Your company recently went through several rounds of layoffs, and many employees received pink slips. One night, you receive a page that a server has gone offline. You report to the data center and unlock the door to find what looks like a battle zone. Two new Storage Area Network (SAN) racks are lying on their sides on the floor. Yellow warning lights blink on several of the drives and their controllers.
The main server cabinet has suffered the greatest damage. Floor tiles that covered the raised floor have been removed, and the whole unit has been rolled into the gaping hole and dropped 2' to the actual floor below. Backup tapes are strewn everywhere. You'll need days to figure out what data you've lost and whether the tapes are in good enough condition to aid in restoration. The security supervisor arrives and tells you she found the point of entry in an abandoned room that shares the same raised floor.
This incident is fictitious, but incidents like this can and do happen. And here's a true story that teaches the same lesson. Several years ago, a crucial member server in my company lost its network connectivity. We had been using domain accounts to log on to the machine, but these were now unusable because the credential caching on the server was disabled. Our hopes for logging on with the local Administrator account were dashed when we learned that someone had changed the account's password without documenting the change.
Using a trick I picked up off a cracker Web site, we were soon able to log on to the server with administrative privileges. In just a few more minutes, we were able to get the server back on the network. Initially, we were euphoric that we'd gotten the server back online so quickly by using our newfound cracking skills. Then, we realized that unscrupulous individuals could just as easily have gained unauthorized access to the valuable corporate data on that server and covered their tracks afterward, making it impossible to tell that they'd logged on. Anyone with physical access to the server could perform these actions. And today, additional tools are available that make accessing a locked server even easier.
The moral of these two stories is that physical security is absolutely crucial. You can disable unused ports, install event-log-monitoring software, and add every update and hotfix to keep out the bad guys—but if they can gain physical access to your data center, they can still do real damage. Complete server and network security includes physical security. As an IT professional, you're most aware of the high cost of hardware and data loss and are in the best position to determine your risks and strengthen your data center's physical defenses against this type of attack.
Determining the likelihood of a break-in at your data center can be difficult. Following are a few factors to consider.
Past security incidents at your facility or your competitors' facilities. If your site or your competitors' sites have a history of serious security incidents, I hope your management has devoted the resources necessary to protect against future attacks. Incidents of vandalism might be an indication of external or internal perpetrators who might escalate their activities and turn their attention to the data center. Check with corporate security and local law enforcement to determine whether incidents might be part of a trend.
If your company hasn't experienced physical attacks, consider yourself lucky, but don't assume your luck will continue. Your company's security history might provide some indicators, but it can't forecast the future. Even if your facility is in a safe area and you have good perimeter security, a disgruntled employee can attack at any time from within your building.
Data sensitivity, importance, and value. Most companies' greatest corporate asset is their data. Credit card information, corporate financial records, customer account information, and personnel records are extremely valuable and sensitive data types. The more crucial the data is and the more value it has to your company or your competitors, the greater the risk of unauthorized access attempts.
Protection and detection capabilities. Your best offense is a good defense. The knowledge that your data center is well defended and that the risk of discovery is high might be enough to deter an individual from attempting a break-in.
Proficiency level of security staff. Your corporate security staff and their training have a direct impact on the level of risk your company faces. Nightly patrol rounds at random intervals and training in computer security topics help reduce your risk.
Employee security consciousness. Several years ago, I worked as a contractor at a facility that required badges for access. Because of a glitch, I didn't have the proper ID for a few days. During that time, numerous employees queried me about where I was going, whom I worked for, and so on. These people weren't security personnel but rather employees who were taking responsibility for corporate security. Training employees to be security conscious can help extend the eyes and ears of your dedicated security staff.
Employee morale. Industry or corporate layoffs and strikes and a resulting deterioration in employee morale can lead to incidents of vandalism, theft, or industrial espionage. When employees think that their company isn't loyal to them, they often think that they no longer have any reason to be loyal to the company. They might see destroying or selling corporate data as a way to "settle the score."
Geographical location and local economic conditions. Plant location and local economic conditions can be a factor in crime potential. Check with local law enforcement for crime statistics related to your specific area.
Don't be complacent. The high corporate cost of a security incident should compel you to take defensive measures, even if your assessed risk is low.
The Enemy Within
The best approach to physical security is to visualize the enemy and build your defenses accordingly. Unfortunately, you might know the enemy, and the enemy might know you. Employees can possess inside knowledge of the data center location, room layout, and security defenses. They know which corporate data is valuable, and they might have an ax to grind. You should assume that vendors, janitorial and support staff, and contractors have the same "insider knowledge" as employees.
