Auditing the Physical Security of a Data Center
Results 1 to 6 of 6

Thread: Auditing the Physical Security of a Data Center

  1. #1
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    742

    Post Auditing the Physical Security of a Data Center

    Auditing the Physical Security of your Data Center

    Objective:
    Educate the reader in the steps they should look for in their current data center and to aid in the process if you are creating a new data center.

    Reason for this Article:
    After taking a position as a Data Center Administrator I needed a starting point. After researching everything I realized that not only is there a lack of documentation on the subject but no real recommendations for where someone should start. I propose that ensuring your Data Center is secure be the first step one takes in ensuring their overall security.

    Introduction:
    Depending upon your type of business the core of all your information technology is passed across your network to and from your servers. There are endless layers of security you should be aware of; however, this is just touching upon the actual physical security of your Data Center. This document will be broken up into the various sections of physical security.

    Physical security should be on the forefront of all your security needs and guidelines. It doesnít matter how many firewalls you have or how secure any of the passwords you have in place are, if someone can physically touch any of your network and serving equipment. This is also true of all your damaged media and backup media.

    Location:
    The first step in determining where your server room should be located would be in finding a good location in the building that will allow for both expansion and ease of access for anything else you need to have. A centralized location will make wire runs shorter and should prove for future ease of expansion. You will also need to ensure that this room has an adequate locking system.

    Access Control:
    Access to this room should be limited to essential employees only. Your company should have some form of badge/ID system in place and access to the Data Center should be monitored. There should be a secure process to issuing badges, keys, and/or codes. If you have the means to be able to have Badge scanners then logs should be kept on who accesses the room and when. This list should be audited on a weekly/monthly basis to make sure that only essential employees are accessing this room. There will inevitably be times when people that donít have badges need access to your room. If you have visitors or maintenance people that come into your data center they should be escorted at all times. No unauthorized user should be allowed unmonitored physical access to your data center. When instances like this happen you should have sign in sheets at each door and all visitors should be required to sign in, state the reason they are coming and then sign out.

    All doors should be on fixed hinges or at a minimum hinges that arenít removable. If possible you should have a double door setup in place. Employee enters door one and canít enter door two until the first has closed. This will help prohibit people hijacking/tailgating your entry. If you canít afford to put badge scanners in place you should at least make sure that the doors have automatic locks on them and give keys to the essential list of employees. It is important to note that either route you take, in the event of an emergency, the data center needs to be able to have quick and easy exit capabilities. You need to also ensure that all windows that look into the data center are not conducive to force.

    Once beyond the doors you need to make sure that if this is an office setting and your data center has drop ceilings that around the border of the data center that the walls extend all the way to the ceiling to make sure someone doesnít just pop a tile and scale over the wall. After you have made sure that you pass both these requirements you can move into your data center.

    Servers:
    If at all possible all servers should be placed into server racks, and it is good policy and practice to lock the rack (after all they have locks for a reason).

    Labeling:
    There are both pros and cons to labeling your servers on the outside of the server. If your room is truly secure and no unauthorized users can access your data center then you should not have to worry about labeling them. Labels prove useful if you need to manually power down a server or install software or do any other maintenance. This will reduce accidentally powering off the wrong server.

    Wiring:
    If at all possible all wiring for the servers should be kept within the data center as well. If you have remote switches they should be under key locked switch cabinets to prevent users from accessing your data from a remote location within the premises.

    Monitoring:
    You should have proper monitoring policies and procedures in place. If possible there should be cameras on the doors to the data center as well as pointing on the servers/switches recording to a machine that is under a separate key lock; and if appropriate alarm systems should be in place and tested on a regular basis.

    Media:
    Two commonly overlooked pieces of data are your backup tapes/disks and damaged media. All backups should be rotated to an offsite location. If this is someone from the locations home this person needs to be a person that has full authorization to all of the information on the servers since he/she would be able to recreate any of this data offsite. If you outsource this storage you will have to do your research to make sure the company you use is an upstanding company and it would be in your best interest to tour the location that they store your media in to make sure its in a fire proof safe and that they have their own security measures in place. Your data should be as safe as money. All data you keep onsite should be stored in a fireproof safe to ensure itís not going to be stolen and to keep it safe in the event that there is a fire. All damaged media should either be locked up or physically destroyed.

