Let's Get Physical; part 1
When we discuss security for our server systems, logical security measures tend to take precedence. Let's be honest; configuring a firewall to deter a seasoned hacker is a little more exciting than making sure the lock on the server room door is working properly. However, years of research and numerous statistics show that you are far more likely to lose data or suffer downtime as a result of the actions of an employee than an outside source. That's not to say that firewalls and the like are not important -- they are -- it's simply vital to remember that such measures are only part of an overall security strategy. That security strategy should include physical security measures as well as logical ones. Physical security is about limiting access to equipment for the purposes of preventing tampering, theft, human error and the subsequent downtime these actions bring.
In most environments, many of the basic physical security measures are already in place. Servers and other associated equipment are placed in a separate room, away from the prying eyes and wandering fingers of overcurious staff. Backup tapes are commonly password protected, but do such password systems offer the protection your data warrants? For an extra degree of protection, using encryption devices such as the aptly named Paranoia from Avax (www.avax.com) can ensure that if backup tapes fall into the wrong hands, the likelihood of unwanted eyes seeing your data is slim indeed. Security of backup tapes is an often-overlooked aspect of physical security, which is a shame. Organizations spend massive amounts of money creating a physically and logically secure network environment, and then send a backup tape that contains an entire copy of a server's data offsite with little or no protection. In many cases the loss of a tape serves as the wake-up call, but often this is a case of closing the barn door after the horse has bolted. As important as the security of offsite tape backups is, it must not distract us from the physical security of our equipment and data while it is onsite.
Inside the server room, server-specific racks allow equipment to be stored in a tidy and efficient manner; they also allow keyboards to be protected by a locked door. Most server rack locks are more of a discouragement than a preventative measure, but in many cases that is all that's needed. Network switches, routers and other networking equipment should be similarly protected. The key consideration here is not theft or damage to equipment, but rather the downtime created by a borrowed power cable or the clumsy disconnection of a network cable.
If servers can't be secured by lockable racks, they should be password protected. Some server and network administrators have objections to password-protected screensavers as they prefer to be able to see the server screens and any possible error messages. A safer and more efficient approach is to have remote monitoring and remote notification in place. Removal of keyboards and mice is also a reasonable option, though this can present a level of inconvenience that many server and network administrators are reluctant to explore.
Moving away from the security of individual equipment and looking at the server room as a whole, there are many more physical security factors to consider. For example, depending on your physical location and your degree of paranoia, windows should also get plenty of attention. If your server room is on the first floor, security bars are a must, as are blinds or reflective film to stop prying eyes. For a further degree of protection, consider using a film such as BurglarGard from Shattergard (www.shattergard.com) that can serve both purposes.
If your server room is higher up within the building, the chances of someone gaining entry are lessened, but windows should still be considered, particularly in settings such as a downtown tower block where people from other buildings may be able to look into the server room. How much information could be gained by 'peeping toms' may be debatable, but for the sake of a small investment in window blinds or reflective film it's not a risk worth taking. If another justification were needed for the use of blinds or reflective film, consider the benefits to cooling in the server room. Blocking the sun will stop the room heating up and allow air conditioning units to work less. Ideally of course, server rooms will have no windows at all, but placement considerations don't always allow an internal room to be used, a point that has more of a bearing than just windows.
In the conclusion to this article, we will look at server room placement within the physical plant.
Drew Bird (MCT, MCNI) is a freelance instructor and technical writer. He has been working in the IT industry for 12 years and currently lives in Kelowna, BC, Canada.