How Facebook protects data with physical security

Acting as a final layer to a perimeter defense, Facebook’s global security data centers team guards intellectual property. It’s an integrated approach where even the company’s office buildings are designed to put physical protection between servers and the public.

Terena Bell May 31st 2018

Thorough cybersecurity takes more than tech: That’s the thinking at Facebook, where Chief Global Security Officer Nick Lovrien deploys physical security to protect data. Yes, canine units and human guards stereotypically keep people safe, but when properly integrated, physical security protects information as well.

“Everything we should do is based on ruthless prioritization,” Lovrien says. “Move fast and build things.” To speed development, the company has an open office floorplan. “Nobody has an office at Facebook,” he explains — “Mark, Sheryl, CEO, COO, nobody.” The business also doesn’t issue employee badges, meaning there are no physical keycards to separate staff from the 20,000 visitors streaming through Facebook facilities every day. That’s an obvious risk — not just for physical threats but for keeping those guests from grabbing data while inside.

Lovrien admits a workplace where so many guests come in or out is “obviously a different approach to creating that safe and secure environment, but the risk level that that has technically is offset by the collaboration and the output and the impact that we feel it enables.” In other words, the business needs open offices, so security has to deal with it.

For starters, within that open environment, every location has “secured spaces” — areas Lovrien describes as shared areas beyond access control points. This, of course, includes the data centers.

“When I started over five years ago,” Lovrien explains, “we had one data center and it was one building. Today we have about 20 data centers and each of those data centers is growing to about 20 buildings per data center.” The centers host photos, Facebook Live feeds, other video, and similar files. The company uses Amazon Web Services (AWS) to support the retail side, but the data centers, Lovrien says, are internal server farms: “Miles of servers everywhere that's storing all of your pictures [and] videos.”

A buddy system to keep an eye on guests

To keep guests from walking right in and stealing the goods, Facebook uses a buddy system. If someone’s in the office to see you, stick with them. If any employee sees someone wandering without a pal, she messages a company safety bot, which can handle more than 2 million conversations at a time. Facebook’s global security services department mans each location’s reception desk to approve arriving guests.

Lovrien says a surveillance team then “utiliz[es] identity management through cameras and other things” to track visitor movement. To keep the camera system in shape, he adds, Facebook’s global security systems and technology group is “always monitoring the health of our systems and making sure that we are proactive — before a camera goes down that we are ripping and replacing it or on asset control.”

The lobby as the perimeter

“We really treat our lobbies as our perimeters. You'll see an obvious two-point authentication as you walk in. You've got the anti-tailgating and the active control, which will be consistent from office to office,” he explains. (Tailgating, in the world of physical security, is when an employee inadvertently lets a non-employee in, usually through trying to be nice — like holding the door open for the person behind you.)

Countersurveillance officers walk the buildings in plainclothes, Lovrien says, so “people don't feel like they have a bunch of security officers running around.” At Menlo Park — Facebook’s California headquarters — a bicycle unit, mobile team, and canine patrol police the grounds as well.

Large cities a bigger challenge for physical security

Protection for Menlo Park is easier than for New York, Singapore, and offices in larger cities where sales and marketing teams work. Menlo Park, Lovrien explains, is “actually the same size as the Empire State Building” were you to lay the skyscraper on its side. Facebook owns the property around the office, some of which will be used in upcoming facilities expansion. This extra space enables security to patrol the area near Facebook’s headquarters for suspicious situations.

In larger cities, Facebook’s offices aren’t the only thing around for miles. “We have to be very centrally located,” he explains, and their buildings are just part of the crowd. The New York office, for example, is at East 43rd Street and Madison Avenue — less than a block from Grand Central. The Singapore office is at street level. It’s impossible to control and police activity around them.

This creates a challenge, Lovrien admits, “but also enables us to think differently and outside the box.” In London, this means architectural design that makes use of stairwells. Coupled with knocked-out ceilings, stairs connect the office for that open feel but act as physical barriers that slow intruders down.

Granted, visitor tracking and architectural design usually aren’t cybersecurity’s building blocks. Even if global security is less 128-bit, more nightstick, that doesn’t mean Lovrien’s team avoids infosec. Physical security’s raison d’être, Lovrien says, is “protecting our assets — to ensure Facebook's physical and electronic assets are safe and secure from buildings to servers and prototypes to ideas.” When threats surface, he adds, “We don't say, ‘Is that an IT issue or that is a facilities issue?’ We take it, we provide white glove services, and we solve it.”

“I always tell people our organization is an intel-based organization,” he continues, explaining how, in part, integrating with cybersecurity is “how you make your program not just a cost center but giving back to the business. We try to identify the threat and mitigate it before it's ever realized.”

Corporate buy-in, he adds, solidifies this team effort: “One of the great things about having Mark [Zuckerberg as CEO] is that he sees and understands the value of the global security program. He understands the holistic approach that we're taking to protect him and all of our employees.” If Mark Zuckerberg sees the link between physical and cyber protection, can’t we all?