Physical Security

Securing the physical environment is a challenge but standards are being created to help with this effort. ISACA's COBIT framework covers the areas of site selection, physical security, controlling physical access, protecting against environmental factors and the proper management of a facility. This lens will provide a checklist of items you should consider when performing a physical environment audit of a location. Remember, you need to be concern with issues that exist outside of the data center.

The nice data center photo is from jaxmac at Flickr.com.

It is a good idea to know the risks that exist due to where a building is located and what surrounds it. Can activities at near by businesses affect your operations?

Use Google Earth or a site survey to find out.

• Where are the nearest fault lines? Have earthquakes ever affected the site?
• Is the location in a flood zone. What about the 100 year flood zone.
• What about the frequency of severe weather? Any Tornadoes, frequent lightning or Hurricanes?
• Can other local business affect your operations, for example a near by stadium might impact your parking.

  Could an accident at one of these companies cause the evacuation of your business?

• Remember a single location is a single-point-of-failure. Are your critical assets backed up to a geographical separate location which would not affected if a large disaster occurred at the primary location?
• How far is the location from emergency services (Fire, Hospital, Police)?

The first place to start with physical security is to see who can gain access to the building and is done by performing an site survey.

Is Access to the building/data center controlled?

• Does the access control provide an access tracking capability (PIN lock, smart card, biometrics)?
• Can the control be circumvented, for example one person enters code a second person follows the first person inside?
• Are all entrances controlled by the same mechanism? What methods could be used to bypass this device?
• If Master Key access exists, does the client know who all has access to the key?
• Is video surveillance in place? Without video surveillance, master key access will not be tracked. We need to know who accessed the facility if forensic evidence will be collected. Are all entrances monitored by video? Keys might provide a way to avoid video monitoring if all access points are not monitored.
• Is access by visitors logged? Are escorts required for access by visitors and maintenance?
• Is all access information controlled by a group external to those accessing the data center? Separation of Duties is a key security concept.
• Are any foreign nationals on staff? Are extensive background checks run on these employees? Knowing who has physical access is often necessary for government contracts.
• Are there windows within the Data Center that are accessible from non controlled areas? Is security glass used for windows? Are door handles within reach if a window is compromised? Are windows covered (blinds, curtains, etc.)? Learn what equipment exists. Window Surf.
• Can an intruder gain access to the data center from under the floor? Can an intruder gain access to the data center from the ceiling? Are there any gaps under the door. A DarkReading article noted that 1/4 inch copper tubing can be molded to fit under a door and used to move the handle from the inside.
• Are door hinges internal or external to the data center? Could the hinges be popped out and door removed?
• Is the data center a shared facility? Are locking cabinets used? Does the provider log all center access?
• How is off hours physical access tracked and does your security posture change during the day?

Do you know where your hardware is? Are your hardware assets controlled by an inventory tracking system? Are media devices enabled on servers that might enable data to be taken?

• Are processes in place to track the addition and removal of equipment? Inventory management is crucial.
• Do systems contain ports (USB, Firewire) or devices which can be used to created media (USB, DVD/RW) and move data?
• Are drives wiped before equipment is excised? Is the same process used when drives fail and have to be replaced by vendors?
• Is backup media secured both on site and at an external location? Are backups encrypted? Are backups transported off site securely? Is access to backup media tracked?

• Are humidity and temperature controls in place? Is a fail over system in place? Are smoke detectors used? Are they on the ceiling? Are they under the floor?
• If the suppression system is a sprinkler system, are plastic sheets within the center that could be used to protect equipment if someone was in the data center when the system triggered?
• Are fire extinguishers available? Are they the appropriate type? Are they expired? Are fire extinguisher location indicators (signs) visible?
• What is the volume of combustibles within the data center? If a fire started these material might make the situation worse. Could a fire inspection be failed resulting in a order to shutdown the data center or building?
• Are water sensors in place to warn of flooding by high water levels or an overactive HVAC unit?
• Are uninterruptible Power Supplies used? How long can they provide support? Do they include alarms for when a battery fails? How often is the system tested and are records kept?
• Are backup power generators available? How long can the generators provide support? Are generators caged? There has been a string of thefts related to criminals stealing copper and other valuable metals.
• Are there any other ways for someone to remove power from critical devices (breaker boxes, etc.) that might be external to the data center?
• Is the data center raised floor of a sufficient height?
• Is cable management systems used in racks and under floor.

Could the facility be shutdown for failure to comply with health or safety standards?

• Is a cable management system used and no cables are hanging low or run across the floor?
• Does emergency lighting exist in case of power loss?
• Are exits clear and properly marked?
• Are exits free from obstruction? Note the combustible issue mentioned above.
• What is the noise level within the data center? If it exceeds OSHA standard 1910.95, are signs posted at entrances?
• Does the center have emergency power cut off switches available? Are switches available at all exits? Are they clearly marked and of the type which prevents them from being accidental bumped?

Management is crucial because we can prevent outages by controlling on site activities.

1. Manage HVAC/AC services. Know when the are coming, track their visits and ensure preventative maintenance is up to date.
2. All building work should be scheduled, logged and controlled.
3. All vendor access must be tracked and scheduled.
4. Does management require employee security and safety training?

If you already have a data center be sure to consider external influences, some of which you can control.

• Is the data center building anonymous? Are there signs indicating a data center is on site? Consider whether being anonymous adds security to the data center.
• Is the building shared with other businesses? How well do they manage risk?
• How far is the data center from emergency services? Is the building easy to access? what about the data center?
• What is the crime rate around the data center's location?
• Is there adequate exterior lighting and surveillance to deter crime?

• Is insurance in place to cover equipment losses? Does the policy require any of the above environmental controls?
• Is a call list of personel who need to respond to physical security issues maintained?

Ensure you have controls in place to prevent social engineering attacks.

• Shred your documents either on site or hire out for this service.
• Do not publish phone lists to your web site that is available to the public.
• Know that when you publish job opportunities, you are most likely disclosing information about the technologies your company uses by listing the skills you require for a position.

New activities are taking place which might require additional controls if the risk is considered viable.

Let me know if anything else should be added.