May 12th, 2005 07:26 PM
Physical security and biometrics
We all know how important and critical the issue of physical security of server machines is. In fact, I am looking for a security solution to be implemented for my server room, and I am looking at a biometrics solution. What would AO suggest on this? Do you people have any experience with biometric security implementation? Do you think that it is feasible to implement a biometric solution for our server room, or would you say that swiping the old magnetic tape cards through a reader would be good enough? OK... I guess too many recommendations in a row... lolz. Take a deep breath and shoot your valuable opinion about this issue.
I would really love it if someone could explain their physical security setup for their server rooms. Also, do you people have any policies for visitors (like a support team from the vendor) who are supposed to come and visit you on a regular basis?
I would really appreciate AO input in this regard.
May 12th, 2005 08:19 PM
Well, that all depends on the nature of your business...
I mean, I work in the COSC Research Lab at the local university... Our server room is protected by a deadbolt, which only one professor has the key to... Our servers don't contain "valuable information" per se - student research webpages, various ISOs, an Oracle database, student homework... I mean, it would really suck if someone wiped all of that stuff out, but it wouldn't exactly devastate the nation... so the "deadbolt system" is sufficient for us...
On my home file/web server, I have *no* physical security (well, it is in my apartment - I suppose that's somewhat secure)... personally, I wouldn't give two sh1ts or a fux0r if someone came in and stole the thing (it's just an old Pentium 2 hosting nothing more than a crappy webpage and misc. files - backed-up mp3s mostly)...
However, if you've got some serious stuff you want to secure, I suppose you need to perform a simple risk assessment and a cost-benefit analysis... In other words, "How badly would you be screwed if your servers were compromised, and is it worth the cost of a biometric system/keypad/deadbolt/camera/watchman/etc., etc. to protect those servers?"
May 12th, 2005 08:25 PM
I like solutions that use more than one authenticator.
A proximity or swipe key card and a palm scan device is a good combo we use.
The solution should directly reflect what you are protecting.
Can you elaborate with more detail about room contents, size, other details?
Your solution should complement existing building security.
Good door access control means little for a room with unguarded drop ceilings...
May 12th, 2005 08:47 PM
It really just depends on the value of that data and what your company is willing to pay to protect it.
I have used anything from regular deadbolt door locks to biometrics for securing some of my clients' server rooms.
A simple fingerprint-reading door locking mechanism with a key punch bypass could run you as little as $200.00, or you can spend a lot more on iris, retina, or palm scanners.
What is the data worth to the organization? What type of data is being protected?
Let me know and I'll try to make some better recommendations.
"Common Sense isn't that common"
"It is a lot easier to raise a child than it is to repair an adult"
May 12th, 2005 08:50 PM
To get to our server room you first need to get into our building, get into our office (electronic key cards, camera at the front door), walk past a conference room, a secretary (you must sign in and out), and 5 offices (mostly department heads, and our office manager), pass all the tech offices and cubes, and then have a second key card that is unique from all others in the building. The server room has cameras that can be accessed by any employee at any time, and the key card makes a loud beeping noise that can be heard from most parts of the office when swiped.
Policy here is unless you are directly employed by this company and have a reason for being in the room (i.e. a network engineer, systems engineer, or database engineer), you stay out. If a contractor comes in, someone we co-locate servers for, etc., at least 1 tech has to be with you all the time.
We don't have expensive security, but it works well because you can't get past everyone without being seen by an actual person or a camera. At night when the office is empty we have security in the building.
Personally I wouldn't mind a guy with an automatic rifle sitting there... but oh well.
May 13th, 2005 07:16 AM
The room is pretty big and its security is critical for the operational activities of the business. We have almost all of our regional servers in that room, i.e. domain controllers, mail servers, web server, DNS, file server, FTP server, and our Cisco equipment that includes firewalls, IDS and Catalyst switches. All of our call center equipment, that includes our clustered IVRs, clustered CTIs, recorder machines, database server and ACD stuff. The integrity and security of data is one aspect. But I am being paranoid about the physical access to the machines. If any of these machines goes down, organisational activities will come to a halt. I am looking to suggest a proposal to my company which balances cost and risk assessment. OK, data security and integrity is an important issue to worry about, but one cannot be ignorant about physical security.
For our tech support team, we already have a visiting policy, but I am looking to harden it a little more. Umm, two-factor authentication seems to be a nice idea. I guess I would say palm scanning, a security camera in place and a loud alarm would do good. What does AO say about it??
P.S. Besides, has anyone ever had experience with a call center setup, like IVRs, CTIs and ACDs, etc.? Would you suggest any specialised security precautions in a call center environment??
May 13th, 2005 07:47 AM
Call center equipment (although very important) generally is not the target of a malicious act.
The first thing you want to consider for security is how many entrances to the room there are. If it is just one front door then it makes it all easier. I would -strongly- recommend you get locking racks. We have these and they are great; if one is forced open an alarm goes off. In addition to this, most of our servers have face plates on them, and if one is removed it alerts our monitoring program, which will send a page to the tech in charge of that server. These are great in case someone does get by all of us, or if someone we trust is touching stuff they shouldn't.
As far as security goes: how many people need access to the room? If they don't -need- access then they shouldn't have it. Simple. I would also make sure each person has a unique identifier when they get in (our system has a key, and this is not unique; everyone that goes in the room has an identical key... this sucks), so make that a must. You want backups also. If the power goes out, make sure you can still get in and out of the room if needed.
Also, IMO you should need a key to get out as well. That way if someone gets in using a trick of some sort, getting out will still be hard to do. Twice the chance of catching them. I like the idea of palm scanning; no chance of people losing their passwords or loaning them to others.
Make sure you have a CLEAR set of policies written and make EVERYONE (even the people who don't need access to the room) sign them. Make it clear that NO ONE is to let others in the room, etc. If possible, set time restrictions to keep people from going in when not necessary and have an override in case of emergencies (maybe two or three people who can get in at all times, preferably head techs).
Cameras are a must, and I would suggest ones that are accessible from the desktop computers so any authorized person can check them if needed.
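The controls discussed in the thread (a unique identifier per person, a second factor such as a palm scan, time restrictions with an emergency override for a few head techs, and the earlier post's rule that contractors are escorted by a tech at all times) are only as good as the check that enforces them. As an added example, and not any poster's actual system, the script below runs constructed badge-reader events through such a policy and reports each violation. Every name, the log line format, the access list, the business-hours window and the "badge+palm" factor set are assumptions made up for illustration.

```python
"""Policy audit over constructed server-room access events (added example)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional

# Assumed access list: who may enter, and who holds the emergency override
# (the "two or three head techs" idea from the thread).
ACCESS_LIST = {
    "alice": {"role": "network engineer", "override": True},
    "bob": {"role": "systems engineer", "override": False},
    "carol": {"role": "database engineer", "override": False},
}
ALLOWED_WINDOW = (time(7, 0), time(19, 0))   # assumed business hours
REQUIRED_FACTORS = frozenset({"badge", "palm"})  # assumed: card + palm scan


@dataclass
class Event:
    ts: datetime
    person: str
    factors: FrozenSet[str]
    escort: Optional[str]  # set for contractors / visitors


def parse_event(line: str) -> Event:
    """Parse one constructed log line, e.g.
    '2005-05-13T22:10:00 bob badge+palm' or
    '2005-05-13T14:00:00 vendor1 badge escort=alice'."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    person = parts[1]
    factors = frozenset(parts[2].split("+"))
    escort = None
    for extra in parts[3:]:
        if extra.startswith("escort="):
            escort = extra.split("=", 1)[1]
    return Event(ts, person, factors, escort)


def evaluate(ev: Event) -> List[str]:
    """Return the policy violations for one event (empty list = compliant)."""
    findings = []
    entry = ACCESS_LIST.get(ev.person)
    if entry is None and ev.escort is None:
        findings.append("not on access list and unescorted")
    if entry is None and ev.escort is not None and ev.escort not in ACCESS_LIST:
        findings.append("escort %r is not on access list" % ev.escort)
    # Listed staff must present every required factor, not just the card.
    if entry is not None and not REQUIRED_FACTORS <= ev.factors:
        missing = sorted(REQUIRED_FACTORS - ev.factors)
        findings.append("missing factor(s): " + ", ".join(missing))
    # Outside the window only override holders may enter.
    in_window = ALLOWED_WINDOW[0] <= ev.ts.time() <= ALLOWED_WINDOW[1]
    if not in_window and not (entry is not None and entry["override"]):
        findings.append("outside allowed hours without override role")
    return findings


def audit(lines) -> Dict[str, List[str]]:
    """Run every non-blank line through the policy; keys are 'timestamp person'."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        findings = evaluate(ev)
        if findings:
            report["%s %s" % (ev.ts.isoformat(), ev.person)] = findings
    return report


# Constructed sample log: one clean entry, one card-only entry, one after-hours
# entry without override, one after-hours entry by an override holder, one
# escorted contractor and one unescorted unknown person.
SAMPLE_LOG = """
2005-05-13T09:15:00 alice badge+palm
2005-05-13T10:02:00 bob badge
2005-05-13T22:10:00 carol badge+palm
2005-05-13T23:40:00 alice badge+palm
2005-05-13T14:00:00 vendor1 badge escort=bob
2005-05-13T15:30:00 vendor2 badge
""".strip().splitlines()

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_LOG).items():
        print(key, "->", "; ".join(findings))
```

Running it flags three of the six events: bob's card-only entry, carol's after-hours entry, and the unescorted unknown visitor; alice's late entry passes because she holds the override, and the escorted contractor passes because the escort is on the list. Wiring the same logic to the real reader's log feed (and paging on a non-empty finding list, as the face-plate alarm in the post does) is what turns the written policy into something that is actually checked.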
May 13th, 2005 09:14 AM
You possibly need to think about the layers of security you have.
Work from the outside of the building in, and think about all the sets of security a would-be intruder would have to go through. Your changes to the physical security surrounding the servers may start further away than the entrance to the server room.
XTC46 is very correct in mentioning that you will need policies and procedures set for the physical security. If the rest of the building is out of your remit, you may still want to review their policies/procedures and check to see if they are being followed. You may want to put recommendations to them if you find it lacking, and it may change what you feel is necessary for your own servers.
I'd be interested to hear what you finally decide on and what you find if you review the security of others.
May 13th, 2005 10:08 AM
In addition to my previous recommendations, I'd still like to point out that a guard with an automatic rifle outside the server room door would still be very effective, lol.
May 13th, 2005 01:42 PM
I think many points have been introduced by XTC46 and krupots .... They are the best actually ....
In the process of evaluating the feasibility of installing a biometric system for the server room, we must ask ourselves many questions. The importance of protecting the server varies from one business to another .... For instance, a commercial web server owner would be by far more paranoid about the security than the owner of a non-commercial one ....
Secondly, we have to make some kind of contrast between the cost of the implementation and the feasibility of the implementation .... Like if a business has a small server to house regular HTML pages .. for $10 per month .... it would be extremely ridiculous to install some advanced biometric systems .. like iris and retina scanning ... no need for such a policy ... we can guard the server by locking the room ... that's it ....
Quite the contrary, if a commercial server is there and the company hosts a lot of commercial websites and stores customers' information ... here a really restricted policy is needed to restrict physical access to the server .....
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts." ..... Spaf
Every time I learn a new thing, I discover how ignorant I am. - ... Black Cluster