NEXTDC has deployed a no-holds-barred electronic security solution of its own design, comprising Genetec Security Center 5.8 and Synergis, HID VertX control panels and HID iClass SE readers, as well as Axis CCTV cameras, across 9 Australian data centres.
YOU get your first taste of NEXTDC’s intensely layered access control solution as soon as you arrive at the site. First there’s a heavy sliding gate to negotiate via a video intercom conversation with operations staff at the front desk. Once they’ve confirmed you’re expected by checking their management system, you arrive at the front steps but must then be granted access to the facility through a locked door.
Next, you enrol as a visitor with the security team located at the front of house after presenting photo ID and enrolling a biometric scan of your fingerprint via a biometric scanner. I’m assigned a visitor’s access card, which lets me into a meeting room in the visitors’ area. Later I use my bio-enrolled fingerprint to get through a set of Gunnebo bullet resistant CompacSas BA single airlock doors into what might be called the sterile zone but isn’t really, because NEXTDC’s access control solution opens like a Russian doll. It’s not only the Gunnebo entry that’s air locked – there’s a second airlock once you’re through to the secure side of the facility, which leads you deeper into the humming sanctum of the data centre.
Managing all this functionality is Genetec’s sophisticated Security Center technology, which integrates access control, video surveillance (via Omnicast), and video intercom. Security Center workstations provide staff with event logs, video monitoring and an interface to communicate with customers and open doors for them, not only as they arrive but also as they move through the data centre – and this functionality applies to NEXTDC’s network of nine data centres and counting.
At the heart of the integration is the Security Center Federation feature which allows for centralised monitoring, reporting and alarm management. Security Center synchronises cameras, doors and other managed hardware, access points and solutions. Built on role-based protocols determined by NEXTDC, Genetec Security Center offers its security and customer service employees managed access to the video surveillance system, video analytics and reporting, access control, 2-factor authentication systems, and intercoms.
The NEXTDC Security Solution
NEXTDC’s national footprint is linked by dark fibre with considerable standardisation at every level of the operation – I’m visiting the M2 data centre in Melbourne. It’s an impressive operation. According to David Dzienciol, Chief Customer Officer and Executive Vice President of technology at NEXTDC, this site is 48,000 square metres with four live data halls and the capacity to grow significantly.
“It’s one of 9 NEXTDC sites across Australia – a 10th site is planned for Perth – and these are all linked by a dedicated network and are federated using Genetec Security Center,” Dzienciol says. “This federation means an authorised staff member in Brisbane could manage operation of the site here in Melbourne – opening gates and interacting with customers, though system management is primarily site-by-site.
“The access control component of the system is handled in front of house by the Security staff, but there’s separate live management of the entire facility within the building and we are considering a national monitoring centre for CCTV cameras as we grow. The CCTV system is used by our security team to keep an eye on the site and to undertake remote guard tours. The way we have deployed the Genetec Security Center as a federated platform nation-wide has evolved into a key differentiator for our business.”
According to Dzienciol, one of the revelations when NEXTDC built the M2 site in Melbourne related to operational functionality.
“In every other Generation 1 site the customer boardrooms and breakout spaces were behind the Gunnebo doors,” Dzienciol explains. “We realised this was creating an overhead because if visitors were not inducted, they needed to be escorted by front desk staff to get to a board room, a breakout space, or to have a cup of coffee.
“With the design of M2, we have integrated meeting and break out spaces into front of house as well as back of house. What this means for guests is that they can be issued with guest access to front of house amenities without compromising on data centre security by having non-inducted visitors entering back of house operations. There are layers of authorisation and induction required to get through the Gunnebo doors, then onto corridors, data halls, racks or private caged areas.
“Importantly, Genetec Security Center’s Synergis allows us to build those customised access profiles for each environment and apply them on the basis of each customer’s requirements – customers have these different profiles assigned to their credentials depending on their requirements.”
Dzienciol says an influence on the design of the access control solution is ensuring that NEXTDC promotes an always-open partner environment that supports vital infrastructure on behalf of local and overseas customers.
“A partner environment means a visitor could be a partner of NEXTDC, like a Telstra or Optus, and that partner will have multiple clients wanting access to different racks in the data centre,” he explains. “These partners must all be inducted and assigned access profiles that allow us to manage what they can access in a particular part of the site.