If you build a defense against these insiders, it will need only minor additions to defend against external attackers. The perimeter and data-center security measures I describe are designed to guard against both internal and external threats.
Hiring a perimeter-protection consulting company to analyze your data center's physical environment and determine your risks is a wise business investment. The myriad security devices available—including door locks, cameras, motion sensors, and pressure sensors—can be confusing, and melding them into a cohesive perimeter-protection system can be a daunting task. Following is a list of vulnerable areas and suggestions that your security consultant might make to protect them.
Door locks and doors. A high-quality lock on your data-center door is the first line of defense in physical security. Purchase a cipher lock system that supports user-level security. Issue a different combination to each user, and issue new combinations periodically and whenever a combination is compromised. Have a procedure in place that revokes user access when a user leaves the company. Security experts don't recommend conventional key locks or single-combination locks because these locks lack logging capabilities and because losing keys and compromising one combination are too easy. Use a lock that has a shield so that only the user entering the combination can see the keypad.
Configure the lock to record an event log of users entering the locked area. Both OSI Security Devices and Alarm Lock Systems sell advanced lock systems (the OMNILOCK product line and Trilogy product line, respectively) that support logging. These locks have a built-in infrared (IR) port that you can use to print output from the event log and the user list. You can also use a door camera to further document the user and any guests who enter with the user. Magnetic-card locks and proximity badges that support event logging are additional options. The main risk with any system that requires users to carry a badge, proximity device, or key is that unauthorized users can also use these access devices.
Choose a metal or solid-core-wood door that's substantial enough to resist being forced open by shoulder impact. Reinforce the doorframe and strike plate to further resist shock loads and prying. Locate hinges so that intruders can't remove hinge pins from outside the door, or use nonremovable hinge pins. Use long screws to attach hinges and strike plates to the surrounding wall structure. Use one-way screws (i.e., screws with ramped slots in their heads to prevent counterclockwise removal) for any locks or hinges on the outside of the door, or otherwise secure them to prevent lock or hinge removal. Weld the nuts onto any bolts that extend through the surface of steel doors.
Fire doors or secondary exits. If the design of your room requires a secondary exit door, equip the door with an alarm unit and heavy-duty lock. Conventional exit-door mechanisms are vulnerable. Ingersoll-Rand's Von Duprin Exit Device Division and Monarch Exit Devices & Panic Hardware are prominent suppliers of exit-door hardware.
Exterior signs. Exterior identification signs, wall maps, and so on can guide a thief who is unfamiliar with your facility right to your data center door. If you need exterior signs for tours or events, mount them with Velcro for tour days and remove them immediately afterward.
Locate the data center away from heavy traffic so that the presence of unauthorized individuals is more noticeable. When hardware service technicians or other personnel visit the data center, an administrator should accompany and supervise them throughout their stay.
Move shipping and packaging materials from inside the data center directly to the recycling or trash bin. A stack of empty computer-equipment boxes outside a door is a dead giveaway to the valuable hardware and data inside.
Walls. Ensure that any external building walls that are also computer-room walls or are near computer-room walls are constructed of materials that can withstand a major external assault. In retail business break-ins, burglars often back a stolen pickup truck or SUV right into the building, fill the bed or interior with merchandise, and drive away. Reinforced planter boxes or 4"-to-6"diameter pipes spaced 4.5' to 5' apart, sunk in the ground, and filled with and embedded in concrete are the best defense against this type of attack. Check local building codes for relevant regulations before you start building these reinforcements.
Security experts don't recommend having windows in the interior walls or doors of a data center. Exterior windows should be inaccessible from the ground or secured with appropriate anti-intrusion bars or grates.
Ceilings and floors. Thieves have been known to use the crawl spaces above false ceilings and below raised floors to travel undetected for several hundred feet in shopping-center and retail-store burglaries. Extend computer room walls above a false ceiling and below a raised floor to meet the actual ceiling and floor. In addition to cutting off access points for intruders, walls that extend to the true ceiling and floor are consistent with maintaining an environmentally controlled (i.e., low-dust and temperature-regulated) atmosphere.
The roof. If your data center is on the top floor of your building, intruders can descend through roof vents or air-conditioning access panels into the room below. To prevent such entrance, secure external roof vents and air-conditioning equipment with appropriate bars, grates, or additional fasteners. Equip rooftop security bars and grates with inconspicuous seals; inspect the seals regularly to ensure that someone hasn't tampered with them in preparation for a future assault.
