Modular Server Vaulting

A recently released study conducted by Verizon Business and the United States Secret Service shows that despite all the countermeasures applied to prevent data breaches, the problem is still wide-spread and costly.  The majority of the information lost was due to the concentrated efforts of criminal organizations.  These criminals utilize a variety of methods to acquire financial and other personal information, then sell this information on the black market for stolen identities, credit card numbers and banking information.

In some areas the study found that data theft had decreased from the previous study period, but this is probably due to the over abundance of credit card numbers and other information that has created a glut in the market.  The supply has outpaced demand to the extent that the price for such information has dropped below the point where it is profitable to steal more.  This is hardly good news for consumers.

This study underscores how critical it is for organizations to maintain control over their mission critical information.  Having a safe environment in which to operate IT equipment and store backup media is a major component in this equation.  That is where a Class 125 data vault can give security-conscious organizations an advantage.  These vaults are capable of protecting against catastrophic fires, stabilizing the interior climate, and improving physical security.  This secure environment combined with a well designed and implemented cybersecurity program mitigates the risk of data theft and loss.

For more information on the Verizon/Secret Service study, here is the link to the original article: http://newscenter.verizon.com/press-releases/verizon/2010/2010-data-breach-report-from.html

There is no doubt that we live in a litigious society.  And among all the industries in this complex economy, the healthcare industry may be affected by the threat of law suits more than any other.  The Health Insurance Portability and Accountability Act (HIPAA) adds to the already long list of reasons to sue a healthcare provider.  That is not to say we do not need this federal mandate to require that our personal medical information is kept safe and confidential.  In this age of identity theft and other forms of personal intrusion, we need all the safeguards we can get.  Firelock vaults are one element in a conscientious healthcare provider’s comprehensive data protection program that keeps our information safe and mitigates their risk of litigation.

As our medical records continue to migrate to completely digital formats, this information must be accessible to authorized personnel but protected from intruders.  It must also be protected from corruption by taking backup copies of the information off-line with backup tapes or removable hard drives.  These backup copies must be stored in a Class 125 data vault to comply with NFPA 232, which ensures that even if the temperature around the vault reaches 2,000-degrees F. in a catastrophic fire the interior will remain below 125-degrees F.–the point at which digital information is lost.  If the integrity of the information is not maintained it is a violation of HIPAA requirements.

These Firelock vaults are also used to protect IT equipment which hosts electronic medical records.  Server vaults can keep temperatures from reaching the threshold where electronic equipment is damaged or destroyed, enabling healthcare providers the ability to relocate this equipment to a secondary site and get the vital patient records back online where healthcare providers need them.  By employing these best practices, healthcare organizations can mitigate risk and meet the needs of their patients when it matters most.

Managed hosting companies are often the sole custodian of their client’s mission critical information.  Statistics vary, but the majority of companies that lose their vital information go out of business within the next year.  Protecting this information is rarely seen as a priority for this industry, as uptime and cost per GB of storage tend to be the key selling points hosting companies emphasize.  Not all companies are the same, of course, and a small but growing contingent of managed hosting companies is investing in server vaults for their data center to ensure the survival of their clients’ data, even if their facility is hit by a disaster.

This concept of offering clients a higher level of protection for a premium price is not a new one in the data protection industry.  For nearly twenty years a network of offsite data storage companies has been using Firelock media vaults to differentiate themselves from the competition and grow their businesses.  In any market with a lot of competition the product and or service becomes a commodity, and in a commodity market the lowest price almost always wins.  To avoid this margin-shrinking phenomenon the Secure Media Vault Associates (the network of Firelock-equipped offsite data storage companies) invested in true data-rated vaults and are able to charge premium prices for their services.  Their clients recognize the value of the investment their service providers have made to protect their backup data and are willing to pay extra for this level of security.

By providing a data center with real data protection capabilities these hosting companies can win new business without slashing their prices to be the cheapest vendor.  They can also go after clients that have more stringent information protection requirements, like healthcare companies with HIPAA regulations and financial service firms with FTC mandates to satisfy.  A Class 125 server vault is an excellent way for a managed hosting company to carve out a very profitable niche in a crowded market.

One of the things data center operators frequently ask me is how we are able to maintain the integrity of the vault with their cooling system’s needs for coolant lines penetrating the vault.  The answer is the insulated pipe penetration assemblies we install to protect this critical area.  Without the ability to adequately cool the server room equipment the data center will not function properly, and if the server room is not protected everything is lost in a disaster.

One very attactive option for cooling is the LiquiCool® Rear Door Heat Exchanger (RDHx) system offered by Coolcentric.  This type of system utilizes the airflow generated by the server equipment to push the warm air through the radiator-like heat exchangers in the units that replace the rear doors of the server cabinets.  This cools the air before it exits the rack and keeps the temperature in the server room at optimum levels.  Coolcentric’s RDHx system is very energy efficient and reliable because there are no fans or other moving parts on the server cabinets.  A Coolant Distribution Unit monitors the temperatures within the individual racks and increases or decreases the flow of chilled water to each unit as needed to achieve maximum efficiency.  Over time the total cost of ownership of RDHx systems is lower than conventional HVAC systems due to the reduced power consumption.