“Once profiles are assigned, NEXTDC’s internally developed ONEDC customer portal takes over, integrating Security Center and NEXTDC’s managed systems. If there’s a large project happening that customers need access to, we need to be able to provide that access in a precise, secure and seamless way that drives a positive customer experience. The multi-faceted ONEDC portal talks directly to access profiles in Genetec and allows customers of major partners to self-manage their visits, including booking space for meetings and capacity and resource plan for projects, upgrades and maintenance.
“Thanks to Security Center and ONEDC, rigorous access protocols and robust security are ensured at all times,” says Dzienciol. “And so is the customer’s right to have optimal and frictionless access to the data hall and racks containing their organisation’s critical information.”
Dzienciol says ONEDC and its integration with Genetec security systems has driven significant savings by reducing touch points on each request ticket and speeding up the process of approval and delivery – from several days to just a few minutes.
“When it comes to access control in line with security standards, our customers are looking for auto approval and self-service,” he said. “With the level of intelligence built into our security solution we have been able to reduce the number of staff customers need to engage with each time they visit. This enables us to help our customers get to where they need to be, quickly and efficiently. With the support of Genetec, we can offer a frictionless experience that does not compromise on security.”
Walking the NEXTDC Site
We head deeper into the data centre through the Gunnebo bullet resistant CompacSas BA doors – these can be fitted with presence detection, single person detection, as well as metal and abandoned object detection technologies. In this case, access to the airlock is managed by HID SE Class 2-factor readers, featuring keypads, proximity reader and a biometric fingerprint reader.
Once through the Gunnebo door, which is specially configured to avoid tailgating, we go through another air lock door and out into the back of house corridors. On the way to view Data Hall 1, we take a look at the loading dock and the storage area, which allows customers to store equipment on-site as backup or as part of projects. Both are access controlled and can be managed via ONEDC.
“Staging rooms contain 3-phase power which allows customers to bring servers and supporting equipment into the staging areas to stage them and power them up prior to deploying them to the Data Hall,” says Dzienciol. “You can imagine if a customer is installing their infrastructure into 10-15 racks, that’s a lot of equipment. We purposely build our facilities with significant storage capacity to allow for these customer requirements, which is something many others don’t offer”.
As we head towards Data Hall 1, we pass a Vesda unit – fire detection and control is a major factor of the site – we also pass the switch rooms – there’s no customer access to these core pieces of infrastructure. Other areas where access is highly restricted include high voltage areas such as power boards, transformers and the massive Penske diesel generators.
What’s telling about our tour is that by the time we reach Data Hall 1, we’ve gone through the front gate, been physically and verbally identified and fingerprinted in front of house, passed through the Gunnebo portals, through the second air lock, through the door to the corridor and from the corridor through another access controlled door to gain access to the Data Hall itself. Even after traversing these layers of security, we still can’t access the racks.
Inside Data Hall 1 are caged higher security, or C-Class, racks which are more often than not requested by government departments and overseas organisations requiring authorised credentials to open cage doors before customers are faced with individually access-controlled racks. And while rack rows in the Data Hall can be traversed on foot, you need authorised credentials to open rack doors. Given the physical size of the site, there’s an enormous density of access control readers – every door to a rack is access controlled with HID readers – it’s mind-boggling stuff.
Seeing lines of access control readers stretching down the rack rows in the data centre halls highlights the complexity of installation. Setting up and managing a system with so many access points and alarm/open/close/tamper inputs would have been a time-consuming process. Then Dzienciol tells us there’s access control locking on the back of racks, as well as the front.
“Our rack locking technology is a significant part of our value proposition,” he explains. “Layers of access control are great but if the racks are all open and someone can reach the hardware then the data centre is not secure. Furthermore, if the layers of access are only accessible by physical keys which is the way that many data centres structure their security – it severely inhibits the customer experience. That’s why we have gone to such lengths in our system design.
“Back locking of racks is important for maintenance – customers that can’t get to the data centre use our Remote Hands services to carry out hands-on work for them, such as restarting a server, reseating a network card, carrying out an audit – they simply use the ONEDC customer portal to unlock and relock the racks to allow engineers access to carry out work required,” Dzienciol says, demonstrating the app on his phone.