Electrical power. If the master circuit-breaker panels are near the data center (e.g., just outside the door), move them or lock them if local ordinances permit. A possible break-in strategy is to turn off the power in the hope of disabling alarms, cameras, and other perimeter-protection equipment. If you have a UPS for your servers, you might be able to move detection equipment to your high-availability circuits so that you have some measure of protection during power outages.
Inside the Data Center
If intruders make it past the perimeter security and into your data center, you might still be able to detect their presence and slow down their activities. You can try the following methods.
Electronic surveillance. A security professional can help you combine many electronic detection systems such as cameras (both visible and concealed) and video recorders, door switches, motion detectors, sound-discrimination sensors, photocell beams, proximity switches, IR sensors, cabinet-door switches, and wireless technologies into a comprehensive detection system. Carefully control information about the details and location of any surveillance devices that you install.
Console security. Some consoles offer user-logon security enhancements to limit user access to particular nodes. Access restrictions let users control only the machines on their authorization list. Intruders can directly connect their own monitor, keyboard, and mouse to the servers to defeat this feature, but doing so takes extra time, especially if the server racks are properly locked.
Rack security. Most production server racks have locking front and rear doors. The doors and locks can be forced, but they do make reaching the server on-off switches, disk drives, and Power Distribution Unit (PDU) switches more difficult. Retract or remove rack wheels to make moving the racks more difficult. Store screwdrivers, wrenches, and other hand tools away from the site to prevent intruders from using them to pry open doors and remove parts.
External monitoring. You probably already use scripts or an application to monitor server responsiveness and report offline servers, stopped services, and so on. However, you probably monitor from a dedicated server or workstation in the data center. Set up a secondary monitoring node outside the server room. This node will sound the alarm if an intruder disables the network connection or shuts down the primary unit to prevent notification pages from getting out of the server room. Set up and operate secondary monitoring discreetly, with a minimum number of people in the loop and a special list of page recipients.
Remote access to servers. Remote administration tools such as AT&T Laboratories Cambridge's Virtual Network Computing (VNC), Netopia's Timbuktu, Symantec's pcAnywhere, and Windows 2000 Server Terminal Services in Administrative mode can save time by providing easy access to your secured servers. Unfortunately, these tools can permit unauthorized access just as though the intruder were sitting at the console. Maintenance vendors often use RAS to access servers for software upgrades and problem diagnosis. Some remote-access tools use one password per server for all users. If you use these tools, change their passwords regularly and allow only a very limited group of authorized users. Disabling remote-access tools and RAS is probably the best way to ensure that an intruder doesn't use them as a virtual doorway into your server room.
Inventory and ID tags. Keep an inventory of all computer equipment that someone could remove during a break-in (e.g., servers, disk drives, monitors) and attach corporate asset tags or other appropriate ID markings to these devices. Compare actual equipment with asset records annually. If you have a break-in, these practices will aid in determining what's missing and identifying recovered property.
After-hours logon monitoring. Implement a policy that requires data-center administrators and users to log off at the end of the day. You can use the Winexit screen-saver utility in the Microsoft Windows NT Server 4.0 Resource Kit or the Microsoft Windows 2000 Server Resource Kit to automatically log off users after a period of inactivity.
Use scripts or applications to monitor for after-hours logons, log them, and trigger pages if appropriate or if administrator accounts were used. After-hours logons could be legitimate activity—or intruders using captured credentials to gain access.
Backup-tape security. Secure a primary set of backup tapes onsite and store a second set offsite. If intruders destroy both your primary backup tapes and servers, a second offsite set of tapes is crucial to restoring operations. If your company has other nearby offices, ask the IT administrators at those offices whether they have a secured room available and want to develop a mutual tape-storage strategy. If you can't find a secure in-company location, companies that specialize in media archiving (e.g., Iron Mountain) can help you.
Evaluate your risks, discuss your exposure and possible solutions with management, and implement the countermeasures you feel are appropriate. (For a few additional steps you can take, see the sidebar "More Physical Security Measures.")
As an IT manager or systems administrator, you've already protected your valuable corporate data with appropriate permissions, auditing, and monitoring. Extending those protections to the physical data center itself only makes sense. You don't want to receive a call in the middle of the night telling you that the data center you're responsible for has been the victim of an attack.