|
-
October 1st, 2005, 12:43 AM
#1
 Auditing the Physical Security of a Data Center
Auditing the Physical Security of your Data Center
Objective:
Educate the reader in the steps they should look for in their current data center and to aid in the process if you are creating a new data center.
Reason for this Article:
After taking a position as a Data Center Administrator I needed a starting point. After researching everything I realized that not only is there a lack of documentation on the subject but no real recommendations for where someone should start. I propose that ensuring your Data Center is secure be the first step one takes in ensuring their overall security.
Introduction:
Depending upon your type of business the core of all your information technology is passed across your network to and from your servers. There are endless layers of security you should be aware of; however, this is just touching upon the actual physical security of your Data Center. This document will be broken up into the various sections of physical security.
Physical security should be on the forefront of all your security needs and guidelines. It doesn’t matter how many firewalls you have or how secure any of the passwords you have in place are, if someone can physically touch any of your network and serving equipment. This is also true of all your damaged media and backup media.
Location:
The first step in determining where your server room should be located would be in finding a good location in the building that will allow for both expansion and ease of access for anything else you need to have. A centralized location will make wire runs shorter and should prove for future ease of expansion. You will also need to ensure that this room has an adequate locking system.
Access Control:
Access to this room should be limited to essential employees only. Your company should have some form of badge/ID system in place and access to the Data Center should be monitored. There should be a secure process to issuing badges, keys, and/or codes. If you have the means to be able to have Badge scanners then logs should be kept on who accesses the room and when. This list should be audited on a weekly/monthly basis to make sure that only essential employees are accessing this room. There will inevitably be times when people that don’t have badges need access to your room. If you have visitors or maintenance people that come into your data center they should be escorted at all times. No unauthorized user should be allowed unmonitored physical access to your data center. When instances like this happen you should have sign in sheets at each door and all visitors should be required to sign in, state the reason they are coming and then sign out.
All doors should be on fixed hinges or at a minimum hinges that aren’t removable. If possible you should have a double door setup in place. Employee enters door one and can’t enter door two until the first has closed. This will help prohibit people hijacking/tailgating your entry. If you can’t afford to put badge scanners in place you should at least make sure that the doors have automatic locks on them and give keys to the essential list of employees. It is important to note that either route you take, in the event of an emergency, the data center needs to be able to have quick and easy exit capabilities. You need to also ensure that all windows that look into the data center are not conducive to force.
Once beyond the doors you need to make sure that if this is an office setting and your data center has drop ceilings that around the border of the data center that the walls extend all the way to the ceiling to make sure someone doesn’t just pop a tile and scale over the wall. After you have made sure that you pass both these requirements you can move into your data center.
Servers:
If at all possible all servers should be placed into server racks, and it is good policy and practice to lock the rack (after all they have locks for a reason).
Labeling:
There are both pros and cons to labeling your servers on the outside of the server. If your room is truly secure and no unauthorized users can access your data center then you should not have to worry about labeling them. Labels prove useful if you need to manually power down a server or install software or do any other maintenance. This will reduce accidentally powering off the wrong server.
Wiring:
If at all possible all wiring for the servers should be kept within the data center as well. If you have remote switches they should be under key locked switch cabinets to prevent users from accessing your data from a remote location within the premises.
Monitoring:
You should have proper monitoring policies and procedures in place. If possible there should be cameras on the doors to the data center as well as pointing on the servers/switches recording to a machine that is under a separate key lock; and if appropriate alarm systems should be in place and tested on a regular basis.
Media:
Two commonly overlooked pieces of data are your backup tapes/disks and damaged media. All backups should be rotated to an offsite location. If this is someone from the locations home this person needs to be a person that has full authorization to all of the information on the servers since he/she would be able to recreate any of this data offsite. If you outsource this storage you will have to do your research to make sure the company you use is an upstanding company and it would be in your best interest to tour the location that they store your media in to make sure its in a fire proof safe and that they have their own security measures in place. Your data should be as safe as money. All data you keep onsite should be stored in a fireproof safe to ensure it’s not going to be stolen and to keep it safe in the event that there is a fire. All damaged media should either be locked up or physically destroyed.
Synopsis:
While there are many other policies and levels of security it is important that you pay attention to the physical security of your data center. No matter how secure you believe everything is it is imperative that you start with the basics and make sure that your data center is secure physically. These steps are not a guarantee that all your information will be safe but are a series of guidelines and best practices to help ensure your data is physically secure.
Links about this topic:
1- http://www.unix.org.ua/orelly/netwo...uis/ch12_01.htm
2- http://www.awprofessional.com/artic...=25850&rl=1
3- http://it.emory.edu/showdoc.cfm?docid=1860&fr=1027
4- www.securedbydesign.com/ pdfs/standards_computer_2002.pdf
5- http://www.securityinfowatch.com/on...nals/4820SIW306
Special Thanks for Help:
jm459
Egaladeist
Black Cluster
dinowuff
Duct tape.....A whole lot of Duct Tape 
Spyware/Adaware problem click
here
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote