2

Recently, a customer asked not to close or lock his rented rack inside a cage in the data center. Is there any reason to reject his request on security grounds?

The rack is inside a private cage in the data center. If the rack were not inside a cage, everyone knows this must be rejected, as anyone could easily take equipment away from the unlocked rack. In this case, however, the rack is inside a private cage, and the cage is protected by an access system.

Therefore, is there any reason to support refusing the customer's request? I don't want the rack door kept open, as I just feel that is not safe enough, but I cannot provide a stronger reason to support this decision.

Anders
Kiwi
  • Did he provide a reason of why? – nd510 Mar 23 '17 at 02:52
  • I think if he has multiple racks inside the cage, he asks this to make his access simpler by using only one key to access all his racks – Mr.lock Mar 23 '17 at 03:58
  • "I want less security" makes me suspicious. I'm probably overthinking this, but are we sure it's the customer asking? – Mathieu K. Mar 23 '17 at 04:32
  • The case is that the customer wrongly ordered a relatively small rack (not deep enough) to hold his equipment. After the equipment was mounted in the rack, it even blocked some power sockets, and some cables are trapped at the back, making it hard to close the rear rack door... Since not all cables are connected, the rack door can still be closed. It is foreseeable that it soon cannot be closed. They told me their project schedule is tight and they are not willing to change to a bigger rack. Then they asked if there is any concern about not closing the door inside a private cage. – Kiwi Mar 23 '17 at 06:21
  • In that case, it's up to you; if you don't mind, then keep your customers happy. – dandavis Mar 23 '17 at 06:45
  • Whether they want to lock it is on them, but you ought to take more issue with the door not being closable for your own sake. You're inviting a workplace accident (and possible lawsuit) if someone clips an open door or snags a cable while walking past. – Ivan Apr 22 '17 at 19:14

2 Answers

2

If you decide to allow this, make sure you cover your own ass. Make sure you have a written and signed statement from the customer about this arrangement. Make sure the statement states that you've advised them not to do so, and have explained to them what the risks are, and that the customer will take full responsibility for any losses incurred to them and/or to you due to the non-standard procedure. Make sure the statement is signed by key decision makers at the customer's company, which should include the key technical personnel, security officers, and executives.

Ultimately, the customer's security and risk appetite is their own responsibility. If they are willing to put up with the risks against your advice, then that's on them. If the customer has their own security requirements, it's ultimately on them to make and break.

Also, if you yourself have your own compliance standards that you're subject to, ask them what they think about it. Make sure you won't get dragged into problems due to this.

Lie Ryan
0

Technically the cage door is one level of defense and the rack door is the second level of defense, so by not locking the rack he is losing a layer of defense in depth.

If you already have a policy about locked rack doors, that may still apply to racks within cages, depending on how your policy was written.

If your website advertises an auditing standard which should apply universally to the datacenter and that standard states something about the racks being locked in its physical security section, you may be able to point out that the client may be putting your compliance with that standard at risk (only if this is true). It's something to think about if you don't already have a policy which covers this.

It would also be wise for your team to check all racks (outside of cages), and cage doors for security every few hours. If this is a standard process you could start "reporting" this finding to them every few hours and possibly escalating the issue if appropriate.

Ultimately, if you didn't have anything in place prior to this coming up, you may be in a spot where you have to deal with this customer behaving this way, as this may not be a contractual violation and you may have nothing to really leverage to get them to change behavior. Does your contract with the customer allow you to change security procedures, and if so, is simply updating the policy and providing the client with sufficient notice that the policy has changed an option?

Keep in mind this may also be a hot button for your client, so be wise in how you approach this, and update your contracts and policies to prevent this issue or similar issues from being a problem with future customers.

Finally, I'd review your contracts and policies for basic things like smoking, liquids, foods, other organic materials, live animals/organisms, etc... You may find many other things missing that also need to be addressed. Bind agreement of these policies to your contracts if possible.

One additional thought: Ultimately you want good security to be easy to use. Is there a way to make it easier for your customer so he/she does the most secure thing automatically? Maybe this customer is having a problem with a poorly made key or something that could easily be fixed (depending on the doors maybe he/she thinks it helps keep the servers cool).

You want the customer to choose the most secure action on their own and not be forced to do so if possible. If there is resistance in their actions it might be wise to tackle what is creating the resistance rather than trying to tackle the customer.

Trey Blalock
  • Thank you very much for your advice. Yes, losing a layer of defence in depth and putting the standard at risk are better reasons to reject the request. The case is that the customer ordered a small cage and they are not willing to change to a bigger one. After mounting all the equipment and cables, the rear door will become impossible to close and lock. That's why the customer is asking whether it is possible to not close the rack door inside a private cage. – Kiwi Mar 23 '17 at 06:31