September 17, 2001 12:00 AM

Computer Room Fortress

Windows IT Pro
InstantDoc ID #22250

Ceilings and floors. Thieves have been known to use the crawl spaces above false ceilings and below raised floors to travel undetected for several hundred feet in shopping-center and retail-store burglaries. Extend computer room walls above a false ceiling and below a raised floor to meet the actual ceiling and floor. In addition to cutting off access points for intruders, walls that extend to the true ceiling and floor are consistent with maintaining an environmentally controlled (i.e., low-dust and temperature-regulated) atmosphere.

The roof. If your data center is on the top floor of your building, intruders can descend through roof vents or air-conditioning access panels into the room below. To prevent such entrance, secure external roof vents and air-conditioning equipment with appropriate bars, grates, or additional fasteners. Equip rooftop security bars and grates with inconspicuous seals; inspect the seals regularly to ensure that someone hasn't tampered with them in preparation for a future assault.

Electrical power. If the master circuit-breaker panels are near the data center (e.g., just outside the door), move them or lock them if local ordinances permit. A possible break-in strategy is to turn off the power in the hope of disabling alarms, cameras, and other perimeter-protection equipment. If you have a UPS for your servers, you might be able to move detection equipment to your high-availability circuits so that you have some measure of protection during power outages.

Inside the Data Center
If intruders make it past the perimeter security and into your data center, you might still be able to detect their presence and slow down their activities. You can try the following methods.

Electronic surveillance. A security professional can help you combine many electronic detection systems such as cameras (both visible and concealed) and video recorders, door switches, motion detectors, sound-discrimination sensors, photocell beams, proximity switches, IR sensors, cabinet-door switches, and wireless technologies into a comprehensive detection system. Carefully control information about the details and location of any surveillance devices that you install.

Console security. Some consoles offer user-logon security enhancements to limit user access to particular nodes. Access restrictions let users control only the machines on their authorization list. Intruders can directly connect their own monitor, keyboard, and mouse to the servers to defeat this feature, but doing so takes extra time, especially if the server racks are properly locked.

Rack security. Most production server racks have locking front and rear doors. The doors and locks can be forced, but they do make reaching the server on-off switches, disk drives, and Power Distribution Unit (PDU) switches more difficult. Retract or remove rack wheels to make moving the racks more difficult. Store screwdrivers, wrenches, and other hand tools away from the site to prevent intruders from using them to pry open doors and remove parts.

External monitoring. You probably already use scripts or an application to monitor server responsiveness and report offline servers, stopped services, and so on. However, you probably monitor from a dedicated server or workstation in the data center. Set up a secondary monitoring node outside the server room. This node will sound the alarm if an intruder disables the network connection or shuts down the primary unit to prevent notification pages from getting out of the server room. Set up and operate secondary monitoring discreetly, with a minimum number of people in the loop and a special list of page recipients.
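The decision logic a secondary monitoring node could apply, as an added example that is not from the original article. The heartbeat timeout, probe port, host names, and recipient list are assumptions made for illustration.

```python
import socket
from datetime import datetime, timedelta

# Assumed values for illustration; tune them to your own paging policy.
HEARTBEAT_TIMEOUT = timedelta(minutes=5)
SECONDARY_PAGE_LIST = ["secondary-oncall@example.com"]  # hypothetical recipients

def probe(host, port=3389, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds from this node.
    The default port is an assumption; use one your servers actually listen on."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def assess(now, last_heartbeat, probe_results):
    """Classify what the node outside the server room currently sees.

    last_heartbeat: datetime of the primary monitor's last check-in, or None.
    probe_results:  {hostname: reachable} gathered by this node, e.g. via probe().
    """
    silent = last_heartbeat is None or now - last_heartbeat > HEARTBEAT_TIMEOUT
    down = sorted(h for h, ok in probe_results.items() if not ok)
    if silent and probe_results and len(down) == len(probe_results):
        state = "ROOM_UNREACHABLE"  # primary silent and every server dark
    elif silent:
        state = "PRIMARY_SILENT"    # servers answer, but the primary monitor does not
    elif down:
        state = "HOSTS_DOWN"        # primary is alive and should already be paging
    else:
        state = "OK"
    # Only the cases the primary cannot report go to the separate recipient list.
    page = state in ("ROOM_UNREACHABLE", "PRIMARY_SILENT")
    return {"state": state, "down": down,
            "notify": SECONDARY_PAGE_LIST if page else []}

def demo(minutes_silent, reachable):
    """Constructed scenario: two servers and a heartbeat of the given age."""
    now = datetime(2001, 9, 17, 23, 45)
    results = {"FILESRV01": reachable, "SQLSRV02": reachable}
    return assess(now, now - timedelta(minutes=minutes_silent), results)
```

Run `assess` on a schedule from the node outside the server room, feeding it the results of `probe` for each server and the time the primary monitor last checked in.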

Remote access to servers. Remote administration tools such as AT&T Laboratories Cambridge's Virtual Network Computing (VNC), Netopia's Timbuktu, Symantec's pcAnywhere, and Windows 2000 Server Terminal Services in Administrative mode can save time by providing easy access to your secured servers. Unfortunately, these tools can permit unauthorized access just as though the intruder were sitting at the console. Maintenance vendors often use RAS to access servers for software upgrades and problem diagnosis. Some remote-access tools use one password per server for all users. If you use these tools, change their passwords regularly and allow only a very limited group of authorized users. Disabling remote-access tools and RAS is probably the best way to ensure that an intruder doesn't use them as a virtual doorway into your server room.

Inventory and ID tags. Keep an inventory of all computer equipment that someone could remove during a break-in (e.g., servers, disk drives, monitors) and attach corporate asset tags or other appropriate ID markings to these devices. Compare actual equipment with asset records annually. If you have a break-in, these practices will aid in determining what's missing and identifying recovered property.

After-hours logon monitoring. Implement a policy that requires data-center administrators and users to log off at the end of the day. You can use the Winexit screen-saver utility in the Microsoft Windows NT Server 4.0 Resource Kit or the Microsoft Windows 2000 Server Resource Kit to automatically log off users after a period of inactivity.

Use scripts or applications to monitor for after-hours logons, log them, and trigger pages if appropriate or if administrator accounts were used. After-hours logons could be legitimate activity—or intruders using captured credentials to gain access.
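One way to script the after-hours check described above, as an added example that is not from the original article. The business hours, administrator account names, and the comma-separated export format are assumptions; the sample records are constructed.

```python
from datetime import datetime, time

# Assumed policy values (not from the article); adjust to your site.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # Monday through Friday
ADMIN_ACCOUNTS = {"administrator", "dcadmin"}  # hypothetical account names

# Constructed sample export: timestamp,account,host,logon_type
SAMPLE_LOG = """\
2001-09-17T09:12:44,jsmith,FILESRV01,interactive
2001-09-17T23:41:07,Administrator,FILESRV01,interactive
2001-09-18T02:03:19,jsmith,SQLSRV02,remote
2001-09-22T14:30:00,mlee,FILESRV01,interactive
not-a-record
"""

def parse_line(line):
    """Return (timestamp, account, host, logon_type), or None if malformed."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]

def is_after_hours(ts):
    """Weekends count as after hours; so does anything outside the daily window."""
    if ts.weekday() not in WORKDAYS:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)

def review_logons(log_text):
    """Return (findings, skipped): after-hours logons and the malformed-line count."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count unparsable lines so gaps in the log are visible
            continue
        ts, account, host, logon_type = rec
        if is_after_hours(ts):
            # Administrator accounts page someone; everything else is logged.
            action = "page" if account.lower() in ADMIN_ACCOUNTS else "log"
            findings.append({"time": ts, "account": account, "host": host,
                             "type": logon_type, "action": action})
    return findings, skipped
```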

Backup-tape security. Secure a primary set of backup tapes onsite and store a second set offsite. If intruders destroy both your primary backup tapes and servers, a second offsite set of tapes is crucial to restoring operations. If your company has other nearby offices, ask the IT administrators at those offices whether they have a secured room available and want to develop a mutual tape-storage strategy. If you can't find a secure in-company location, companies that specialize in media archiving (e.g., Iron Mountain) can help you.

Evaluate your risks, discuss your exposure and possible solutions with management, and implement the countermeasures you feel are appropriate. (For a few additional steps you can take, see the sidebar "More Physical Security Measures.")

As an IT manager or systems administrator, you've already protected your valuable corporate data with appropriate permissions, auditing, and monitoring. Extending those protections to the physical data center itself only makes sense. You don't want to receive a call in the middle of the night telling you that the data center you're responsible for has been the victim of an attack.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.