Educause Security Discussion mailing list archives

Re: physical security of datacenter with hosting services


From: "William C. Moore II" <wcmoore () VALDOSTA EDU>
Date: Fri, 27 Apr 2007 16:06:40 -0400

Bob,

On a similar note, how did your campus ensure that the current or previous
monitoring staff 'did no harm' to the monitored systems while it was
monitored?  I believe there has to be a certain level of trust, coupled with
binding agreements and background checks, among the staff and the
administrators of the systems.

You will always inherit some risks but can you use the previous steps of how
a person was approved to be a monitor as proven effectiveness for future
actions and a precedent?  For example, why did you trust little Johnny to
monitor the main server room?  What approval process was there?


Bill





William C. Moore II, CISSP, MEd, MLIS
Assistant Director of Information Technology
Information Security
Valdosta State University
Valdosta, GA 31698
Phone:(229)333-5974
Fax:  (229)245-4349




-----Original Message-----
From: Lovaas,Steven [mailto:Steven.Lovaas () COLOSTATE EDU]
Sent: Friday, April 27, 2007 14:40
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] physical security of datacenter with hosting
services

Bob,

Many IT folks view computer center operations staff as an expensive
anachronism, but your problem points out one very useful purpose they serve.
Once you remove human monitoring and let a person into your "secure" space,
you mostly have to rely on trust.

To a certain extent, you can limit access by group. Install locking cabinet
doors on department-specific racks, or chain-link fences between groups of
racks. Commercial datacenters often do this, using a 2nd level of physical
access control to grant access only to appropriate equipment. You could try
to do this with technology, as well, requiring dongles or tokens for direct
machine access. Which you try depends a lot on how much floor space you
have, and how many different groups need access. In a university setting,
the answer is probably "not much room and lots of different people."

Ultimately, though, if a person can get physical access to devices, you have
to assume that he/she is going to play nice. If a person you trust decides
to "go postal" on your network or servers, all you can do at that point is
monitor what he/she might be doing (or might already have done). Is the
camera footage just archived, or does your campus security/police actively
monitor who's in there? Is there a big sign indicating that the police are
watching?

Don't forget the "people" part... Background checks for the people with this
kind of access would seem appropriate, though I know that can cause HR
issues. Also, make sure the signed security agreement has teeth. If someone
can't get fired for violating the agreement, it's just a piece of paper.

We still have a staffed data center, and though the operators can sometimes
seem like they're prying or being overly territorial, I value having them
there!

Steve


==============================================
Steven Lovaas, MSIA, CISSP
Network Security Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
============================================
-----Original Message-----
From: Bob Bayn [mailto:Bob.Bayn () USU EDU]
Sent: Friday, April 27, 2007 11:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] physical security of datacenter with hosting services

Our central data center of about 1800 sq ft is being overhauled and upgraded
after about 20 years of service: new water-cooled air conditioning, UPS,
standard rack systems with hot and cold aisles and elimination of operations
staff.  After the overhaul the facility will provide additional hosting
capability for the wide assortment of servers scattered across campus and
will give campus planning services the opportunity to reject attempts to
create mini-datacenters in departments in favor of using our improved
location to host their servers.  The consequence of concern to me is that we
will have many more people expecting to have access to their equipment in
the data center which we will no longer have staffed.  We will have access
control by biometric scanner and will have cameras throughout the facility.
However, someone authorized to manage the server for the department of
redundancy department will also have physical access to all of the core
services housed in the same room.  They will have signed security agreements
but their visits to the data center may not be directly monitored.

How do others manage the physical access by 30-50 people to an unstaffed
central data center and maintain assurances that core systems are
uncompromised?

Bob Bayn
IT Security Team
Utah State University
Logan, Utah
