What is a “human trap” in a data center and why is it needed

Although the lion's share of any data center's protective measures is directed against attacks in the virtual realm (malware, direct network attacks, etc.), part of the effort needs to go to protection against physical break-in and intrusion. An attacker in the flesh can sooner or later infiltrate any data center: a curious teenager, a thief, a saboteur, or an "agent of influence" working for a direct competitor of the company.
In several data centers where our equipment is located, there is a physical protection system against such "guests". It is called a "human trap" (mantrap), and it is a genuinely effective measure: it is almost impossible to get around. Biometric scanners, for instance, can be tricked or hacked, and to limit the consequences of such a compromise many data centers use a mantrap. Why are traps needed, and when should they be used?

A trap for humans: what's in a name?
It is exactly what it sounds like: a small room designed to catch uninvited guests. The trap first asks the person to identify himself and then acts depending on the response. Such a room usually has only one or two doors, almost never more, and an authentication procedure is usually required to pass through any of them.
The simplest implementation of the "human trap" concept is a room with two doors. One door leads to the restricted area, the other to the shared area. This model uses authentication at each of the room's doors. Here is a short description of how it all works:
1. Someone wants access to the protected area. To do this, they must enter an access code, pass an authentication check on one of the sensors, or swipe a card through the reader; combinations of these methods are possible. Upon successful authentication, the trap's door opens automatically and lets the person into the room.
2. The first door closes, preventing others from following into the trap. Good automation cuts off other people from getting inside with a high degree of probability. If the system nevertheless detects several people in the room, an alarm is triggered and the room is locked.
3. If there is one person in the room, the first door is locked and the guest is asked to go through the authentication procedure again. This procedure, or combination of procedures, may differ from what was required at the entrance. If all is well, the person passes into the restricted area. Until then, the doors remain closed and locked.
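The three steps above, plus the emergency release described further down, as an added example: a simulated interlock controller in Python. It is not code from this article or from any mantrap product; the credential sets, the occupancy sensor reading and the guard reset are assumptions.

```python
from dataclasses import dataclass
from enum import Enum, auto


class State(Enum):
    IDLE = auto()       # both doors locked, room empty
    ENTERING = auto()   # outer door open, waiting for it to shut
    VERIFYING = auto()  # outer door locked, second check requested
    ALARM = auto()      # more than one person inside: room locked, alarm raised
    EMERGENCY = auto()  # fire or flood: both doors released without checks


@dataclass
class Mantrap:
    outer_credentials: set  # accepted at the outer door (assumed: badge ids)
    inner_credentials: set  # accepted at the inner door (assumed: a different factor)
    state: State = State.IDLE

    def request_entry(self, badge):
        """Step 1: authenticate at the outer door; it opens only from IDLE."""
        if self.state is not State.IDLE or badge not in self.outer_credentials:
            return False
        self.state = State.ENTERING
        return True

    def outer_door_closed(self, occupancy):
        """Step 2: outer door shuts; the occupancy sensor reports how many people are inside."""
        if self.state is not State.ENTERING:
            return False
        if occupancy != 1:  # tailgating (or an empty room): lock the room, raise the alarm
            self.state = State.ALARM
            return False
        self.state = State.VERIFYING
        return True

    def request_inner_door(self, factor):
        """Step 3: re-authenticate at the inner door; on failure the person stays locked in."""
        if self.state is not State.VERIFYING or factor not in self.inner_credentials:
            return False
        self.state = State.IDLE  # person passed into the protected area, room is free again
        return True

    def emergency_release(self):
        """Fire or flood: release both doors with no checks (fail-safe)."""
        self.state = State.EMERGENCY

    def guard_reset(self):
        """Assumed: after an alarm or emergency a guard returns the trap to service."""
        if self.state in (State.ALARM, State.EMERGENCY):
            self.state = State.IDLE
```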
As you can see, one of the main purposes of the "trap" is to minimize the likelihood of someone entering the restricted zone on the heels of a verified user. Some systems also use human guards who, for example, watch people entering the trap through a protected window in the room. Such a system is, of course, more expensive than a fully automatic one, so it is used only in extreme cases.
Alone in the trap
As mentioned above, the main task of a human trap in a data center is to guarantee that only authorized employees and guests get into the protected zone. Therefore the trap must admit only one person at a time. If the system is hybrid, that is, human work is added to the automation, there is no problem. But if pure automation is at work, everything is more complicated.

In this case problems still arise. For example, if an employee needs to carry something big and heavy into the protected area, how do you tell the trap about it? Pressure sensors can certainly do the job. Solutions exist, but they are quite expensive. One such solution is Newton Security's T-DAR system.
Now there are a lot of solutions, so there are plenty to choose from.
What else?
There is another important aspect of data center security related to traps: an emergency in the room, such as a fire or flood. In this case the trap should automatically let people into a safe area without any checks. In addition, traps must be large enough to meet US ADA standards (basically a US requirement, but other countries have similar standards).
The trap's design should not be overly complicated; it should be simple and reliable in operation and maintenance.
All this entails additional costs. But a break-in often entails not just big but huge costs, so this is a necessary price for the security of the DC and the peace of mind of management.

Does your data center need a “human trap”?
The answer may be different in each case. In some cases creating such a system may simply be unnecessary. It is worth weighing the cost of operating the trap against the possible benefits of using it. If security is the top priority for all work, then of course a trap is needed.
But in some cases you can solve the security problem without a trap. The main thing is to remember why such a system is being introduced and to know how much money is needed to implement such a project.
We share our experience: