Educause Security Discussion mailing list archives
Re: physical security of datacenter with hosting services
From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Fri, 27 Apr 2007 12:39:38 -0600
Bob,

Many IT folks view computer center operations staff as an expensive anachronism, but your problem points out one very useful purpose they serve. Once you remove human monitoring and let a person into your "secure" space, you mostly have to rely on trust.

To a certain extent, you can limit access by group. Install locking cabinet doors on department-specific racks, or chain-link fences between groups of racks. Commercial datacenters often do this, using a 2nd level of physical access control to grant access only to appropriate equipment. You could try to do this with technology, as well, requiring dongles or tokens for direct machine access. Which you try depends a lot on how much floor space you have, and how many different groups need access. In a university setting, the answer is probably "not much room and lots of different people."

Ultimately, though, if a person can get physical access to devices, you have to assume that he/she is going to play nice. If a person you trust decides to "go postal" on your network or servers, all you can do at that point is monitor what he/she might be doing (or might already have done). Is the camera footage just archived, or does your campus security/police actively monitor who's in there? Is there a big sign indicating that the police are watching?

Don't forget the "people" part... Background checks for the people with this kind of access would seem appropriate, though I know that can cause HR issues. Also, make sure the signed security agreement has teeth. If someone can't get fired for violating the agreement, it's just a piece of paper.

We still have a staffed data center, and though the operators can sometimes seem like they're prying or being overly territorial, I value having them there!

Steve

==============================================
Steven Lovaas, MSIA, CISSP
Network Security Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
============================================

-----Original Message-----
From: Bob Bayn [mailto:Bob.Bayn () USU EDU]
Sent: Friday, April 27, 2007 11:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] physical security of datacenter with hosting services

Our central data center of about 1800 sq ft is being overhauled and upgraded after about 20 years of service: new water cooled air conditioning, UPS, standard rack systems with hot and cold aisles and elimination of operations staff.

After the overhaul the facility will provide additional hosting capability for the wide assortment of servers scattered across campus and will give campus planning services the opportunity to reject attempts to create mini-datacenters in departments in favor of using our improved location to host their servers.

The consequence of concern to me is that we will have many more people expecting to have access to their equipment in the data center which we will no longer have staffed. We will have access control by biometric scanner and will have cameras throughout the facility. However, someone authorized to manage the server for the department of redundancy department will also have physical access to all of the core services housed in the same room. They will have signed security agreements but their visits to the data center may not be directly monitored.

How do others manage the physical access by 30-50 people to an unstaffed central data center and maintain assurances that core systems are uncompromised?

Bob Bayn
IT Security Team
Utah State University
Logan, Utah