It is essential that only authorized personnel have physical access to the datacenter. Data centers hold sensitive and crucial information and services. Software-based protections on your server(s) become far less effective or even useless as soon as an attacker gains physical access! Access into a data center is fairly limited.
Best practices:
- Use Role Based Access Controls (RBAC) on a physical level;
- Racks with hardware are by default locked;
- Equipment in the racks is smartly placed;
- Any authorized person to enter the datacenter has its own digital access key combined with something they know like a pin code and/or biometric measures;
- Visibility in the current security status is key for an accurate security;
- Make sure there are no exterior windows and relatively few entry points.
Role Based Access Controls on a physical level
Make sure that anyone that is authorized to enter the datacenter can only access those parts they are entitled to. Follow the principle of least privilege, give people the correct rights to do their job properly, nothing more nothing less. For example, an UPS and generator engineer does not need access to any of the racks in the datacenter and a Compute engineer should not have access to the UPS and generators.
Equipment Racks
By placing and using locks per 19-inch rack you can shrink the physical security domain from the whole datacenter to a 19-inch rack. By smartly placing the different hardware components and their specific roles in different racks can enable RBAC rights to that particular security domain. For example, do not place the Veeam Repositories in the same racks as the production storage or the hypervisor hardware.
Access to the Datacenter
An important part of a layered security defense is always knowing who entered the Datacenter and that access is being logged. Any authorized person to enter the datacenter has its own digital access key combined with something they know like a pin code and/or biometric measures. Make sure people are screened before they become an authorized person to access the datacenter.
Surveillance
It is crucial to protect a data center from external threats and attacks and to make sure only authorized personnel has access to the areas where they need to be. Monitor for suspicious activity using footage from surveillance cameras (CCTV) installed along the outside perimeter but also inside the datacenter.
IMPORTANT: Even though you do not have your own Datacenters and are renting space or even just Infrastructure as a Service, always check how the physical security is arranged and if it fits your security policy.
Resources:
- When surveillance equipment is connected to your infrastructure what to think about - Security Magazine
- Veeam Backup & Replication Best Practices - Architects website
- Back to main Infrastructure Hardening post
