Kansas Quarterly Interest
The Newsletter of the Office of the State Bank Commissioner
Summer 2007 Issue


Physical Security Controls for Server Locations
By: Glen Caspers, Regional Manager-Technology Division

As part of our on-site examinations, OSBC staff review a bank's security measures to control both physical and environmental threats to servers and other critical technology components. Basic controls are necessary to help protect the servers and the data stored on those servers. An important step in securing your network's servers is to ensure that they cannot be tampered with physically. One of the worst ways of starting an IT examination is having the examiner march in and spy your servers stacked up behind the teller line. Servers should be located in a locked room to which access is strictly controlled and documented. Banks should not depend on "security through obscurity," thinking that putting these critical computers in an out-of-the-way, but unlocked closet will thwart a determined data thief or disgruntled employee with sabotage on their mind. The following are some physical security controls you should consider at your institution:

1. The room where servers are located should be secure and separate from all other activities. Ideally, this room should be specifically designated as a "server room", with only the servers and related computing equipment stored there. Doors to the room should be kept locked and secured with a key lock, combination lock, card access system, or some other type of lock. Access to the room should be restricted to only those people who need to have access to the servers to perform their normal job functions. Intrusion alarms on the doors or motion sensors in the server room should be considered. If the location has windows facing the outside, they should also be secured, alarmed, and covered so the equipment cannot be seen from the outside. Installation of bars or metal mesh over the windows should also be considered.
2. If a separate room is not available or feasible, consider locking the server case so that an unauthorized person cannot steal the hard disk or damage the machine's components. Or, at minimum, completely enclose the server(s) in a locked cabinet or cage, making sure to allow adequate ventilation.
3. The server room should have fire/smoke detection monitors. Additionally, fire suppression equipment should be in the room, whether it is a sprinkler system or hand-held fire extinguishers. No one believes a fire in the data center could happen to them, but all it takes is a malfunctioning power supply or an improperly maintained AC unit and your data center, and possibly your entire building, goes up in smoke.
4. Water detectors should be placed in the room if the area is prone to moisture, water seepage, or is located near water pipes. Basement locations or locations below or next to bathrooms would be good candidates for moisture detectors.
5. Monitoring environmental conditions such as temperature and humidity is also a good idea. Depending on the volume of space in the area and the amount of equipment in use, heat buildup can occur. Separate cooling units for the area should be considered. Systems are available that monitor room temperatures and notify someone if temperatures reach a predetermined critical point.
6. An uninterruptible power supply (UPS) or battery backup should be considered for the servers. While a UPS or battery backup may keep servers from crashing during a short-term power loss, it will eventually lose power during a long-lasting outage. If a UPS or battery backup is used, software should be considered that will properly shut down your equipment before the battery is exhausted.
7. All of the equipment discussed above (alarms, monitors, heat/air conditioners, fire suppression systems, etc.) should be tested on a regular schedule and receive preventative maintenance. Regardless of who actually performs the testing and maintenance, written reports should be retained that document the process and results.
