Regardless of the size, scope, or culture of your organization, physical access to the server room should be monitored and controlled. The server room is one of the most important physical places in an organization. In most cases, "business as usual" critically depends on the investments in the server room. This article will provide some tips on controlling server-room access.
If your organization is like some I've worked for, the server room can be a room of many functions. Most organizations would be lucky to have their server room as an exclusive space. Many times, due to space constraints, servers share space with storage, a workspace, or possibly someone's office.
A quick look around
I performed an unscientific survey of how server rooms are situated in a facility and inquired about a LAN closet (patch panels, hubs, switches, or routers). I received more than 70 responses from many types of organizations and was somewhat surprised at what I found.
The server room
- Twenty-one percent share their server room with general storage for the organization.
- Twenty-nine percent reported that their server room doubles as someone's office.
- Thirty-five percent have a server room used for that single purpose.
- Eight percent have server equipment out in the open.
The patch panel and LAN components
- Thirty-three percent have their cables, hubs, switches, and/or routers in their server room.
- Thirty-seven percent have their patch panel in a separate, secured room.
- Twenty-two percent have their patch panel in a separate, unsecured room or located outside the server room somewhere else in the facility.
In general, the larger organizations keep all places secure, and the smaller organizations have to make do with what's available. It is interesting that over half of those who replied said that their patch panel is kept somewhere other than in the server room.
Tools to protect against unwanted access
There are many ways to restrict access to the area. The solutions range from door locks to sophisticated keycard systems. Of course, to get the most out of any security measure, it must be used effectively. Below are some tips for using each type of tool.
A simple tool to put in place, a keyed lock is one of the most common means of restricting access. However, be careful about what types of keys are used. Your options will vary depending on the type of building you're located in. If you lease your workspace, chances are your keys are nonduplicable (at least not at your average key copy center). This is important, as an easily duplicated key is less effective, especially if former employees come into the picture.
If your building has on-site maintenance staff, chances are that the keys you use to get into your protected areas are duplicable. Some keys have warnings on them prohibiting duplication, while others are of a rare shape, so that even without a warning, a copy can't be made. Be aware of the ability to duplicate keys to your protected areas because over time, some duplicates may be floating around.
If you have a duplicable key for your server room, it may be worth considering periodic changes of the lock and key. This will effectively "expire" any unauthorized duplications, while still providing the flexibility of a nonproprietary key.
Keyless lock or electronic code entrances
Many forms of keyless locks and electronic code locks exist in buildings today. Some of the more advanced systems can be sophisticated and expensive. These systems require a user to input a code to gain access through a doorway. The obvious vulnerability with these systems is that if the code never changes, the entire facility may eventually know the code. When that occurs, there might as well be no door at all. Get the individual in charge of locks or external security to help you be diligent about changing the access code if you use one of these keyless lock systems. With some systems, you can also provide different codes to different employees. That way, if someone leaves the company, you can deactivate his or her access code.
Access control cards
The most robust means of protecting access to precious areas is an access control card system. These are full-featured systems that are integrated into a building's structure and that grant or deny a set of rights to each card (which is assigned to a person). Such systems can control everything from HVAC, elevators, and doors to lighting systems. Access control card systems offer the best benefit to large enterprises. They allow facilities to handle special situations, changing staff, and distributed environments most effectively. Some even have software interfaces to control rights. Access control card systems provide the ultimate flexibility, but they're expensive. Some of the more cutting-edge variants of these technologies include human interface devices to work in connection with card systems.
Strategies to prevent mishaps
Effective security measures may help prevent unwanted access—but some of the more dangerous incidents in the server room can be caused by authorized IT staff. Share with your workgroup some simple rules to be followed in the server room and post clearly visible signs displaying your guidelines. You might include rules like these:
- Do not smoke.
- Do not bring in any food or beverages.
- Keep the door shut (for security and climate control).
- Limit traffic in and out, if it doubles as your office or another usable space.
Designate someone in the organization to be responsible for delegating access to the server room and for keeping the access current. The process can be viewed in a similar manner to a password expiration policy. This person can work with whoever's in charge of the physical facility to best keep all areas of the room secure. If your patch panel, hubs, switches, and/or routers are in a separate room, be sure to maintain the same diligence in securing that area. Also consider the other forms of exposure for rooms in which your precious equipment resides. For example, it is a good idea to keep custodial service out of the server room or a wire closet room to avoid any unintentional contact with your equipment.
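One way to keep access current in the password-expiration sense described above, covering per-employee codes, a shared door code, and a duplicable key. This is an added example, not part of the original article; the record layout, names, areas, and the 90/365-day thresholds are assumptions, and the sample data is constructed.

```python
from datetime import date, timedelta

# Assumed policy values; the article gives no numbers.
REVIEW_MAX_AGE = timedelta(days=90)            # access owner re-approves each grant this often
SECRET_MAX_AGE = {
    "shared-code": timedelta(days=90),         # one code known to many people: change it
    "key": timedelta(days=365),                # duplicable key: change lock and key
}

# Constructed sample records: (holder, area, kind, issued, last_reviewed).
# "*" marks a credential shared by everyone with access to that area.
GRANTS = [
    ("akim",   "server-room", "card",          date(2024, 1, 10), date(2024, 5, 2)),
    ("bsingh", "server-room", "personal-code", date(2023, 11, 3), date(2023, 11, 3)),
    ("dlee",   "server-room", "personal-code", date(2023, 6, 1),  date(2024, 4, 20)),
    ("*",      "lan-closet",  "shared-code",   date(2023, 9, 15), date(2024, 5, 1)),
    ("*",      "lan-closet",  "key",           date(2024, 2, 1),  date(2024, 5, 1)),
]
ACTIVE_STAFF = {"akim", "bsingh", "cjones"}    # constructed HR roster


def audit(grants, active_staff, today):
    """Return (holder, area, kind, reason) for every grant that is no longer current."""
    findings = []
    for holder, area, kind, issued, reviewed in grants:
        if holder != "*" and holder not in active_staff:
            findings.append((holder, area, kind, "holder left: deactivate credential"))
            continue  # revocation supersedes the age checks below
        max_age = SECRET_MAX_AGE.get(kind)
        if max_age is not None and today - issued > max_age:
            findings.append((holder, area, kind, "secret too old: change code or rekey"))
        if today - reviewed > REVIEW_MAX_AGE:
            findings.append((holder, area, kind, "not re-approved by access owner"))
    return findings


if __name__ == "__main__":
    for finding in audit(GRANTS, ACTIVE_STAFF, date(2024, 6, 1)):
        print(*finding, sep=" | ")
```

The LAN closet is audited with the same rules as the server room, so a patch panel kept in a separate room does not fall outside the review.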
Working to limit physical access to the server room is an important part of an IT security plan. Controlling access can help protect against both intentional and unintentional events that may damage the computing environment and result in significant productivity and revenue losses.
Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.