Re: physical security of datacenter with hosting services

["Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>]

Bob,

Many IT folks view computer center operations staff as an expensive anachronism, but your problem points out one very 
useful purpose they serve. Once you remove human monitoring and let a person into your "secure" space, you mostly have 
to rely on trust.

To a certain extent, you can limit access by group. Install locking cabinet doors on department-specific racks, or 
chain-link fences between groups of racks. Commercial datacenters often do this, using a 2nd level of physical access 
control to grant access only to appropriate equipment. You could try to do this with technology, as well, requiring 
dongles or tokens for direct machine access. Which you try depends a lot on how much floor space you have, and how many 
different groups need access. In a university setting, the answer is probably "not much room and lots of different 
people."

Ultimately, though, if a person can get physical access to devices, you have to assume that he/she is going to play 
nice. If a person you trust decides to "go postal" on your network or servers, all you can do at that point is monitor 
what they he/she be doing (or might already have done). Is the camera footage just archived, or does your campus 
security/police actively monitor who's in there? Is there a big sign indicating that the police are watching?

Don't forget the "people" part... Background checks for the people with this kind of access would seem appropriate, 
though I know that can cause HR issues. Also, make sure the signed security agreement has teeth. If someone can't get 
fired for violating the agreement, it's just a piece of paper.

We still have a staffed data center, and though the operators can sometimes seem like they're prying or being overly 
territorial, I value having them there!

Steve


==============================================
Steven Lovaas, MSIA, CISSP
Network Security Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
============================================
-----Original Message-----
From: Bob Bayn [mailto:Bob.Bayn () USU EDU]
Sent: Friday, April 27, 2007 11:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] physical security of datacenter with hosting services

Our central data center of about 1800 sq ft is being overhauled and upgraded after about 20 years of service: new water 
cooled air conditioning, UPS, standard rack systems with hot and cold aisles and elimination of operations staff.  
After the overhaul the facility will provide additional hosting capability for the wide assortment of servers scattered 
across campus and will give campus planning services the opportunity to reject attempts to create mini-datacenters in 
departments in favor of using our improved location to host their servers.  The consequence of concern to me is that we 
will have many more people expecting to have access to their equipment in the data center which we will no longer have 
staffed.  We will have access control by biometric scanner and will have cameras throughout the facility.  However, 
someone authorized to manage the server for the department of redundancy department will also have physical access to 
all of the core services housed in the same room.  They will have signed security agreements but their visits to the 
data center may not be directly monitored.

How do others manage the physical access by 30-50 people to an unstaffed central data center and maintain assurances 
that core systems are uncompromised?

Bob Bayn
IT Security Team
Utah State University
Logan, Utah