Educause Security Discussion mailing list archives
Re: physical security of datacenter with hosting services
From: "William C. Moore II" <wcmoore () VALDOSTA EDU>
Date: Fri, 27 Apr 2007 16:06:40 -0400
Bob, On a similar note how did your campus insure that the current or previous monitoring staff 'done no harm' to the monitored systems while it was monitored? I believe there has to be a certain level of trust, coupled with binding agreements and back ground check, among the staff and the administrators of the systems. You will always inherit some risks but can you use the previous steps of how a person was approved to be a monitor as proven effectiveness for future actions and a precedence? For example why did you trust little Johnny to monitor the main server room? What approval process was there? Bill William C. Moore II, CISSP, MEd, MLIS Assistant Director of Information Technology Information Security Valdosta State University Valdosta, GA 31698 Phone:(229)333-5974 Fax: (229)245-4349 *********************************************************************** The information transmitted is intended only for the person addressed. Any unauthorized review, distribution or other use of or the taking of any action in reliance upon this information is prohibited. If you received this message in error, please contact the sender and delete or destroy this message and any copies. *********************************************************************** -----Original Message----- From: Lovaas,Steven [mailto:Steven.Lovaas () COLOSTATE EDU] Sent: Friday, April 27, 2007 14:40 To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] physical security of datacenter with hosting services Bob, Many IT folks view computer center operations staff as an expensive anachronism, but your problem points out one very useful purpose they serve. Once you remove human monitoring and let a person into your "secure" space, you mostly have to rely on trust. To a certain extent, you can limit access by group. Install locking cabinet doors on department-specific racks, or chain-link fences between groups of racks. Commercial datacenters often do this, using a 2nd level of physical access control to grant access only to appropriate equipment. You could try to do this with technology, as well, requiring dongles or tokens for direct machine access. Which you try depends a lot on how much floor space you have, and how many different groups need access. In a university setting, the answer is probably "not much room and lots of different people." Ultimately, though, if a person can get physical access to devices, you have to assume that he/she is going to play nice. If a person you trust decides to "go postal" on your network or servers, all you can do at that point is monitor what they he/she be doing (or might already have done). Is the camera footage just archived, or does your campus security/police actively monitor who's in there? Is there a big sign indicating that the police are watching? Don't forget the "people" part... Background checks for the people with this kind of access would seem appropriate, though I know that can cause HR issues. Also, make sure the signed security agreement has teeth. If someone can't get fired for violating the agreement, it's just a piece of paper. We still have a staffed data center, and though the operators can sometimes seem like they're prying or being overly territorial, I value having them there! Steve ============================================== Steven Lovaas, MSIA, CISSP Network Security Manager Academic Computing & Network Services Colorado State University 970-297-3707 Steven.Lovaas () ColoState EDU ============================================ -----Original Message----- From: Bob Bayn [mailto:Bob.Bayn () USU EDU] Sent: Friday, April 27, 2007 11:36 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] physical security of datacenter with hosting services Our central data center of about 1800 sq ft is being overhauled and upgraded after about 20 years of service: new water cooled air conditioning, UPS, standard rack systems with hot and cold aisles and elimination of operations staff. After the overhaul the facility will provide additional hosting capability for the wide assortment of servers scattered across campus and will give campus planning services the opportunity to reject attempts to create mini-datacenters in departments in favor of using our improved location to host their servers. The consequence of concern to me is that we will have many more people expecting to have access to their equipment in the data center which we will no longer have staffed. We will have access control by biometric scanner and will have cameras throughout the facility. However, someone authorized to manage the server for the department of redundancy department will also have physical access to all of the core services housed in the same room. They will have signed security agreements but their visits to the data center may not be directly monitored. How do others manage the physical access by 30-50 people to an unstaffed central data center and maintain assurances that core systems are uncompromised? Bob Bayn IT Security Team Utah State University Logan, Utah
Current thread:
- physical security of datacenter with hosting services Bob Bayn (Apr 27)
- <Possible follow-ups>
- Re: physical security of datacenter with hosting services Bill Kyle (Apr 27)
- Re: physical security of datacenter with hosting services Julian Y. Koh (Apr 27)
- Re: physical security of datacenter with hosting services Lovaas,Steven (Apr 27)
- Re: physical security of datacenter with hosting services Michael Sana (Apr 27)
- Re: physical security of datacenter with hosting services William C. Moore II (Apr 27)