We’ve all experienced these: theft of a laptop or other portable device in a supposedly secured environment, or theft of a server (not too common, but pricey). These usually come with an uncomfortable feeling of suspicion among the employees, as some of them try their hand at sleuthing!
This blog post discusses Physical Security in the I.T environment. For a more global Physical Security perspective, I find this document a much better piece of reading!
Today (it’s been a while since I’ve posted, I know), we’re going to look at the 5 most important steps every organization needs to take to ensure a minimum level of Physical Security. One of the key requirements for proper I.T Security is an underlying Physical Security. There is indeed little point in enforcing strong password policies on a server system if that system is sitting in the open and can easily be taken away by the first marauder to come along. In fact, a common joke among us security folks is the story of a contest between two security experts, the first one taunting the other to “hack” his server. The latter simply walked into the former’s server room, took the server and went off to his workshop, where he of course had plenty of time to “hack” it.
I must say that once your physical security is breached, there’s no help! In fact, once you let an ill-intentioned person near your system without supervision, do not assume that your data is safe. There are plenty of tools and utilities out there that people use to bypass even the most complex passwords. This will be a discussion for another day!
Now, let’s move on to these Steps:
STEP #1: GET A SERVER ROOM AND LOCK IT UP TIGHT.
Having a Server Room provides an organisation with a Boundary Zone (or Restricted Area) where security can be enforced. A Server Room should have a hard-to-pick lock (if possible, a multi-factor access control mechanism such as a combination of a key and an Access Code). Use a Server Rack to secure all Servers within, lock the cabinet, and secure it firmly to the floor.
STEP #2: SET UP CCTV SURVEILLANCE
Despite all the security protocols put in place (with the locks and the various access control mechanisms), anyone can still break in by forcing the locks. Setting up CCTV surveillance (which itself should be secured) lets you track the movements of everything caught within sight of the cameras, and the footage can be reviewed afterwards. Furthermore, a CCTV system is a deterrent to most ill-intentioned people.
STEP #3: DO NOT LEAVE ANY PORTABLE ITEM IN THE OPEN OR SECURELY TIE THEM TO AN UNMOVABLE ITEM
This includes notebooks, tablet PCs, smartphones, USB drives, even printers (yes, printers do have memory and disk, and data may be recovered from these). Using a Kensington lock to securely tie a device (Notebook, System Unit, Printer) to the desk is a killer technique. Lock all other items away in a drawer (don’t forget to take the key along with you), and keep other portable devices with you (in your pockets for smartphones, or around your neck for pen drives).
STEP #4: PROTECT YOUR BACKUP DISKS
Backing up data is a key disaster recovery element, and securing these disks or tapes is just as important as securing the Servers. Losing a notebook is a common occurrence in organizations with roaming users. In fact, I recently lost mine (forgot my luggage on the train). Though the Lost and Found Items department found mine, I didn’t feel desperate as I had a two-day-old backup of my data sitting on the server. I doubt everyone is that lucky.
So always keep a backup off-site under secure lock (bank account, or safe, nothing else). Also, always test your backups. And remember: a backup is only as good as the last successful restore.
STEP #5: BUILD AWARENESS WITHIN THE OFFICE FOR SECURITY RISKS
The weakest link in the security chain is human nature. We don’t need to come up with a conspiracy theory (though that would be a good one), but it is essential to sensitize users to the risks of security breaches. Imagine all your valued work going off the radar!
With that said, I highly encourage anyone reading this blog to check their organization’s security practices against these basic steps. If you’re missing one, you’re already at risk, and it won’t be a matter of IF it will happen, but WHEN it will happen.