I say "security" because I know that in a shared space, nothing is completely secure. I also know that with enough intent, someone will accomplish whatever they set out to do regarding breaking something of someone else's. My concern is mainly towards mitigation of accidents. This could even apply to a certain degree to things within your own space and your own careless techs
If you have multiple entities in a shared space, how can you mitigate the chances of someone doing something (assuming accidentally) to disrupt your operations? I'm thinking accidentally unplug the wrong power cord, patch cord, etc. Accidentally power off or reboot the wrong device.
Obviously labels are an easy way to point out to someone that's looking at the right place at the right time. Some devices have a cage around the power cord, but some do not.
Any sort of mesh panels you could put on the front\rear of your gear that you would mount with the same rack screw that holds your gear in?
- Open space, but your own cabinet. We have open areas where there are rows of half and full cabinets where customers can rent space. That cabinet space is theirs, but they’re in the open and anyone can get to the physical cabinet. While in general the cabinets are secure, they could still be broken in to. One could also disconnect power from the overhead junction boxes, or cut the fiber/copper feed going into the cabinets.
- Caged space. Your cabinets are inside a locked cage. You can choose to have a “ceiling” installed if you think someone is going to squirrel their way up the walls. The whole area is locked, no one else can get in. Unless they crawl under the floor! Access to power and data lines are only available inside the cage.
- Completely isolated space. We have a few customers that have paid to build literal walls around their leased space, giving them a completely isolated data center within a data center. Probably the most secure from the customer’s perspective, as they can and have employed their own man-traps, security systems, surveillance, etc. on top of our own.
- Module space. We have fully-enclosed modules that are RFID card access only. Half or whole modules can be leased. Similar to a caged space, but completely sealed and self-contained. Some of them are shared space, so the same potential issues in the first bullet apply.
On top of this, the data center is carded, man-trapped, iris-scanner’d, video-surveilled, etc. No lasers or pressure-sensitive plates.
These are just examples to illustrate some of the different levels of access someone else might have to another entity’s gear. I’d be curious to hear examples of cases where malicious activity took place within a data center, one customer to another.
Yup; a standard rack item for audio installs; they go over equalizers and
the like. You shouldn't have any trouble finding them in 1U and 2U, maybe
larger.
I guess those covers are really only useful for servers. That really wouldn’t work with a switch\router. Switches and routers are going to be the bulk of what we’re dealing with.
I am finding locking power cables, but that seems to be specific to the PDU you’re using as it requires the other half of the lock on the PDU.
I did come across colored power cords. I wonder with some enforced cable management, colored power cables, etc. we would have “good enough”? You get some 1U or 2U cable organizers, require cables to be secured to the management, vertical cables in shared spaces are bound together by customer, color of Velcro matches color of the power cord? Blue customer, green customer, red customer, etc. Could do the cat6 patch cables that way too, but that gets lost when moving to glass or DACs.
I thought about a web cam that would record anyone coming into the cabinet, but Equinix doesn’t really allow pictures in their facilities, so that’s not going to fly. Door contacts should be helpful for an audit log of at least when the doors were opened or closed.
Financial penalty from the violator to the victim if there’s an uh oh?
I’m not trying to save someone from themselves. I’m not trying to lock the whole thing down. Just trying to prevent mistakes in a shared space.
Label everything - cubicle, equipment, cables using high quality labels that won’t fall off. Use a meaningful labeling scheme. Label both sides of the equipment with letters large enough for everyone to read. Color coding is nice until you have dim lighting or a color-blind tech.
Separate power and data for the wired stuff. EMI leakage is real. Secure power cords to the equipment. Secure cables to PDU so they don’t fall out when bumped. Secure the cables for “wall wart” power supplies so that they do mot loosen. Learned this the hard way after plugs vibrated or “fell” out.
If you have issues with others pugging into your power, use electrical outlet blocker plugs (baby proofing supplies) and mark them as if the outlet is broken.
Secure your data cables so that they do not block the heat exhaust of the equipment. Use cable boots to prevent damage to cable clips, and to prevent tugging on other cables when making changes. Don’t bend cables beyond the minimum bend radius.
You’re only as safe as the most dangerous technician that is allowed into the space.
In a past life we worked with our supplier to create physically separate sub-enclosures.1/2 and 1/3. Able to build in a separate and secure cable path for interconnects to the meet-me-room and connection to power supplies.
Can be done and I think there are now rack suppliers that do this as standard. Been out of DC space for a few years now.
Indeed, paying for and maintaining your own generator and UPS system,
digging up streets for diverse network paths if you can get a CLEC to play
with you, twenty-four hour security and personnel logging, buying and
installing your own environmental conditioning.
Getting a cabinet in someone else's datacenter (Equinix, Coresite, Telx, etc.) and having sub-tenants. Most networks aren't going to need more than a handful of U in a datacenter, but the more significant the datacenter, the less likely they are to provide partial cabinets... which makes no sense. Sure, some networks need large chassis routers chewing up 10U - 20U, but there are far more networks that need routers that take up 1U, 2U, something like that. For many networks, the sheer cost of the space in the datacenter doubles their overall cost per megabit.
Right, but that doesn't limit one's ability (intentional or not) to pull out the wrong power cord or smack someone's loosely ran cables, etc. We're sorting out some standards now and I think it'll largely involve color coding, wire looms, horizontal cable management and a "cabinet practices" document defining standards for use in the cabinet. This is meant to protect customers from themselves and each other.
IE: Someone is removing a power cable and the pull the wrong one out of the PDU. Maybe they pull the right one out of the PDU, but it's wrapped around someone else's power cable and theirs gets pulled out along the way. Stuff like that.
Are you leasing a full cabinet and sub-leasing out portions of it? Not sure how you can define what other customers do, unless they're your customers. Split cabinets are ideal, as you the sections are compartmentalized.
*nods* I've seen half and third cabinet designs employed in a couple datacenters. I've seen product sheets for quarter and sixth rack (with the sixth introduced in this thread).
To me, those seem like ideal cabinets to put in MMRs, which traditionally have full cabinets. By count of networks, there are far more networks that employ routers smaller than say 4U than there are ones that use larger than say 12U.