Coolcentric offers this product with a coolant line manifold that is located inside the vault, so only a single pair of supply and return lines is needed to penetrate the vault structure to connect to the water chiller unit.  This is ideal for maintaining the integrity of Firelock’s Class 125 data vaults.  Of course the coolant penetrations are just one component of the total vault system.  The vault structure, doors, dampers and cable penetrations must all meet the stringent Class 125 rating (the ability to maintain the temperature below 125-degrees F. even if the exterior temperature reaches 2,000-degrees).  As the old saying goes, ” a chain is only as strong as its weakest link.”  The same is true for data center design.  All components must work together to create a functional and safe environment for mission critical data center operations.

To protect its mission critical information a large healthcare provider is including a Class 125-Three Hour server vault in their data center renovations.  As part of their security protocols they do not want to be named but their spokesperson stated: “Protecting our clients’ medical records is paramount, and this is one way we can fulfill our duty to provide the absolute best care for them.”

This vault is capable of maintaining the interior temperature below 125-degrees F. for at least three hours, even if the exterior temperature reaches 2,000-degrees F.  This is the rating required in the National Fire Protection Association’s standard NFPA 75, which details the specifications for the protection electronic equipment.  Only the most critical data centers currently adhere to this stringent standard, while less important facilities are typically just equipped with a fire suppression system inside the server room.  The flaw in this method of protection is it only helps if the fire starts inside the server room.  If the fire starts somewhere else in the building and burns its way into the server room the equipment will already be destroyed by the time the fire suppression system is activated.

One of the reasons this organization decided to protect their data center is the federal government’s HIPAA requirements on safeguarding patient data.  Protecting the equipment where this information is stored and processed helps this organization stay in compliance with HIPAA mandates.  Another deciding factor is the federal government’s initiative to have all medical records converted to digital format.  By protecting their data center facility with a Class 125 server vault they already have the infrastructure in place to protect these digital records.  It’s good to see an organization being proactive in their approach to protecting mission critical information.

Over the past 25 years Firelock has built over 1500 modular fireproof vaults to protect IT equipment and other heat-sensitive assets.  In that time very few of these vaults have had the same dimensions as previously installed vaults.  Each vault is custom-sized to fit in an existing room or to provide for the client’s exact interior space requirements.  When length, width and height is easily customized it creates an almost infinite number of  vault size permutations.  This is why it is easy for Firelock to customize the Secure Agile Vault Environment (SAVE) units for each customer’s needs.

Of course building inside a shipping container limits the vault dimensions to some degree, but containers can be had in multiple sizes and the length of the vault can be customized.  The standard SAVE unit is constructed with a 40-foot shipping container and allocates space for a vestibule in front of the vault and a mechanical room behind it.  It also includes eight server racks, an overhead cable management system, internal fire suppression, Vette’s LiquiCool Rear Door Heat Exchanger system and the HVAC equipment to support it.  The SAVE unit can be delivered with all of these components, some of these components, or with just the vault itself.  It’s all up to the customer.

If the water chiller and support systems are not needed inside the SAVE unit, the mechanical room can be eliminated and the vault can be expanded into that area.  If the unit will always be operated in an indoor space, such as a warehouse, and weather protection and improved physical security is not required then the vestibule area can be eliminated.

With a history of customizing fireproof vaults to fit each individual customer’s needs, Firelock is able to do the same for the SAVE solution.  Just as it is with all Firelock vaults–it’s all about the customer.

Many of the major server equipment manufacturers have recently been marketing the concept of a “data center in a box,” which is a shipping container filled with their IT equipment to create easily transportable data center modules.  This concept does have some advantages over traditional data center facilities, such as mobility, scalability and compact size.  However, these high-density modules are very much at risk of being damaged or destroyed by fire, intrusion or even adverse weather conditions.

To address these threats, Firelock has created the Secure Agile Vault Environment, or SAVE solution.  By using a 40-foot shipping container and installing a Class 125 data vault a much more secure environment is provided for mission critical systems.  The vault ensures that IT equipment will be kept safe even if exposed to the heat of a catastrophic fire.  Physical security is also greatly improved with the double door assembly.  The vestibule area in the front of the container allows the container to be sealed before opening the vault doors, so even the worst weather conditions are not a threat to the valuable servers.  The on-board mechanical room behind the vault contains the HVAC system, so only power and network communications need to be supplied to the SAVE unit.

Firelock has taken a vendor-neutral approach to the mobile data center module concept.  Eight standard server racks are in place and ready for any hardware manufacturer’s equipment.  To cool these racks the Vette LiquiCool Rear Door Heat Exchanger system is utilized.  This efficient and compact cooling system uses the airflow from the server units so no power needs to be supplied to these economical and maintenance-free units.