    Synopsis:
    While there are many other policies and levels of security it is important that you pay attention to the physical security of your data center. No matter how secure you believe everything is it is imperative that you start with the basics and make sure that your data center is secure physically. These steps are not a guarantee that all your information will be safe but are a series of guidelines and best practices to help ensure your data is physically secure.

    Links about this topic:
    1- http://www.unix.org.ua/orelly/netwo...uis/ch12_01.htm
    2- http://www.awprofessional.com/artic...=25850&rl=1
    3- http://it.emory.edu/showdoc.cfm?docid=1860&fr=1027
    4- www.securedbydesign.com/ pdfs/standards_computer_2002.pdf
    5- http://www.securityinfowatch.com/on...nals/4820SIW306

    Special Thanks for Help:
    jm459
    Egaladeist
    Black Cluster
    dinowuff
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here

  2. #2
    Junior Member
    Join Date
    Oct 2003
    Posts
    8
    not a bad start. The part where you talk about having double doors and only one door can be opened after the first is closed is called a man trap. You could also go more into depth on How you would secure the room itself, for example, I know of some data centers employ Bullet resistant and fire resistant Drywall. they usually use two sheets of 5/8 laided over top of each other for extra thickness. Also you could discuss the use of Fire surpressant systems, to put out a fire. I know some comanys use fm-200, or halon(sp) to put out fires.
    The placement of UPS's is important because you just don't want anyone bumping into the Load off button on those puppys Not sure if you mentioned it but alway use steal doors. Then there is just alot of stuff you could get into about biometrics.

    The facility that I work in uses multiple layers of physical security to cut down on unannounced guests and tailgating. To get into the building you need a keycard. This leads to a mantrap, where a security guard sits and checks credentals(sp). As we discussed before the next door can't be opened till the first door is closed. The security guard sits behind a bullet proof glass window. the next doorway contains A facial scanner, from there there are individual cages which must be opened via thumbprint and keycard scanner. these cages and doors have dual locking mechinisms(sp) so one door can't be opened till you swip out, ex. you thumbprint and swip to get into cage, you pass your card to someone esle to let them in, but it will not let you pass till you swipe out of the cage that you are in, if that makes any sense.

  3. #3
    Hi, my hume opinion for this texts:


    first:

    Servers:
    If at all possible all servers should be placed into server racks, and it is good policy and practice to lock the rack (after all they have locks for a reason).
    think in server structure:

    a) server rack (how you say)
    b) server hardware (dual processor architecture if it is possible)
    c) server freezee (anti hate systems)
    d) server plarform (motherboard) thinking in what server operational tasks is run under...
    e) server processors.


    second:

    Wiring:
    If at all possible all wiring for the servers should be kept within the data center as well. If you have remote switches they should be under key locked switch cabinets to prevent users from accessing your data from a remote location within the premises.
    You may consider for acces point architecture, CISCO, Comercial Routers, and the best considerations for security vendors.


    The server installation and server configuration take more than one way.(data center, application center, Clustering Data Base, NAT etc)



    Good post.


    Saludos

  4. #4
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    742
    freealans - my next tut is going to be about designing a data center and the thoughts ideas behind it. That will definitely fit in with what you are talking about. I personally havent seen a data center with bulletproof drywall... I didnt even know it existed. Cool idea though. I will make sure to look into that as I develop my next tutorial.
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here

  5. #5
    In And Above Man Black Cluster's Avatar
    Join Date
    Feb 2005
    Posts
    912
    Hi Spyrus,

    great reading indeed, as a little enhancment, why don't you devise a handy checklist out of your tutorial? Checklists are really cool with tutorials, I think.

    Cheers
    \"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts\".....Spaf
    Everytime I learn a new thing, I discover how ignorant I am.- ... Black Cluster

  6. #6
    Junior Member
    Join Date
    Oct 2005
    Posts
    1
    A new standard was issed by TIA in april.

    http://www.tiaonline.org/media/press...arelease=05-46

    it addresses physical security of datacenters and comptuer rooms from a design perspective.

    another resource is the professional organization AFCOM (http://www.afcom.com).

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •