It starts with the CIA Triad
Crime Prevention Through Environmental Design ( CPTED ) creates an environment around the data center to deter nefarious activity. CPTED lowers the likelihood to breach the perimeter of the data center, and increases the ability to detect breach attempts.
A good description of the history of CPTED applied to urban planning is found here. This body of knowledge has also been applied to mission critical facilities. CPTED is based upon the awareness that all space has a purpose, and that cultural, social, legal and physical aspects affect people’s use of that space. CPTED techniques help encourage legitimate uses of space and discourage illegitimate uses of it.
In my experience, “CPTED” is pronounced two different ways. Some say it as “Sea-Pea-Ted”. Others pronounce it as “Sep-Ted”. Either way is fine. CPTED strives to prevent or deter criminal activity through thoughtful design of the environment surrounding the facility.
Simple CPTED Techniques
CPTED is a detail of data center design that is often overlooked or underappreciated. Indeed, if one looks at a data center with good environmental design it may not even be noticeable at first glance. The principles of CPTED are applied to any mission critical facility- hospitals, government buildings, laboratories, and data centers. As a matter of fact, there are CPTED techniques that you might even consider at your home. It’s an area of study accused of paranoia, but the pervasiveness of application shows it’s effective. Let’s look at a few examples, and I think the picture will begin to come into focus.
Plants and Shrubbery
Plants can be a low tech way of enabling the breach of the perimeter of a data center.
Consider for example, how plants and shrubbery can assist in a break-in attempt. An intruder can hide behind tall shrubs. If those shrubs are planted next to a fence or along the wall of a building, they can be used to conceal an intruder’s presence and they work on breaching that barrier. If they are planted intermittently on the grounds surrounding the facility, they can be used to conceal one’s gradual approach to the building. It’s a simple idea, but it makes sense in the context we’re describing.
The same thing applies to trees. A tall tree next to a fence or wall can be used to breach the barrier. Someone can simply climb the tree and leap over the fence. How painfully simple is that? Wouldn’t the Security Officer of a data center be embarrassed if an intruder got in by climbing a tree!
Landscaping and Topography
The topography of the surrounding grounds, and the materials comprising them are also important. The sculpting of the surrounding landscape can help control the flow of foot traffic around the facility. Mounds and valleys can be used to encourage pathways. The landscaping materials can assist with this too, by creating surfaces that are difficult on which to travel.
At the same time, the creation of elevated and depressed areas of the grounds should be mindful of surveillance. A line of sight from the front lobby and surveillance cameras should not be obscured by mounds or depressions that can be used to hide an intruder.
Routes and Ways
The design of driveways and pathways can also be effective in the avoidance of intrusion. A long straight driveway from the street to the wall of the data center is an opportunity for a vehicle to gather speed as it approaches the building. This is not a good idea for risk avoidance. Instead, an approach that is windy and presents an approach parallel to the building as it gets closer is one that takes away the “battering ram” technique and gives more opportunity for evaluation of the vehicle as it enters the property.
Sidewalks can route foot traffic to where it needs to go, and avoid where we don’t want it to go. A long sidewalk adjacent and parallel to the wall of the data center only creates an opportunity to have a lot of people spending a lot of time next to the secure facility wall. Why would we allow that if we don’t have to?
One of the primary criticisms of CPTED is that it can deter but not prevent crime. They’ll say that someone with criminal intent is going to attempt to intrude on the data center one way or another. To this I say, “of course they are”! CPTED techniques will not completely end physical breaches. However, CPTED techniques are sensible and beneficial as a part of one’s risk mitigation approach. If you have the knowledge, why not use it? It’s another weapon in your “Defense in Depth” toolbox.
Many data centers lack the luxury of changing the environment surrounding them. Indeed, I’ve worked on many urban data center projects which violate many CPTED techniques that I can think of. This doesn’t obviate the value of CPTED. It reduces one’s options, but being aware of these concepts allows the creative data center designer to compensate in other ways.