For more details about the SAVE by Firelock, click here for an illustrated presentation: http://www.youtube.com/watch?v=EFQ9bOuQub4

One of the most difficult aspects of server room design is managing the temperature inside this critical area.  As the density of server racks increases and the heat generated by the IT equipment escalates year over year it is no wonder data center designers must consider their cooling options carefully to maintain optimum server room temperatures.

One option we have found to be an excellent solution in high density data centers is the Vette Corporation line of rear door heat exchangers for server racks.  These systems cool the exhaust air from server cabinets before they enter the airspace within the server room by circulating chilled water through the unit.  Because this design utilizes the airflow from the fans in the server equipment there is no power consumption from the cooling units, resulting in significant operating cost savings.

To protect against ambient heat, especially in hotter climates, the R-33 insulation rating of Firelock vaults is a major advantage in maintaining the correct server room climate.  All cooling system penetrations in Firelock server vaults, such as for coolant lines and ducted air, are specially designed and installed to prevent the heat from a fire from damaging or destroying the most critical area of the data center.  And of course the vault structure and doors are capable of maintaining the temperature below 125-degrees F. for at least two hours (up to four hours in larger server vaults) even if the outside temperature reaches 2,000-degrees.  Heat must be held below this critical threshold to protect the IT equipment and the vital information it holds.  After all, mission critical data centers must be protected from all threats–from within and without.

When most people think about security for the data center, the focus is on firewalls that keep hackers out of the network.  These countermeasures are absolutely essential for protecting the data hosted on the network.  One issue that isn’t emphasized enough is the need for physical security–keeping unauthorized personnel and other intruders out of critical areas in the data center.  The server room is especially vulnerable and in need of extra security, due to the value of the components in the server racks and the information they contain.

Electronic equipment must also be protected from heat exposure.  Fortunately, improved physical security is a beneficial by-product of the modular fireproof server vaults by Firelock.  The wall and roof panels used in the construction of these vaults is not specifically designed to stop intruders (these vaults are capable of maintaining interior temperatures below 125-degrees F. for two to four hours, depending upon the size of the vault, even if the fire outside the vault reaches 2,000-degrees F.) but it would take a significant amount of time to breach them.  If a motion sensor or other intrusion detection system is installed outside the vault area, this extra time gives security personnel or the police a chance to arrive before the server room is compromised.

The double door system is another major improvement to physical security in the data center.  The outer door is an 1,100-pound fire door with a combination lock.  When the door closes it automatically throws 10 steel bolts into the locked position in the steel door frame.  This would be a very difficult door for an intruder to open after the combination lock is engaged.  The inner door is a steel door with a conventional door handle and lock that is often converted to a magnetic lock that can be activated by swipe cards or biometric access control systems.  These electronic lock systems are ideal for controlling access to the critical vault area during business hours and keeping track of authorized personnels’ entry and exit times.

With all the threats to IT operations that exist in the world, it’s a distinct advantage to have one integrated part of the data center that can protect against both fire and intrusion.  Vaulting the server room with a modular data chamber protects mission critical data both ways.

When  comparing the specifications for fireproof server vaults, there is a distinct difference between the ASTM E119-00a testing standards found in the U.S. market and the EN1047-2 standard that dominates Europe, Asia and South America.  For example, the American test requires a five-hour fire test, with a blast furnace heating the vault to over 2,000-degrees F. to measure how long a vault structure can maintain temperatures below the critical 125-degrees F. threshold.  The same vault structure must then be exposed to a hose stream test to ensure it still has the structural integrity to resist the pressure of fire fighting efforts around the vault.

In contrast, the EN1047-2 test procedure only requires the vault structure to be exposed to heat from the furnace for one hour, after which the furnace is turned off and only the residual heat in the test area remains as the source of elevated temperatures outside the vault.  Even more surprising is the fact that a new vault structure is then used for the hose stream test, rather than the one that was exposed to heat.  Most fire testing experts agree this is not an accurate procedure to test real world capabilities.

Because of these different test procedures, Firelock vaults are designed and constructed very differently from those that are designed to meet the EN1047-2 requirements.  Every component of Firelock vaults is capable of meeting the Class 125 rating required to protect electronic equipment and the data stored within.  The European-spec vaults have some fire protection value in the vault structure (though not as robust as the ceramic fiber-core panels utilized by Firelock) but the other components are far from meeting the Class 125 rating.  For example, the EN1047-2 spec requires a single door with an outward swing and a “crash bar” opening mechanism to speed egress from the vault area.  The door is not much different than a standard steel commercial door, and it is not unusual for them to have windows.  Needless to say, this is a far cry from the Class 125 double door assembly employed on Firelock vaults.  The same is true for the cable and air duct entry points, where light-duty units are installed to ease speed of installation.

Does this mean IT infrastructure and information in Europe, Asia and South America are less valuable than the same type of assets in the U.S. market?  Not likely.  I believe it is more a matter of U.S. testing authorities recogizing then need to apply real world conditions to encourage the development of products that will protect American assets when the worst case scenario becomes a reality.