A few days ago, a situation in a local organization took place where a well-intentioned IT employee caused several thousand dollars’ worth of damage and hours of downtime. He was trying to help organize a datacenter and damaged some fiber cables that provide the backbone between two environments.
Immediately, questions were asked. Why was he in the datacenter unescorted? How did he get access? Why was he trying to work on equipment that he had no reason to have access to? In IT, we put a lot of effort into securing our systems and our networks. We spend a lot of money purchasing intrusion detection systems, firewalls, anti-virus/malware systems, and so on.
It occurred to me that we often have no idea who is in a datacenter at any given time. Especially in a large datacenter or an environment with multiple datacenters, several people from different departments, divisions, companies, or workgroups can gain access to the datacenters and everything in them. Some time ago, I attended a training class for ethical hacking that focused on preventing hacking; several of the methods involved the hacker actually having physical access to your equipment, cables, etc. I kind of dismissed these threats, thinking that if a hacker had physical access to my datacenter, they would own me; they could just pick up my equipment and take it with them. I still believe that to be true; however, an insider could very well walk out of a datacenter they have legitimate access to with data they don’t.
My first thought was that combination locks should be installed on all datacenters to ensure that nobody could gain unauthorized access, but what about shared datacenters? Many equipment racks have locking doors that can be secured to protect the equipment and cabling inside, but most of the racks usually take the same key.
I have worked in datacenters that had card swipes on each rack, so that you would be able to access the equipment to which you were granted rights and nothing more. A record was also kept of who accessed which racks and when. The only downside is that this is another system that needs to be managed.
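The per-rack card-swipe model just described, and the earlier point that we often have no idea who is in a datacenter at any given time, can be captured in a small access-control and audit model. The code below is an added example, not something from the original post or from any product the author used: the badge ids, rack ids, entitlements and timestamps are all constructed sample data. It shows a deny-by-default rack entitlement check, an append-only audit log, a reconstruction of who was in the room at a given moment from the enter/exit events, and a report of denied rack-open attempts that a reviewer would want to see.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample policy: badge id -> set of rack ids the holder may open.
# A badge not listed here is not known to the system at all; a listed badge
# with an empty set may enter the room but may not open any rack.
RACK_ENTITLEMENTS = {
    "badge-1001": {"rack-A1", "rack-A2"},  # network team
    "badge-2002": {"rack-B7"},             # storage team
    "badge-3003": set(),                   # facilities: room access only
}


@dataclass
class AuditEvent:
    ts: datetime
    badge: str
    target: str     # "room" or a rack id
    action: str     # "enter", "exit" or "open"
    allowed: bool


@dataclass
class AccessControl:
    entitlements: dict
    log: list = field(default_factory=list)   # append-only audit trail

    def room(self, badge: str, action: str, ts: datetime) -> bool:
        """Room door: any known badge may enter or exit; unknown badges are logged and denied."""
        allowed = badge in self.entitlements
        self.log.append(AuditEvent(ts, badge, "room", action, allowed))
        return allowed

    def open_rack(self, badge: str, rack: str, ts: datetime) -> bool:
        """Rack door: deny by default; only racks explicitly granted to the badge open."""
        allowed = rack in self.entitlements.get(badge, set())
        self.log.append(AuditEvent(ts, badge, rack, "open", allowed))
        return allowed

    def present_at(self, when: datetime) -> set:
        """Reconstruct who was inside the room at `when` from successful enter/exit events."""
        inside = set()
        for ev in sorted(self.log, key=lambda e: e.ts):
            if ev.ts > when:
                break
            if ev.target != "room" or not ev.allowed:
                continue
            if ev.action == "enter":
                inside.add(ev.badge)
            elif ev.action == "exit":
                inside.discard(ev.badge)
        return inside

    def denied_rack_attempts(self) -> list:
        """Rack-open attempts outside the holder's entitlements: the events worth reviewing."""
        return [ev for ev in self.log if ev.target != "room" and not ev.allowed]

    def rack_history(self, rack: str) -> list:
        """Successful opens of one rack, in log order."""
        return [ev for ev in self.log if ev.target == rack and ev.allowed]


def build_sample_log() -> AccessControl:
    """Replay a constructed morning of badge activity and return the populated system."""
    ac = AccessControl(RACK_ENTITLEMENTS)
    d = lambda h, m: datetime(2024, 1, 1, h, m)   # constructed timestamps
    ac.room("badge-1001", "enter", d(9, 0))
    ac.open_rack("badge-1001", "rack-A1", d(9, 5))    # allowed
    ac.open_rack("badge-1001", "rack-B7", d(9, 10))   # denied: not the network team's rack
    ac.room("badge-2002", "enter", d(9, 15))
    ac.open_rack("badge-2002", "rack-B7", d(9, 20))   # allowed
    ac.room("badge-1001", "exit", d(9, 30))
    ac.room("badge-9999", "enter", d(9, 40))          # unknown badge, denied at the door
    return ac


if __name__ == "__main__":
    ac = build_sample_log()
    print("in the room at 09:20:", sorted(ac.present_at(datetime(2024, 1, 1, 9, 20))))
    for ev in ac.denied_rack_attempts():
        print("DENIED", ev.ts.time(), ev.badge, "tried", ev.target)
```

The point of `denied_rack_attempts()` is that a swipe system only pays for itself if someone reads the denials: a badge repeatedly trying racks it does not own is exactly the "well-intentioned" activity that preceded the incident above, and it is visible before anything is unplugged.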
Obviously you need to put some trust into who you allow into your datacenter, but accidents do happen. Most equipment and racks look very much alike, so mistakes can occur. The challenge we now face is how to defend against and mitigate the risk of unauthorized datacenter access. I have utilized several shared datacenters, and access to these datacenters was very controlled and limited… but most of the time when I went in there, someone else was there. I often didn’t know who they were, and they didn’t know me.
There are lots of potential solutions that come to mind, but this just goes to show the importance of the basic physical security aspect of IT – which is, unfortunately, often overlooked when developing layered security and defense-in-depth strategies.
http://www.techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/
https://www.nsa.gov/ia/_files/support/defenseindepth.pdf
http://www.sans.org/reading-room/whitepapers/warfare/defense-depth-impractical-strategy-cyber-world-33896