
What is a “trap for a person” in the data center and why is it needed?


Although the lion's share of any data center's protective measures is directed against virtual attacks (malware, direct attacks, etc.), some of the effort must be spent on protection against physical break-ins. Sooner or later, an attacker can get into any data center in the flesh. This may be a curious teenager, a thief or a saboteur, or an “agent of influence” of a direct competitor of the company.

Several data centers where our equipment is located have a physical protection system against such "guests". This protection is called a mantrap (literally, a “human trap”). It is a genuinely effective measure: getting around it is almost impossible. Biometric scanners can be fooled or hacked, and to avoid the consequences of such a compromise, many data centers use a mantrap. Why do we need traps, and when should we use them?



Trap for a man: what's in a name?


It is exactly what it sounds like: a small room designed to catch unexpected guests. The trap first asks a person to identify themselves and then acts depending on the person's response. Such a room usually has only one or two doors, almost never more. Authentication is usually required to pass through any of the doors.

The simplest implementation of the “human trap” concept is a room with two doors. One door gives access to the restricted area, and the other gives access to the public area. This model uses authentication for each of the room's doors. Here is a short description of how it all works:

1. Someone wants access to a protected area. To get it, they need to enter an access code, authenticate using one of the sensors, or swipe a card through the reader. Combinations of all these methods are possible. On successful authentication, the door to the trap opens automatically, letting the person into the room.

2. The first door closes, preventing other people from entering the trap. High-quality automation keeps other people from getting inside with a high degree of probability. If the system nevertheless detects several people in the room, an alarm is activated and the room is locked down.

3. If there is only one person in the room, the entrance door is locked and the guest is asked to authenticate once more. The procedure, or combination of procedures, may differ from what was required at the entrance. If all is well, the person goes into the restricted area. Until this happens, the doors remain closed and locked.

As you can see, one of the main purposes of the “trap” is to minimize the probability that people following a verified user get into the restricted area. Some systems also use human security guards, who, for example, inspect people coming in through a protected window in the trap room. But such a system is, of course, more expensive than a fully automatic one, so it is used in extreme cases.

Loneliness in a trap


As mentioned above, the main task of mantraps in data centers is to ensure that only authorized employees or guests get into the protected area. The trap therefore has to let only one person at a time into the room. If the system is hybrid, that is, a human works alongside the automation, there is no problem. But if it relies on automation alone, things are more complicated.

The fact is that an automatic system can still be deceived. A person is much harder to deceive in this respect: an attentive security guard is unlikely to mistake two people for one. One way to solve the problem with automation is to add infrared sensors. You can also embed pressure sensors in the floor (hoping that nobody weighing around 200-250 kg, whom the system might recognize as two people, will visit) or add analytical software that analyzes the video stream from the cameras.

Even then, problems still arise. For example, if an employee needs to carry something big and heavy into the protected area, how is the trap to be told about it? The same pressure sensors may well trigger. There are solutions, but they are quite expensive. One of these solutions is Newton Security's T-DAR system.

There are now quite a few solutions, so there is plenty to choose from.

What else?


There is one more important aspect of data center security related to traps: an emergency on the premises, for example a fire, a flood, or something else. In this case, the trap should automatically let people through into the safe zone without any checks. In addition, traps must be large enough to meet US ADA standards (this is mainly a US requirement, but there are similar standards in other countries).

The design of the trap should not be too complex; it should be simple and reliable in operation and maintenance.

All this entails additional costs. But a break-in often entails costs that are not just large but huge, so this is a necessary price for the security of the data center and the management's peace of mind.
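
The three-step entry sequence described earlier and the emergency release above can be modelled as a small state machine. This is an added example, not code from the article or from any vendor's product; the class, state and event names are hypothetical, and returning to idle when nobody entered after step 1 is an assumption.

```python
from enum import Enum, auto

class State(Enum):
    IDLE = auto()        # room empty, both doors locked
    ENTERING = auto()    # outer door released after the first authentication
    OCCUPIED = auto()    # one person inside, both doors locked
    PASSING = auto()     # inner door released to the restricted area
    ALARM = auto()       # several people detected, room locked down
    EMERGENCY = auto()   # fire/flood: both doors released without checks

class Mantrap:
    """Hypothetical two-door interlock controller (all names are assumptions)."""
    def __init__(self):
        self.state = State.IDLE
        self.outer_locked = self.inner_locked = True

    def _set(self, state, outer_locked, inner_locked):
        self.state, self.outer_locked, self.inner_locked = state, outer_locked, inner_locked
        return state

    def handle(self, event, ok=False, occupants=0):
        s = self.state
        if event == "emergency":                          # overrides every state
            return self._set(State.EMERGENCY, False, False)
        if s in (State.ALARM, State.EMERGENCY):           # only staff can reset
            return self._set(State.IDLE, True, True) if event == "reset" else s
        if s is State.IDLE and event == "auth_outer" and ok:      # step 1
            return self._set(State.ENTERING, False, True)
        if s is State.ENTERING and event == "outer_closed":       # step 2
            if occupants == 1:
                return self._set(State.OCCUPIED, True, True)
            if occupants == 0:                            # nobody walked in
                return self._set(State.IDLE, True, True)
            return self._set(State.ALARM, True, True)     # more than one person
        if s is State.OCCUPIED and event == "auth_inner" and ok:  # step 3
            return self._set(State.PASSING, True, False)
        if s is State.PASSING and event == "inner_closed":
            return self._set(State.IDLE, True, True)
        return s  # failed authentication or out-of-order event changes nothing

# Constructed event traces for illustration (not taken from the article)
NORMAL = [("auth_outer", {"ok": True}), ("outer_closed", {"occupants": 1}),
          ("auth_inner", {"ok": True}), ("inner_closed", {})]
TAILGATE = [("auth_outer", {"ok": True}), ("outer_closed", {"occupants": 2}),
            ("auth_inner", {"ok": True})]

def run(events):
    trap = Mantrap()
    return [trap.handle(name, **kwargs).name for name, kwargs in events]
```

Outside the emergency state, no transition leaves both doors unlocked at once, which is the property the two-door design exists to enforce.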



Do you need a “trap for a person” for your data center?


The answer to this question may be different in each case. In some cases, creating such a system may simply be unnecessary. Here it is worth weighing the costs of operating the trap against the possible benefits of using it. If security is the top priority in all of the work, then of course a trap is needed.

But in some cases, the security problem can be solved without a trap. The main thing is to remember why such a system is being introduced, and to know how much money is needed to implement such a project.

Source: https://habr.com/ru/post/313268/