ONEDC is an access portal: a browser-based interface where customers carry out access requests and log access tickets. The way the site is managed, a customer needs to log a ticket requesting guest or contractor access via ONEDC. That ticket is what the security team in front of house refers to before they grant you access on arrival.
On the CCTV side, there’s coverage everywhere in the same general layers, with dome cameras at either end of the rack rows, cameras in corridors and all access points monitored – but it’s executed in a non-invasive manner. Same as in supermarkets, the presence of racks in data centre halls demands cameras be thoughtfully positioned. Infrastructure on the ceiling is something else the security installers needed to work around. Cameras used are high specification domes with capabilities greater than required by the stable environment in which they are installed – it’s a sign of the importance that NEXTDC’s business places on the security protocols here.
Storage is equally epic in scale – NEXTDC has around 500TB of storage on average dedicated to CCTV surveillance at each of the sites and the cameras are recording at a minimum of 5MP resolution and at 15 frames per second with 90-day retention rates. There are 2400 active cameras across the nine sites – that’s around 265 cameras per site, which is a significant number, again highlighting the importance of security to the operation.
“Some of our largest customers have service level agreements that dictate where we have CCTV and how we use it and we retain footage for up to 90 days to meet with some customer requirements,” Dzienciol says.
As we walk around, Dzienciol points out that certain infrastructure is located above racks rather than under the floor. This costs less to implement and is easier to access for maintenance and upgrade, as well as being easier to monitor for security. He points out that the Vesda system also covers the data centre and is designed to activate in a very targeted way so fire suppression will put out the fire without impacting on the servers of nearby customers.
Another key aspect of the site is power redundancy and monitoring and that redundancy goes all the way down to rack level. NEXTDC employs hot aisle and cold aisle containments in its data centres – these are ways to design individual racks and rack rows to manage the process of cooling using passive means that can also enhance the efficiency of air conditioning. Given 60 per cent of data centre costs relate to cooling, these designs are important.
We also see another customer breakout facility within the site – it’s pretty neat, with coffee and kitchen facilities as well as games, an outdoor area and tables for dining – useful if you have a team on site undertaking a major project, or if you’re showing customers around. These facilities highlight NEXTDC’s drive to make the facility as open to the needs of customers as possible.
Challenges of the Integration
With such a large site you’d expect to find serious challenges, but the integration, the physical components of which were undertaken by ACG Fire & Security, went smoothly, according to Dzienciol.
“Any build is complicated – security is just one element of building a data centre,” Dzienciol says. “When it comes to security, because we went with Genetec from day one it was reasonably easy to add more sites. When we went to market 5 years ago, we felt Genetec was light years ahead in terms of work they are doing with airports, with virtualisation, the Genetec team is super focused.
“Given this, our challenges revolved around having different integrators handling different locations when it came to hardware infrastructure. This impacted on integration and ultimately meant we needed to go through a standardisation effort before we went to full federation. We’ve also had some government customers wanting SCEC designs applied to their particular areas in the data centre, so we’ve needed to stay on top of those customer requirements, too.”
Dzienciol says there is an ongoing operational challenge on the customer side.
“The important thing is making sure we are across new and growing client requirements – what they need, when they will be working on establishing or expanding their infrastructure in the data centre,” he explains. “This is impacted on by factors like whether they are a local company, a global company, whether they have a local partner or no partner at all. There’s an operational side to this as well. For instance, it’s good for the NEXTDC team to know when a customer’s maintenance windows are so this can be compared to the appearance of faults.”
Throughout the process NEXTDC has looked at video analytics.
“Some customers don’t want us to be going too far with video analytics while others would like us to use it,” Dzienciol says. “We’d be interested in analytics for license plate recognition to automate vehicle access control – we want analytics as a driver of efficiency. Face recognition is a consideration for people working remotely – we are looking to add that when we can. Another ongoing challenge is moving some elements of our video surveillance solution to the cloud – we will continue looking at that as we grow.
