Security Spotlight: Managing Physical Access
Consider this chilling thought: given 15 minutes and the right software, almost any halfway proficient IT professional can break into a server and establish administrative credentials. Widespread access to tools like NT Locksmith (works on Windows NT, 2000, XP, and so forth) or so-called “rootkits” for Linux and Unix machines makes maintaining physical security paramount—that is, keeping tabs on who has access to servers and preventing all but authorized personnel from attaining such access.
The answer to such needs can be as low-tech as a locked server room where only authorized administrators (and perhaps a trusted corporate officer) have keys. If all unauthorized personnel are truly kept away by such an approach, physical security can be established and server security better guaranteed.
On the other hand, many companies opt for electronic keycards or other similar electronic proofs of identity. These can also keep unauthorized staff away from important machines, and they can additionally track which ID opened the doors at which times as people enter and leave the server sanctorum. Companies with extreme security needs or highly sensitive materials or information may add surveillance cameras to the mix, or use manned checkpoints to control access and monitor in-room activity as well.
You decide how to make the trade-off between the cost and complexity of access controls by assessing the level of risk involved in leaving servers openly accessible and weighing potential risks or losses against the costs of various possible security solutions. When you find one that provides strong protection and costs less than your potential liability, you’ve hit the sweet spot!
Remember, too, that protecting physical security may mean making sure that access isn’t possible through ductwork or suspended ceilings. Likewise, it may be necessary to bar windows or other potential avenues for access. A lock on the server room door is worthless if the door can be bypassed. Finally, don’t forget about the cleaning crew: industrial espionage is rife with tales of those who’ve penetrated security by masquerading as a janitor! If you allow cleaning crews access to server rooms, you must either perform the same kind of background checks on such staff as on other authorized personnel, require a monitor to be present and awake at all times while they’re in the room, or take other steps to maintain physical security.
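The keycard audit trail described above is only useful if someone actually reviews it. The following is an added example (not from the original article) of a small review script that reads a constructed badge log and flags three conditions the text calls out: a badge that is not on the authorized list, an authorized admin entering outside expected hours, and a cleaning-crew badge entering while no authorized monitor is inside the room. The log format, badge IDs, and hour window are assumptions for illustration.

```python
from datetime import datetime, time

# Constructed sample badge log (not from any real system): timestamp, badge_id, event
BADGE_LOG = """\
2024-03-04 08:55:12,ADM-101,ENTER
2024-03-04 09:40:03,ADM-101,EXIT
2024-03-04 22:10:45,CLN-007,ENTER
2024-03-04 22:48:30,CLN-007,EXIT
2024-03-05 02:17:09,ADM-102,ENTER
2024-03-05 02:55:41,ADM-102,EXIT
2024-03-05 13:02:00,TMP-999,ENTER
"""

AUTHORIZED = {"ADM-101", "ADM-102"}        # admins with standing access (assumed IDs)
CLEANING = {"CLN-007"}                       # cleaning crew: allowed only when escorted
BUSINESS_HOURS = (time(7, 0), time(20, 0))   # expected window for routine admin access


def parse_log(text):
    """Parse 'timestamp,badge,ENTER|EXIT' lines into (datetime, badge, action) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, action = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), badge, action))
    return events


def audit(events):
    """Return (timestamp, badge, finding) tuples that deserve a human review."""
    findings = []
    inside = set()  # badges currently believed to be in the room
    for ts, badge, action in events:
        if action == "EXIT":
            inside.discard(badge)
            continue
        if badge in CLEANING:
            # Article's rule: cleaning crew only with an authorized monitor present
            if not (inside & AUTHORIZED):
                findings.append((ts, badge, "cleaning crew entered without escort"))
        elif badge not in AUTHORIZED:
            findings.append((ts, badge, "badge not on authorized list"))
        elif not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            findings.append((ts, badge, "authorized admin entered out of hours"))
        inside.add(badge)
    return findings


if __name__ == "__main__":
    for ts, badge, finding in audit(parse_log(BADGE_LOG)):
        print(f"{ts}  {badge}  {finding}")
```

Run against the sample log, the script reports the unescorted cleaning entry, the 2 a.m. admin entry, and the unknown TMP-999 badge, leaving the routine daytime visit unflagged.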