CHICAGO -- Enterprises often forget that physically securing the data center is just as important as virtually securing the information it holds, said security expert Kevin Beaver Wednesday at TechTarget's Data Center Decisions 2004 conference.
Beaver, founder and principal consultant of Principle Logic LLC of Kennesaw, Ga., gave attendees a refresher course on the 10 most common mistakes companies make when it comes to the physical layout of their precious information systems.
- Weak or missing security policies: Don't take the time to develop security policies only to put them on a shelf and forget about them. It's important to make sure security policies are effectively communicated to employees. A good security policy includes a simple introduction that conveys the purpose of the policy, the policy statement itself and information about how compliance will be measured. It should also spell out what sanctions will be taken against those who fail to comply.
- Poor physical access controls: To be sure that everyone entering the data center has a reason to do so, implement strong visitor sign-in procedures and then enforce those rules. If keycards are required to enter the data center, check regularly that the readers actually enforce access, not just that the doors open: a reader that admits a revoked or unknown card is worse than no reader, because it creates a false sense of security. Companies that have no receptionist or a distracted receptionist should consider hiring guards around the clock. "I have seen some glaring vulnerabilities in that area," Beaver said.
- Specific security concerns: Constantly check the data center for vulnerabilities. Look to see how many access points there are and whether people tend to prop doors open. Don't leave media such as CD-ROMs and other documentation lying around. Try to make sure that wires are not exposed. For companies that outsource their data center, make sure the third party secures documentation about your infrastructure. "If anybody can reach it, they can potentially do bad things with it," Beaver said.
- Location and layout: There is much debate over which floor of an office building is best for housing a data center. First-floor data centers are vulnerable to car crashes, while second-floor data centers may be vulnerable to fires that start below. Either way, try to be aware of where your data center resides in the building and develop disaster recovery plans accordingly.
- Unsecured computers: Beaver said that it's important to lock screens when employees get up and walk away from their computers, and that screensavers that require a password to unlock are recommended, so an unattended session locks itself even when the user forgets. "Everybody knows that once physical access is gained all bets are off," he said.
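Recommending a locking screensaver is only half the job; the other half is verifying that the setting is actually in force on every console. The script below is an added example, not code from the article or from Beaver's firm. It assumes that each host record carries the three string values Windows Group Policy writes under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop (ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeOut in seconds) and checks them against an assumed 15-minute baseline; the host records themselves are constructed for illustration.

```python
"""Audit exported screen-lock settings against a minimum baseline.

Added example, not from the article. Each record mimics the values Windows
Group Policy stores under
HKCU\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop.
All values there are REG_SZ strings, which is why the checks parse text.
"""
from __future__ import annotations

# Assumed baseline: a session may sit idle for at most 15 minutes before locking.
MAX_IDLE_SECONDS = 900

# Constructed inventory export for illustration; host names are made up.
SAMPLE_EXPORT = [
    {"host": "ws-ops-01", "ScreenSaveActive": "1", "ScreenSaverIsSecure": "1", "ScreenSaveTimeOut": "600"},
    # Screen saver runs but does not ask for a password on resume.
    {"host": "ws-ops-02", "ScreenSaveActive": "1", "ScreenSaverIsSecure": "0", "ScreenSaveTimeOut": "600"},
    # Locks correctly, but only after an hour of inactivity.
    {"host": "ws-dc-console", "ScreenSaveActive": "1", "ScreenSaverIsSecure": "1", "ScreenSaveTimeOut": "3600"},
    # Screen saver switched off entirely; the other values are irrelevant then.
    {"host": "ws-temp-07", "ScreenSaveActive": "0", "ScreenSaverIsSecure": "1", "ScreenSaveTimeOut": "300"},
    # Policy never applied: none of the values exist.
    {"host": "ws-new-11"},
]


def _flag(value) -> bool:
    """A policy flag counts as set only when it is the string "1"."""
    return str(value).strip() == "1"


def _seconds(value) -> int | None:
    """Parse a REG_SZ timeout; anything unparsable is treated as unset."""
    try:
        return int(str(value).strip())
    except (TypeError, ValueError):
        return None


def check_host(record: dict, max_idle: int = MAX_IDLE_SECONDS) -> list[str]:
    """Return the list of baseline violations for one host (empty if compliant)."""
    findings = []
    if not _flag(record.get("ScreenSaveActive")):
        findings.append("screen saver not enforced")
    if not _flag(record.get("ScreenSaverIsSecure")):
        findings.append("password on resume not enforced")
    timeout = _seconds(record.get("ScreenSaveTimeOut"))
    if timeout is None or timeout <= 0:
        # A missing or zero timeout means the saver never triggers on its own.
        findings.append("idle timeout missing or non-positive")
    elif timeout > max_idle:
        findings.append(f"idle timeout {timeout}s exceeds {max_idle}s")
    return findings


def audit(records: list[dict], max_idle: int = MAX_IDLE_SECONDS) -> dict[str, list[str]]:
    """Map each non-compliant host name to its findings."""
    report = {}
    for record in records:
        findings = check_host(record, max_idle)
        if findings:
            report[record["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_EXPORT).items():
        print(f"{host}: " + "; ".join(findings))
```

Windows keeps a second copy of the same three names under HKCU\Control Panel\Desktop for the user's own preference; the Policies key takes precedence when present, so an audit that only reads the user key can report a lock that the policy has in fact switched off, and vice versa. Read the policy key first and fall back to the user key only for hosts outside Group Policy.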
- Utility weakness: Beaver said to confirm that the proper fire protection policies are in place. Also, make sure there are working backup generators or battery power in the event of an electrical outage, and test them rather than assuming they will start when needed.
- Rogue employees: Everyone inside the data center should have a reason to be there. Don't assume someone is trustworthy just because they have gained access to the data center. To solve the problem of rogue employees, vendors and others passing through the data center, refer to internal policies or create them if necessary. Next, have some awareness training for employees. Finally, make it a human resources (HR) issue. It is HR's job to punish employees who break the rules.
- Separation of physical and logical security: Physical and logical security should be converged into one because they are both equally important. After all, there is a lot of overlap between the two. Both require risk assessment and countermeasures to mitigate risks. And "the goal of both is to keep the bad guys out and the good guys honest," Beaver said.
- Outsourcing all data center security responsibilities: Companies should never outsource 100% of their data centers' security responsibilities to a third-party company. Rather, Beaver said, put someone in charge of making sure the third party is properly handling your physical security, compliance and other needs.
- No third-party security assessments and/or audits: The security of data centers is a continually evolving process. Each new technology that is introduced can bring new vulnerabilities that need to be addressed. That is why it's important to occasionally bring in a third-party auditor or consultant. Companies that outsource data center operations should consider sending auditors to the third-party company in question. "Get somebody that has physical security and technical security experience involved," Beaver said. "It may not be the same person."
Conference attendee Bruce Peterson, vice president of systems with The ServiceMaster Co. in Downers Grove, Ill., is no stranger to physical security overhauls. His company recently implemented several new changes designed to increase security, including what he calls a "man trap." Whenever someone leaves or enters his company's data center, they have to go through two doors and swipe an access card at each one. This way the data center is never fully exposed to the outside.
"If you don't have your card and you follow somebody in, you're going to get caught," Peterson said.
ServiceMaster also installed video cameras at every access point and removed motion detectors that used to open doors, because from the inside they can be easily tampered with. The company even went as far as to install chicken wire above the drop ceiling as an added measure against intrusion.
"I think right now we're pretty secure," Peterson said. "I feel pretty good about it."