“Something else we are planning to implement is more granular detail when it comes to where people are in the facility so if there’s an emergency, we know exactly how many people are on site and where everyone is. That’s going to be based on Wi-Fi and Bluetooth using the HID access control readers – having readers with these capabilities gives us a measure of future proofing.”
Unsurprisingly, Dzienciol says that managing its own infrastructure can be challenging for the NEXTDC team.
“We have about 100 racks nationally that are exclusively for our own infrastructure – we are faced with the same challenges as our customers in managing our maintenance and upgrade requirements,” he says. “The analogy we use to describe our business is a plane that’s always in the air. We can never shut down all the critical engines that fly the plane. This means the way we manage our infrastructure and plan our upgrades and maintenance windows needs to be handled meticulously. Along with our network and support infrastructure, we also need to stay on top of maintenance of security devices like cameras and we proactively monitor the Genetec system, including all the connected devices, including readers, access control infrastructure.”
Philippe Ouimette, director of strategic partnerships, Genetec, says Genetec’s history with NextDC made the process easier.
“The first data centre we did with NextDC was through a systems integrator in 2011 and since 2014 we have had much more direct collaboration to ensure they can leverage the security systems to inform and improve business operations,” he explains. “One of the things we like is that every time NextDC builds a new data centre they try to outdo themselves in terms of technology – they always try to do better for their customers. To meet their expectations for each new data centre, we sit down and examine the way they are managing their operations, consider the new Genetec features and functions that might help them run their operations better.
“We then help them implement the enhanced solution. The NextDC team is very open to using new technology if it allows them to deliver the best possible service to their customers. From a Genetec point of view, it’s enjoyable to work with a company like NextDC that is like-minded – we put 25 per cent of turnover into R&D and working with a customer hungry to implement our latest developments is great.”
At the same time, Ouimette says the greatest challenge of the NextDC application is finding ways to update and upgrade a live data centre management system. Using the Genetec Update Service, we can download and distribute upgrades to the entire Security Center environment. It eliminates time-consuming, repetitive tasks, such as the need to manually deploy upgrades to each server and workstation, or the update of licenses. To minimize downtime, Security Center also offers the ability to deploy a failover server to maintain system functionality during the primary server’s upgrade.
“NextDC is in the process of updating to the latest version of the software – Security Center 5.8 – which will include graphical maps,” he explains. “But, as David says, the ‘plane is always in the air, so that upgrade is a process where operational constraints must be balanced against the value-add of new features and other priorities.”
Conclusion
Dzienciol says customers and staff love the M2 facility, with its integrated security solution and clever management solutions.
“This is a world-class site – we’ve won significant awards – and we’ve hosted some of the biggest companies in the world and been told our site is years ahead of competitors – the customer experience, design and engineering, down to the cleanliness of the facility,” he says. “Our approach to security and the systems we deploy lead the industry also, and we are working to ensure this functionality is uniform across the country.
“Something we learned as we grew is that it gets harder as you grow – scaling, back-end systems, but we continue to invest in innovation and infrastructure. We’ve invested significantly in the customer experience. We spend an enormous amount of time speaking to customers – part of our company values is to be customer-first and we have worked hard to put the customer at the centre of our thinking. As such we have focussed intensely on building a single platform for our infrastructure – standardisation makes data centres easier to manage.
“In the future as part of our drive for standardisation across all our sites, we will move to a model where we are running the full access control model remotely – centralised in a network operation centre,” he says. “We are not quite there yet, but we are approaching the inflection point.”
NEXTDC M2 will grow in the future.
Regardless of which model the business operates under, Dzienciol says the most important thing for NEXTDC is enhancing and streamlining the customer experience.
“When NEXTDC launched, we wanted to deliver our customers the best level of resilience and redundancy, the highest levels of security, the most flexible and scalable services and the best customer experience money could buy. And it was important that we deliver that world-class service to organisations of all sizes, not just larger scale customers,” he says.
“We believe we have achieved our goal – only 10 years ago many organisations had their own data centre but no matter how big an organisation is, you can’t build a facility with this level of security and redundancy to support only 10 racks – the economies of scale simply don’t work, but our model helps them achieve it.
“Today, thanks to seamless operation and security management, our customers treat NEXTDC’s data centres as their own and our technology allows them to go about their days and get what they need with little to no friction.”
#sen.news