
Can vendors go unescorted in a secure colocation center?
You've sentenced your production servers to five-to-life lockdown in a secure colocation cage. Who's allowed to visit them?
Unescorted access to colocation facilities is a big NO.
That engineer coming in from ABC123 Computer Equipment Inc. to patch your cables is just like any other employee of any company. Can you personally vouch for him? Has ABC123 or its partners vetted the person's background to the extent that the colocation provider would have -- or to the same degree to which you vet employees?
You should have chosen a colocation partner after carrying out due diligence on every possible area of security. A secure colocation center vets all of its own employees; it only allows named personnel from your company to have access to your cage or rack; all people entering the facility are logged.
When looking for security vulnerabilities, think like a 'black hat' who wants access to one or more companies' information: The criminal could try corrupting an employee of each company, or could target just one relatively poorly paid engineer working for a third-party vendor. That support technician knows any weakness in the system, has all the "master keys" to certain systems, and understands where users might leave an area open by default or by mistake -- without any particular loyalty to the company that owns this IT infrastructure. An unhappy vendor employee is not only easier to corrupt but also more valuable, because they have access to multiple systems.
To ensure a secure colocation center, always send an escort with a vendor's employee and verify that the technician has a proper job sheet stating what systems they should touch and what actions to take. Only the company that owns the IT equipment can permit the vendor to do anything not on the job sheet, such as log onto a different system or reboot a related system. If only the colocation center's escort communicates with the vendor, allow no changes.
It all depends on:
- the implemented procedures and consequences of their application
- personnel selection in the object
- separation of operating functions (administration, maintenance, incident response and change) and security functions
- the way staff work is supervised
I have worked in both types of objects, and I know that in each case the relevant security violations occur due to the increasingly routine behavior of employees (managers too), which at one point becomes a deviation from procedures.