operational functions and tasks are significantly supported by information technology (IT) or cannot be carried out without IT. As a result, the demands on the performance and availability of IT systems and their connectivity to the network environment are constantly increasing. To meet this performance demand, to maintain adequate reserves, and to operate IT economically, institutions of all sizes concentrate their IT landscape in data centers.

A data center (DC) is defined as follows:

  1. If an IT-using institution has only one central IT operations area, it together with the necessary support areas is in principle always to be treated as a DC in accordance with the relevant protection needs. “IT operations area” refers to rooms in which hardware is installed and operated that provides services and data. In addition to the IT operations area, the DC encompasses all other technical support areas (e.g., power supply, cooling, suppression systems, security technology) that serve the intended operation and security of the IT operations area.
  2. If the institution’s IT is distributed across several areas within a building or premises and these areas are connected to one another and to IT users via in-house LAN connections, at minimum the functionally most significant of these areas is to be treated as a DC. Furthermore, areas on which 50% or more of IT users depend for proper operation, or from which 50% or more of services and data (measured against the total of all areas) are provided, are to be treated as a DC.
  3. If the IT-using institution is located at several spatially separate sites interconnected by other than in-house LAN connections, each site is to be considered and treated separately in accordance with (1).
  4. An IT operations area in which IT required for critical business processes (processes whose disruption or failure would lead to significant impairment of an institution’s primary mission) is located is always to be treated as a DC, regardless of size or the proportional rules in (2).
  5. IT operations areas from which services or service deliveries are provided for third parties are always to be considered part of a DC. It is irrelevant whether this is done for payment or not.
  6. If there is a justified interest in treating an IT operations area together with its support area as a server room, deviating from the foregoing rules, this must be justified along with the resulting reductions in security requirements.

The listing of six points does not mean that all points must be satisfied simultaneously for an area to be considered a data center. Rather, each point describes one situation in which an area is to be regarded as a DC. An IT operations area that meets none of these criteria is referred to as a server room. This definition is based exclusively on the significance of the IT structure for the institution's mission and is thus in methodological alignment with DIN EN 50600.

If a server room is to be secured, the requirements of this building block may be reduced accordingly. However, this must be justified in a sound and comprehensible manner (6) and at minimum the basic requirements must be implemented.

Objective

This building block is aimed on the one hand at institutions that operate a data center and wish to verify within a review whether they have implemented appropriate security measures. On the other hand, the building block can also be used to estimate the security measures that must be implemented when IT is to be centralized in a data center. The primary goal of the requirements described in this building block is to ensure the secure operation of the data center.

Scope and Modeling

The building block INF.2 Data Center and Server Room is to be applied to every data center and every server room.

This building block is not suitable for small information domains with, for example, only one or very few servers or IT systems. An example is a small institution with few IT workstations and a server operated in a separate room. In such cases, it is often sufficient to implement the building block INF.5 Room and Cabinet for Technical Infrastructure.

Requirements for buildings and cabling in general are not part of this building block. These are found in the building blocks INF.1 General Building and INF.12 Cabling, which are always to be applied to rooms and buildings or cabling respectively.

In order to keep this building block manageable, technical details and planning parameters have been deliberately omitted. Relevant standards and further BSI publications provide more detailed information.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance for the building block INF.2 Data Center and Server Room.

Faulty Planning

If a data center is designed without considering how to protect it against elementary threats, the risk of failure is very high. For example, site risks such as air traffic, earthquakes, or flooding can jeopardize operational safety and availability. It can be equally serious if insufficient bandwidth is available or the power supply at the chosen site is inadequate due to faulty design.

Missing or Inadequate Access Controls

If access controls are absent or inadequate, the risk increases that unauthorized persons enter the data center and cause damage through negligence — for example due to lack of specialist knowledge — or deliberately. Attackers can, for example, steal sensitive data, remove equipment, or manipulate servers. Inadequate access controls thus affect the availability, confidentiality, and integrity of data and IT components.

Insufficient Monitoring

If the IT and infrastructure operated in the data center are inadequately monitored and attended to, components can fail unnoticed. This can significantly impair the availability and error-free operation of the data center. Failures often occur gradually. Without active monitoring, these might be noticed too late. It may then no longer be possible to respond in time.

Inadequate Air Conditioning in the Data Center

IT components require specific operating conditions to function reliably. They also convert the electrical power they consume into additional heat. If the temperature, humidity, or particulate content in an IT operations area are not kept within the limits prescribed by equipment manufacturers, this can lead to technical components failing to function properly or failing completely.

Fire

Although fire is a hazard that occurs relatively rarely, when a fire does break out it usually has severe consequences, since fire and smoke can cause extensive damage. While electrical fires are the most common cause of fire within IT operations areas, a fire outside the IT operations area — particularly in support areas such as power supply (including generators and UPS) or air conditioning — can have numerous other causes. If the IT operations area or support areas as well as neighboring areas have no or only inadequate fire protection, a fire can spread rapidly. Additionally, fires starting elsewhere could spread to the data center.

Water

Water can enter the data center through leaking water pipes, flooding, pipe bursts, or defective sprinkler or air conditioning systems. This can damage equipment and render it non-functional. A short circuit may also be triggered, causing individual sections of the data center to fail or a fire to start.

Absent or Inadequate Burglary Protection

Even with a well-functioning access control system in place, unauthorized persons can break into a data center if it is not adequately protected against intrusion. Perpetrators could, for example, steal or manipulate IT components and gain access to confidential information. They could also destroy equipment or damage the data center as a whole.

Power Failure

When the power fails, the operational continuity of a data center — and thus the institution — can be severely disrupted. In the event of a power failure, IT services provided by the data center may suddenly become unavailable. Data can also be lost. Furthermore, a sudden power failure can damage IT systems, telecommunications systems, or monitoring technology.

Contamination

Dust and other contaminants in a data center can cause technical components (e.g., fans) to stop working. Contamination causes equipment to wear out earlier and fail more frequently.

Requirements

The following are the specific requirements of the building block INF.2 Data Center and Server Room. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. They should be filled where meaningful and appropriate.

Responsibilities / Roles:
Primarily responsible: IT Operations
Additional responsibilities: Employees, Planners, Data Protection Officer, Facility Management, Maintenance personnel

Exactly one role should be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a specific requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not imply anything about the number of persons filling these roles.

Basic Requirements

The following requirements MUST be met as a priority for this building block.

INF.2.A1 Definition of Requirements (B) [Facility Management, Planners]

Appropriate technical and organizational requirements MUST be defined and implemented for a data center.

When planning a data center or selecting suitable premises, appropriate security measures MUST also be planned, taking into account the protection needs of IT components (in particular availability).

A data center MUST be conceived overall as a closed security zone. It MUST also feature different security zones. For this purpose, management, logistics, IT operations, and support areas MUST be clearly separated from one another. In the case of a server room, it SHOULD be examined whether different security zones can be established.

INF.2.A2 Formation of Fire Sections (B) [Planners]

Appropriate fire and smoke sections MUST be defined for the premises of a data center. The fire and smoke sections MUST provide protection for the technical equipment contained therein and its availability beyond the framework prescribed by building law. The spread of fire and smoke MUST be prevented. In the case of a server room, it SHOULD be examined whether suitable fire and smoke sections can be established for the premises.

INF.2.A3 Use of an Uninterruptible Power Supply (B) [Facility Management]

An uninterruptible power supply (UPS) MUST be installed for all operationally relevant components of the data center. Since the power demand of air conditioning systems is often too high for a UPS, at minimum the control systems of the air conditioning units MUST be connected to the uninterruptible power supply. In the case of a server room, whether operating a UPS is necessary SHOULD be examined depending on the availability requirements of the IT systems.

The UPS MUST be appropriately dimensioned. When relevant changes are made to the loads, it MUST be verified whether the existing UPS systems are still adequately dimensioned.

For UPS systems with battery as energy storage, the battery MUST be kept within the required temperature range. For this purpose, it SHOULD preferably be located in a separate space from the UPS power electronics. The UPS MUST be regularly maintained and tested for functionality. The maintenance intervals specified by the manufacturer MUST be adhered to.

INF.2.A4 Emergency Power Shutdown (B) [Facility Management]

There MUST be appropriate means of de-energizing electrical consumers in the data center. Care MUST be taken as to whether and how an existing UPS is spatially and functionally integrated into the power supply. If conventional emergency stop switches are used, care MUST be taken that they do not shut down the entire data center. The emergency shutdown MUST be meaningfully partitioned and targeted. All emergency stop switches MUST be protected so that they cannot be operated inadvertently or without authorization.

INF.2.A5 Compliance with Air Temperature and Humidity (B) [Facility Management]

It MUST be ensured that the air temperature and humidity in the IT operations area remain within the prescribed limits. The actual heat load in the cooled areas MUST be checked at regular intervals and after major renovations.

Existing air conditioning MUST be regularly maintained. The parameters of temperature and humidity MUST be recorded at minimum in such a way that it is possible to determine retrospectively whether limit values were exceeded and to support the identification and rectification of the cause of any deviation.

INF.2.A6 Access Control (B) [Facility Management]

Access to the data center MUST be controlled. Access rights MUST be granted in accordance with the requirements of the building block ORP.4 Identity and Access Management. For persons working in the data center, it MUST be ensured that they do not gain access to IT systems outside their area of activity.

All access points to the data center MUST be equipped with access control systems. Each access to the data center MUST be individually recorded by the access control system. In the case of a server room, it SHOULD be examined whether monitoring all access points is appropriate.

It MUST be regularly checked whether the regulations for use of an access control system are being observed.

The institution’s requirements for an access control system MUST be documented in sufficient detail in a concept.
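The recording and regular checking that INF.2.A6 calls for only pays off if someone actually evaluates the access log against the authorization list. The following is an added example (not part of INF.2 or any BSI publication) that audits constructed badge-reader log lines: it flags accesses granted to a zone the person is not authorized for (reader configuration drifted from the access concept), a second entry without an intervening exit (tailgating or an unlogged exit), exits without entries, badges unknown to the authorization list, and repeated denied attempts. The log format, zone names, badge IDs, the authorization table and the denial threshold are assumptions made for the example.

```python
"""Audit constructed badge-reader log lines against an authorization list.

Added example, not part of INF.2. Log format, zone names, badge IDs,
AUTHORIZED_ZONES and DENIED_THRESHOLD are assumptions for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log lines: timestamp badge zone direction result
SAMPLE_LOG = """\
2024-03-04T08:01:12 B1001 IT-OPS-1 IN GRANTED
2024-03-04T08:03:40 B2002 SUPPORT-UPS IN GRANTED
2024-03-04T08:05:02 B1001 IT-OPS-1 OUT GRANTED
2024-03-04T08:10:15 B1001 IT-OPS-1 IN GRANTED
2024-03-04T08:11:09 B1001 IT-OPS-1 IN GRANTED
2024-03-04T08:20:33 B3003 IT-OPS-1 IN DENIED
2024-03-04T08:20:51 B3003 IT-OPS-1 IN DENIED
2024-03-04T08:21:07 B3003 IT-OPS-1 IN DENIED
2024-03-04T08:30:00 B2002 IT-OPS-1 IN GRANTED
"""

# Assumed authorization table (the output of the ORP.4 process): badge -> zones it may enter.
AUTHORIZED_ZONES = {
    "B1001": {"IT-OPS-1"},
    "B2002": {"SUPPORT-UPS"},   # facility technician, no access to the IT operations area
    "B3003": set(),             # badge known, but no data center zones assigned
}
DENIED_THRESHOLD = 3            # assumed: this many denials by one badge is worth a look


def parse_log(text):
    """Parse 'timestamp badge zone direction result' lines, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, zone, direction, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "zone": zone, "direction": direction, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def finding(kind, event):
    return {"kind": kind, "badge": event["badge"], "zone": event["zone"], "ts": event["ts"]}


def audit(text):
    """Return a list of findings for the given log text."""
    findings = []
    inside = defaultdict(set)   # badge -> zones the log currently records it inside
    denials = Counter()
    for e in parse_log(text):
        badge, zone = e["badge"], e["zone"]
        if e["result"] != "GRANTED":
            denials[badge] += 1
            continue
        if badge not in AUTHORIZED_ZONES:
            findings.append(finding("unknown_badge", e))
        elif zone not in AUTHORIZED_ZONES[badge]:
            # The reader granted an access the authorization list does not cover:
            # reader configuration and access concept have drifted apart.
            findings.append(finding("outside_authorized_zones", e))
        if e["direction"] == "IN":
            if zone in inside[badge]:
                # Two entries without an exit in between: someone passed the door
                # without badging (tailgating) or the exit was not logged.
                findings.append(finding("reentry_without_exit", e))
            inside[badge].add(zone)
        elif e["direction"] == "OUT":
            if zone not in inside[badge]:
                findings.append(finding("exit_without_entry", e))
            inside[badge].discard(zone)
    for badge, n in denials.items():
        if n >= DENIED_THRESHOLD:
            findings.append({"kind": "repeated_denials", "badge": badge,
                             "zone": None, "ts": None, "count": n})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

On the constructed log the audit reports three findings: B2002 granted into IT-OPS-1 although only authorized for SUPPORT-UPS, B1001 entering IT-OPS-1 twice without an exit, and three denials for B3003. Each of these is a case where the access log alone is not enough; the finding only appears once the log is compared with the documented access concept.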

INF.2.A7 Locking and Securing (B) [Employees, Facility Management]

All doors of the data center MUST be kept locked at all times. Windows SHOULD be avoided at the planning stage wherever possible. If they do exist, they MUST be kept locked at all times just like the doors. Doors and windows MUST offer protection against attacks and environmental influences appropriate to the security level. They MUST be fitted with privacy screening. It MUST be noted that the structural design of all room-forming elements must be equivalent with respect to the required level of protection.

INF.2.A8 Use of a Fire Alarm System (B) [Planners]

A fire alarm system MUST be installed in a data center. It MUST monitor all areas. All signals from the fire alarm system MUST be forwarded in an appropriate manner (see also INF.2.A13 Planning and Installation of Hazard Detection Systems). The fire alarm system MUST be regularly maintained. It MUST be ensured that there are no particular fire loads in the rooms of the data center.

INF.2.A9 Use of a Suppression or Fire Prevention System (B) [Facility Management]

In a data center, either a suppression or fire prevention system complying with the current state of the art MUST be installed, or through technical measures (particularly comprehensive early fire detection, see INF.2.A17 Early Fire Detection) and organizational measures (trained personnel and response plans for early fire detection alerts), it MUST be ensured that alerts from early fire detection are responded to immediately (within a maximum of 3 minutes) with damage-minimizing measures.

In server rooms without a suppression or fire prevention system, portable fire extinguishers with suitable extinguishing agents MUST be available in sufficient number and size. It MUST be noted that additional fire protection requirements under building law regarding the provision of portable fire extinguishers remain unaffected. The fire extinguishers MUST be placed so that they are easily accessible in the event of fire. Each fire extinguisher MUST be regularly inspected and maintained. All employees who are allowed to enter a data center or server room MUST be trained in the use of portable fire extinguishers.

INF.2.A10 Inspection and Maintenance of Infrastructure (B) [Maintenance personnel, Facility Management]

For all components of the structural-technical infrastructure, at minimum the inspection and maintenance intervals and requirements recommended by the manufacturer or stipulated by standards MUST be adhered to. Inspections and maintenance work MUST be logged. Fire barriers MUST be checked for integrity. The results MUST be documented.

INF.2.A11 Automated Monitoring of Infrastructure (B) [Facility Management]

All infrastructure facilities, such as leak detection, climate, power, and UPS systems, MUST be automatically monitored. Detected faults MUST be forwarded and processed as quickly as possible in an appropriate manner.

In the case of a server room, IT and support equipment that does not need to be operated on-site or only rarely SHOULD be equipped with a remote fault indicator. The responsible employees MUST be alerted promptly.
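INF.2.A5 requires that temperature and humidity be recorded so that limit violations can be determined retrospectively, and INF.2.A11 requires that infrastructure be monitored automatically and faults forwarded promptly. The following added example (not part of INF.2 or any BSI publication) shows both over constructed sensor readings: it derives the intervals during which a zone was outside its limits (with the peak value, for the retrospective check), raises a rate-of-rise alert when temperature climbs quickly within a window (catching a degrading cooling unit before the absolute limit is crossed, which addresses the "failures often occur gradually" point), and reports zones whose sensor has gone silent, since a silent sensor is a monitoring fault rather than a healthy zone. The limits, thresholds, window lengths, zone names and log format are assumptions standing in for the manufacturer-prescribed values the requirement refers to.

```python
"""Environmental monitoring over constructed sensor readings.

Added example, not part of INF.2. LIMITS, RISE_WINDOW, RISE_ALERT_C,
STALE_AFTER, zone names and the reading format are assumptions made for
the example; real limits come from the equipment manufacturers.
"""
from datetime import datetime, timedelta

LIMITS = {"temp_c": (18.0, 27.0), "rh_pct": (20.0, 60.0)}  # assumed operating band
RISE_WINDOW = timedelta(minutes=10)   # window for rate-of-rise detection
RISE_ALERT_C = 3.0                    # rise within the window that signals failing cooling
STALE_AFTER = timedelta(minutes=5)    # a zone silent longer than this is a monitoring fault

# Constructed readings: timestamp zone temp_c rh_pct. ROW-A's cooling degrades
# gradually; ROW-B's sensor stops reporting after 10:05.
SAMPLE_READINGS = """\
2024-03-04T10:00 ROW-A 22.0 45
2024-03-04T10:00 ROW-B 23.0 44
2024-03-04T10:05 ROW-A 22.5 45
2024-03-04T10:05 ROW-B 23.0 44
2024-03-04T10:10 ROW-A 24.2 46
2024-03-04T10:15 ROW-A 26.0 47
2024-03-04T10:20 ROW-A 27.8 48
2024-03-04T10:25 ROW-A 28.5 49
2024-03-04T10:30 ROW-A 26.5 48
"""


def parse_readings(text):
    """Parse lines into (timestamp, zone, {metric: value}) tuples sorted by time."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, zone, temp, rh = line.split()
        rows.append((datetime.fromisoformat(ts), zone,
                     {"temp_c": float(temp), "rh_pct": float(rh)}))
    return sorted(rows, key=lambda r: r[0])


def check_limits(readings):
    """Intervals during which a (zone, metric) was outside its band, with the peak
    excursion; an interval still open at the end of the log has end=None."""
    open_intervals, closed = {}, []
    for ts, zone, vals in readings:
        for metric, (lo, hi) in LIMITS.items():
            value = vals[metric]
            excursion = max(lo - value, value - hi)   # > 0 when outside the band
            key = (zone, metric)
            if excursion > 0:
                cur = open_intervals.get(key)
                if cur is None:
                    open_intervals[key] = {"zone": zone, "metric": metric, "start": ts,
                                           "end": None, "peak": value, "_exc": excursion}
                elif excursion > cur["_exc"]:
                    cur["peak"], cur["_exc"] = value, excursion
            elif key in open_intervals:
                cur = open_intervals.pop(key)
                cur["end"] = ts          # first reading back inside the band
                closed.append(cur)
    closed.extend(open_intervals.values())
    for interval in closed:
        interval.pop("_exc")
    return sorted(closed, key=lambda i: i["start"])


def check_rate_of_rise(readings):
    """Alert when temperature rises by RISE_ALERT_C or more within RISE_WINDOW."""
    history, alerts = {}, []
    for ts, zone, vals in readings:
        samples = history.setdefault(zone, [])
        samples.append((ts, vals["temp_c"]))
        while samples and ts - samples[0][0] > RISE_WINDOW:
            samples.pop(0)               # keep only samples inside the window
        rise = vals["temp_c"] - samples[0][1]
        if rise >= RISE_ALERT_C:
            alerts.append({"zone": zone, "ts": ts, "rise_c": round(rise, 1)})
    return alerts


def check_stale(readings, now=None):
    """Zones whose most recent reading is older than STALE_AFTER relative to now
    (default: the latest timestamp in the log)."""
    last_seen = {}
    for ts, zone, _ in readings:
        last_seen[zone] = ts
    now = now or max(last_seen.values())
    return sorted(z for z, ts in last_seen.items() if now - ts > STALE_AFTER)


def run(text):
    readings = parse_readings(text)
    return {"exceedances": check_limits(readings),
            "rate_of_rise": check_rate_of_rise(readings),
            "stale": check_stale(readings)}


if __name__ == "__main__":
    for name, items in run(SAMPLE_READINGS).items():
        print(name, items)
```

On the constructed data the rate-of-rise alert for ROW-A fires at 10:15, five minutes before the first reading above the 27 °C limit at 10:20, and the retrospective report shows ROW-A outside its band from 10:20 until 10:30 with a peak of 28.5 °C. ROW-B never violates a limit, but it is reported as stale because nothing has been heard from it for 25 minutes; without that check the silent zone would look fine.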

INF.2.A17 Use of an Early Fire Detection System (B) [Planners, Facility Management]

A data center MUST be equipped with an early fire detection system. A server room SHOULD be equipped with an early fire detection system. Alerts from the early fire detection system MUST be routed to a continuously staffed location that can initiate a check and protective response within a maximum of 3 minutes. Alternatively, an automatic protective response MUST occur. To achieve a balanced relationship between fire protection and availability, it MUST be ensured that mutually redundant facilities are not covered by the same de-energization circuit.

INF.2.A29 Avoidance and Monitoring of Unnecessary Cables (B) [Facility Management, Planners]

In a data center, ONLY cables that directly serve the supply of the technology installed in the data center (generally IT and possibly cooling technology) MAY be installed. If it is structurally unavoidable to route cables through the data center to supply areas other than those of the data center, this MUST be documented including the justification. The risks posed by such cables MUST be minimized by appropriate measures, e.g., enclosure and monitoring.

The aforementioned cables may be routed through server rooms without justifying why this is unavoidable, but they MUST be treated in the same manner as described for the data center.

Alerts from monitoring of the cables MUST be checked and assessed without delay with regard to their threat relevance. Countermeasures MUST be implemented promptly in accordance with the identified threat relevance (see also INF.2.A13 Planning and Installation of Hazard Detection Systems).

Standard Requirements

Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be met.

INF.2.A12 Perimeter Protection for the Data Center (S) [Planners, Facility Management]

A perimeter protection SHOULD exist for data centers. Depending on the defined protection needs for the data center and the terrain, the perimeter protection SHOULD consist of the following components:

  • outer enclosure or fencing,
  • security measures against unintentional crossing of a property boundary,
  • security measures against intentional non-forcible crossing of the property boundary,
  • security measures against intentional forcible crossing of the property boundary,
  • open-area security measures,
  • external personnel and vehicle detection,
  • evidence-gathering measures (e.g., video recording), and
  • automatic alerting.

INF.2.A13 Planning and Installation of Hazard Detection Systems (S) [Facility Management]

Based on the building’s security concept, it SHOULD be planned which hazard detection systems are needed and installed for which areas of the data center. Furthermore, it SHOULD be specified how alarm messages are to be handled. The concept SHOULD always be updated when the use of building areas changes.

A hazard detection system (HDS) appropriate to the respective application SHOULD be installed. Signals from the HDS SHOULD be connected to an alarm receiving center in accordance with the applicable Technical Connection Conditions (TCC). The selected alarm receiving center MUST be reachable at all times. It MUST be technically and organizationally capable of responding appropriately to the reported hazard. The transmission path between the HDS and the alarm receiving center SHOULD be designed in accordance with the TCC and, where possible, redundantly. All existing transmission paths MUST be regularly tested.

INF.2.A14 Use of a Standby Generator (S) [Planners, Facility Management]

The energy supply of a data center from the grid of an energy supply company SHOULD be supplemented by a standby generator (SG). If an SG is used, it MUST be regularly maintained. During these maintenance activities, load and functional tests as well as test runs under load MUST also be carried out.

The fuel reserves of an SG MUST be regularly checked for sufficiency. It MUST also be regularly checked whether the reserves are still usable, especially to avoid so-called diesel plague (microbial growth in stored diesel fuel, which clogs filters and injectors). Where possible, low-sulfur heating oil SHOULD be used instead of diesel fuel. Fueling operations MUST be logged. The log MUST include the type of fuel, the additives used, the date of fueling, and the quantity fueled.

If the use of an SG is dispensed with for a server room, a UPS with an autonomy time appropriate to the protection needs SHOULD be realized as an alternative to the SG.

INF.2.A15 Surge Protection Equipment (S) [Planners, Facility Management]

A lightning and surge protection concept SHOULD be developed based on the currently applicable standard (DIN EN 62305 Parts 1 to 4). The lightning protection zones (LPZ) required for proper DC operation MUST be defined. For all facilities required for proper DC operation and its service provision, this SHOULD be at minimum LPZ 2. All surge protection equipment SHOULD be subjected to a comprehensive inspection once a year in accordance with DIN EN 62305-3, Table E.2.

INF.2.A16 Air Conditioning in the Data Center (S) [Planners]

It SHOULD be ensured that appropriate climatic conditions are created and maintained in the data center. The air conditioning SHOULD be adequately dimensioned for the data center. All relevant values SHOULD be continuously monitored. If a value deviates from the norm, an automatic alarm SHOULD be triggered.

Air conditioning systems in IT operations areas SHOULD be as fail-safe as possible.

INF.2.A18 DISCONTINUED (S)

This requirement has been discontinued.

INF.2.A19 Functional Testing of Technical Infrastructure (S) [Facility Management]

The technical infrastructure of a data center SHOULD be regularly tested (at least once or twice a year) as well as after system modifications and extensive repairs. The results SHOULD be documented. In particular, complete response chains SHOULD be subjected to a genuine functional test.

INF.2.A20 DISCONTINUED (S)

This requirement has been discontinued.

INF.2.A30 Suppression or Fire Prevention Systems (S) [Facility Management, Planners]

A data center SHOULD be equipped with an automatic suppression or fire prevention system.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection representing the state of the art. The proposals SHOULD be considered when protection needs are elevated. The specific determination is made within an individual risk analysis.

INF.2.A21 Alternate Data Center (H)

A geographically separate alternate data center SHOULD be established. The alternate data center SHOULD be dimensioned so that all processes of the institution can be maintained. It SHOULD also be permanently operational. All data of the institution SHOULD be regularly mirrored to the alternate data center. Switching to the alternate data center SHOULD be regularly tested and exercised. The transmission paths to the alternate data center SHOULD be appropriately secured and designed with appropriate redundancy.

INF.2.A22 Implementation of Dust Protection Measures (H) [Facility Management]

For construction work in a data center, appropriate dust protection measures SHOULD be defined, planned, and implemented. Persons not directly involved in the construction work SHOULD check at sufficiently frequent intervals whether the dust protection measures are working properly and whether the dust protection regulations are being observed.

INF.2.A23 Appropriate Design of Cabling in the Data Center (H) [Facility Management]

Cable trays in data centers SHOULD be carefully planned and implemented. Trays SHOULD be designed with respect to arrangement and dimensioning so that a separation of voltage levels and a sensible distribution of cables across trays is possible and sufficient space is available for future capacity increases. To optimally supply IT hardware equipped with two power supplies, an A-B supply system SHOULD be established from the low-voltage main distribution for IT operations areas. Cables that are mutually redundant SHOULD be routed via separate trays.

INF.2.A24 Use of Video Surveillance Systems (H) [Data Protection Officer, Facility Management, Planners]

Access control and intrusion detection SHOULD be supplemented by video surveillance systems. Video surveillance SHOULD be embedded in the overall security concept. When planning, designing, and evaluating video recordings, the Data Protection Officer MUST always be involved.

The central technical components required for video surveillance SHOULD be installed in a protected location in a suitable environment. It SHOULD be regularly checked whether the video surveillance system is functioning correctly and whether the viewing angles agreed upon with the Data Protection Officer are being maintained.

INF.2.A25 Redundant Design of Uninterruptible Power Supplies (H) [Planners]

UPS systems SHOULD be modular and designed so that failure is compensated without interruption by a redundant module. If an A-B supply system is established for IT operations areas, each of the two power paths SHOULD be equipped with its own independent UPS system.

INF.2.A26 Redundant Design of Standby Generators (H) [Planners]

Standby generators SHOULD be designed redundantly. With regard to maintenance, redundant SGs MUST also be treated in accordance with INF.2.A14 Use of a Standby Generator.

INF.2.A27 DISCONTINUED (H)

This requirement has been discontinued.

INF.2.A28 Use of Higher-Grade Hazard Detection Systems (H) [Planners]

For data center areas with elevated protection needs, ONLY hazard detection systems of VdS class C (in accordance with VdS guideline 2311) SHOULD be used.

Additional Information

Good to Know

The BSI provides documents at https://www.bsi.bund.de/dok/RZ-Sicherheit including “Data Center Definition,” “Site Criteria for Data Centers,” “Availability Measures for Data Centers,” “Redundancy – Modularity – Scalability,” and “Fuel Storage for Standby Generators.”

The German Institute for Standardization (DIN) describes general principles for data center design in the standard “DIN EN 50600-1:2019-08 Information Technology – Facilities and Infrastructures of Data Centers: Part 1: General Concepts.”

The German Institute for Standardization (DIN) addresses the topic of lightning protection in the standard “DIN EN 62305-4:2011-10 Lightning Protection: Part 4: Electrical and Electronic Systems within Structures.”

The German Digital Association (Bitkom) provides guidance on planning and building a data center in its guide “Betriebssicheres Rechenzentrum” (Operationally Reliable Data Center).

The German Insurance Association (GDV) describes perimeter security measures that can be used as guidance for building security in its publication “Sicherungsleitfaden Perimeter.”