Businesses can spend thousands to stop network intrusion, yet never notice that the new guy stocking a lobby vending machine at 4:00 am just strolled into an unlocked basement server room.
Data center security best practices reduce this risk of harmful breaches of business and customer data.
Protecting data in storage subsystems and in transit on the network, defending against malware and hacking attacks, and preventing data leakage are popular security topics among data center pros, but a focus on those topics often overlooks fundamental physical security in the data center.
First rule of data center security best practices: know who is and isn't authorized to be in the facility. Only a small number of IT staff should ever need to be in the server room, since most routine monitoring and administrative tasks are performed remotely.
The number of IT staff with access to the data center depends on the size of the business, the scope of the facility and the nature of the work. Base facility access on "least privilege" rights, with no exceptions all the way up to C-level executives: a job title is not a reason to hold a server room badge. For example, several IT staff may have front-line responsibilities for server room maintenance, while other IT staff may be granted access as needed for larger projects or special tasks, and lose it again when the work is done.
Restrict access by locking all doors to the server room. If renovating the data center or seeking a new facility, keep the number of personnel entrances to a minimum and minimize the number of doorways for equipment. Provide a secure storage or staging area for IT equipment off the loading dock, a secure preparation area for unloading and assembly, and a secure doorway from the preparation area into the data center. Doors, walls and cages should be windowless and hardened to resist break-ins. Mantraps (two interlocked doors that admit one person at a time) can be added as a more sophisticated access control.
Organizations such as the SANS Institute provide generic guidelines and recommendations for data center security. Third-party firms that specialize in compliance auditing against SAS 70, SSAE 16 and other established audit standards and regulations with controls around data processing and storage also make recommendations for data center security.
Once you restrict access to the data center, think about the best way to guard that space. Tracking everyone who enters the facility is a crucial data center security standard. A badge-operated electronic locking system (with battery backup, so a power loss does not disable locking or logging) is a good start: it automatically logs each individual's access. Video surveillance is a good complement; use it to monitor each access point and every critical equipment location or cable closet. Rack, wiring closet and room door switches can trigger cameras and security events, which is especially valuable during off hours, when a door opening without a matching badge read should be treated as an incident rather than noise.
Escorted guests and off-hour workers
Data center security standards indicate that all guests should be escorted around the facility and kept out of the data halls themselves when possible. Visitors such as vendor representatives are relatively low risk because they arrive on-site during normal working hours, but they should still be logged and escorted at all times.
Subcontractors, such as cleaning staff and construction workers, and service providers, such as telecom technicians, present a bigger security dilemma because they might need to enter the data center on weekends or during off hours. Make sure security is in place to monitor and escort anyone who enters during non-business hours.
Dedicated entry and power rooms with separate secure access and video monitoring keep peripheral work away from the servers. Where that is not possible, an authorized employee must escort outside workers for as long as they are on-site. Cleaning staff should simply not have access to the data center, which is cleaned differently than office space.
Employee security breaches, such as sharing badges and piggybacking through a door that someone else opened, are mostly due to a lack of proper education and conscientious policy enforcement. While an incident like badge-borrowing might not seem serious, it corrupts the access log (the system now records the wrong person in the room) and underscores a broader lack of concern that opens the door for more serious incidents. Negligence is a data center security worst practice.
Examine security practices for IT staff and other employees. If there is no written security policy prohibiting these shortcuts, add one to the data center documentation, along with disciplinary consequences. Educate the staff about new or changed security practices. Involving employees in acceptable use and security decisions will encourage them to follow the rules.
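The badge log and door switches described above are only useful if someone, or something, actually correlates them. The following Python script is an added example, not code from the article or from TechTarget, showing how a few simple rules catch the incidents this article warns about: badge-borrowing and passback (a badge entering a room it never left), tailgating (a badge leaving without ever having entered), a door opening with no badge read, a propped door, and off-hours entry. The log format, the door name DH1, the badge numbers and the thresholds (business hours 07:00 to 19:00 on weekdays, a 10-second reader-to-door window, 30 seconds before a door counts as held open) are all assumptions for the example, and the sample log is constructed, not real data.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts kind door badge")

# Assumed policy values for this example; tune them to the facility.
BUSINESS_HOURS = (7, 19)                      # 07:00-19:00, Monday to Friday
BADGE_TO_OPEN_WINDOW = timedelta(seconds=10)  # a door must open within 10 s of a read
MAX_HELD_OPEN = timedelta(seconds=30)         # longer than this and the door is propped

# Constructed sample log (not real data). One event per line:
# "YYYY-MM-DD HH:MM:SS KIND DOOR BADGE", where KIND is BADGE_IN / BADGE_OUT
# (a granted read on the outside / inside reader of door DH1) or DOOR_OPEN /
# DOOR_CLOSE (the door contact switch), and BADGE is "-" for switch events.
SAMPLE_LOG = """\
2024-03-11 09:02:10 BADGE_IN DH1 1001
2024-03-11 09:02:12 DOOR_OPEN DH1 -
2024-03-11 09:02:20 DOOR_CLOSE DH1 -
2024-03-11 09:05:00 BADGE_IN DH1 1001
2024-03-11 09:05:02 DOOR_OPEN DH1 -
2024-03-11 09:05:10 DOOR_CLOSE DH1 -
2024-03-11 12:30:00 BADGE_OUT DH1 1001
2024-03-11 12:30:01 DOOR_OPEN DH1 -
2024-03-11 12:30:08 DOOR_CLOSE DH1 -
2024-03-11 12:31:30 BADGE_OUT DH1 1003
2024-03-11 12:31:31 DOOR_OPEN DH1 -
2024-03-11 12:31:36 DOOR_CLOSE DH1 -
2024-03-11 14:10:00 DOOR_OPEN DH1 -
2024-03-11 14:11:00 DOOR_CLOSE DH1 -
2024-03-12 03:15:40 BADGE_IN DH1 1002
2024-03-12 03:15:42 DOOR_OPEN DH1 -
2024-03-12 03:15:50 DOOR_CLOSE DH1 -
"""


def parse_log(text):
    """Parse the constructed log format above into Events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, time, kind, door, badge = line.split()
        events.append(Event(datetime.fromisoformat(f"{date} {time}"), kind, door, badge))
    return sorted(events, key=lambda e: e.ts)


def is_off_hours(ts):
    """True on weekends or outside the assumed business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def detect(events):
    """Return a list of (timestamp, rule, subject) alerts in log order."""
    alerts = []
    inside = set()    # badges the system currently believes are in the data hall
    last_read = {}    # door -> time of the most recent granted read not yet used
    opened_at = {}    # door -> time the door contact last reported open
    for e in events:
        if e.kind in ("BADGE_IN", "BADGE_OUT"):
            last_read[e.door] = e.ts
        if e.kind == "BADGE_IN":
            if is_off_hours(e.ts):
                alerts.append((e.ts, "off-hours-entry", e.badge))
            if e.badge in inside:
                # Already inside: the badge was passed back to a second person,
                # or its holder tailgated out earlier. Either way, investigate.
                alerts.append((e.ts, "anti-passback", e.badge))
            inside.add(e.badge)
        elif e.kind == "BADGE_OUT":
            if e.badge not in inside:
                # Leaving without ever badging in means the holder tailgated in.
                alerts.append((e.ts, "exit-without-entry", e.badge))
            inside.discard(e.badge)
        elif e.kind == "DOOR_OPEN":
            # Consume the pending read so one read cannot justify two openings.
            read = last_read.pop(e.door, None)
            if read is None or e.ts - read > BADGE_TO_OPEN_WINDOW:
                alerts.append((e.ts, "door-open-no-badge", e.door))
            opened_at[e.door] = e.ts
        elif e.kind == "DOOR_CLOSE":
            start = opened_at.pop(e.door, None)
            if start is not None and e.ts - start > MAX_HELD_OPEN:
                alerts.append((e.ts, "door-held-open", e.door))
    return alerts


if __name__ == "__main__":
    for ts, rule, subject in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts}  {rule:<20} {subject}")
```

Run against the constructed log, the script flags five events: badge 1001 entering twice without leaving (anti-passback), badge 1003 leaving a room it never badged into, the 14:10 door opening with no read at all, that same door standing open for a full minute, and badge 1002 entering at 03:15. The anti-passback state is deliberately kept even after a violation, so the log keeps reflecting who the system thinks is inside; the point of the alert is that a human now has to reconcile that belief with the camera footage.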
Stephen J. Bigelow is a senior technology editor at TechTarget, covering data center and virtualization technologies. He acquired many CompTIA certifications in his more than two decades writing about the IT industry.