The physical security of a web host’s data center isn’t always considered when one is choosing a web host. After all, we tend to think more of the security of our data from hackers and other electronic threats, and not so much from someone actually breaking into the data center to steal equipment. It’s not uncommon to see users on web hosting forums claiming that physical security isn’t really a consideration, as they’ve never heard of anyone walking into a data center and stealing a server.

But physical security is a big concern. There are attempts to break into data centers on a regular basis, some of which are successful. You should really pay attention to what precautions your web host has taken to ensure that their servers stay secure from physical threats in addition to electronic ones.

Break-ins aren’t the only potential threats. Fires, floods, power outages, and other natural disasters can also be huge concerns. Where is the host’s data center located? It might be in a completely separate city from where their corporate offices are. Is the area prone to floods? Mud slides? Earthquakes? Hurricanes? If so, what have they done to protect themselves, their equipment, and your data from these threats? Have they built their data center to the most current building codes for their area? Have they put in additional systems to protect against common threats? Do they have offsite backups or mirrors in case of a major disaster in their primary data center?

Some common security precautions you might look for include:

• Smoke detection and fire suppressant systems.
• Off-site data backup storage or mirrors.
• 24-hour monitored security system.
• Biometric or other secure pass codes required to access their data center or server rooms.
• Reinforced entry doors, bulletproof/safety glass, reinforced walls.
• Video surveillance both inside and outside the facility.
• A standby generator or backup power systems.
• 24-hour security guards.
• “Mantraps” for automatic physical detention of an intruder.
• Buffer zones around the building itself so that unauthorized vehicles can’t gain entry.
• Redundant utility setups, with multiple incoming power lines, data lines, water lines, etc. each coming from separate utility substations or mains.

Data Centers are graded in Tiers (according to the TIA-942:Data Center Standards Overview) depending on their level of security, infrastructure types, and reliability. Tier 1, the lowest level, is equivalent to a basic computer room. They’re very susceptible to downtime from both planned and unplanned sources. The highest level, Tier 4, is meant for mission-critical type data. Their data centers aren’t interrupted by planned activity and they can still operate under many worst-case scenarios without any critical impact. Most data centers for shared hosting fall into the middle tiers, though there are some that are Tier 4.

Many hosts outsource their data center operations and simply buy space in one of the larger data centers located around the world. While this might make some customers uneasy, it can actually be a good thing. Large, dedicated data centers generally dedicated resources to up-time and security in a way that smaller hosts couldn’t afford to do. Oftentimes these data centers work with not only hosting companies but also large corporations where security is a big concern (such as banks or hospitals). In many cases, these kinds of hosting companies offer the best of both worlds: you get personalized attention from the hosting company’s staff while also getting all the benefits of a large data center.

Realize that if the data center your host uses is compromised by a physical threat, it can mean not only downtime for your site(s), but also a range of potential liability issues if your customers’ data is lost. Physical security is especially important if you deal with sensitive data like financial or medical records. Make sure that your web host is taking all of the proper precautions to make sure their facility and your data remain secure. Some questions you may want to ask a prospective web host about their data center:

• What tier is your data center rated at according to the TIA-942:Data Center Standards Overview?
• Do you have monitored alarm systems and/or twenty-four-hour security onsite?
• What kind of fire suppressant system do you use?
• Have you taken necessary precautions to defend against natural disasters common to your area?
• Do you use biometric or other identifiers to control access to your facility?
• What redundancies and backup systems have you put in place?

Realize that a host may be reluctant to share exact details of some of their security features (which is good, as they shouldn’t be giving potential threats information on all their security precautions), but they should be able to at least give you basic information about precautions they’ve taken. Many of the better web hosts have information of this nature right on their website. Even smaller hosts often use servers in a data center that has top-level security, while some of the larger ones might not take physical security seriously. Again, how much security you need depends on the type of data you handle and how important constant up-time is for your website.

Beware of web hosts who don’t take physical security seriously. There are plenty of hosts out there who only take threats from electronic sources seriously. But considering that physical security threats come not only from people, but also from nature, it’s not something to be taken lightly.