9

As a result of a security audit there's the need to lock the racks and manage the keys:

  1. Keep the keys safe
  2. Record key usage

Complying with these two requirements has many challenges as there are a lot of possible sysadmins and netadmins (around 10) that need access to the server room.

We are considering several possible solutions, but every one has some drawbacks, mainly related to who is the key master and how to maintain availability in the case of absence of such a person.

Do you lock your racks? How do you manage the keys to assure availability and accountability?

chmeee
  • There's an added problem I forgot to include in the question: the server room is shared by different government agencies, that's why only server room locks are not enough. – chmeee Jun 18 '09 at 17:37
  • 2
    I'm the key master, are you the gate keeper? – Scott Jul 22 '09 at 19:32

15 Answers

12

Buy a key safe, put it in the server room, give the key(s) to the key safe to your trusted minion(s) and one or two helpful backup folks (friendly and helpful owners, or the accounting people who are already trusted with cash and such).

The trusted folks are the only ones who lock and relock racks, and they write themselves in on a log.

Since the safe is in the server room, it should be covered by whatever security you've already got there.

Yannone
  • 2
    +1: This is what Key-safes are for. Sophisticated models handle check-in/out of keys to individuals – Michael Haren Jun 18 '09 at 17:45
  • Key safes are excellent and in many cases integrate easily into any sort of RFID-enabled badge you may have. We use a Morse Watchman KeyWatcher. – Xorlev Oct 10 '09 at 22:18
8

Put them in a lock box secured by a digital passcode for each user, which then logs entry to the box.

crb
3

We don't lock the server racks, we lock the room and it's across the hall and visible from the offices of 3 or 4 IT people, so no one could get in there w/out us noticing.

The lockbox with passcodes for each person idea mentioned above is a good one. Re-reading the questions, I see the part about auditing key use. I know that the lockboxes realtors use here can do this: each realtor has an electronic key that's registered to them, the lockbox records which key opens it, and the owner of the lockbox can download a report. I don't imagine this is cheap, however...

Ward - Reinstate Monica
3

I would recommend locking the server room, not the racks. Furthermore, to track individual access I would use a keycard system to allow access to this room.

The keycards are unique to each person and can be programmed to allow access during specific times of day and days of the week. This allows you the most control, so that some people might have 24/7 access, while others might only have 9-5 access.

Also, systems like this allow you to create reports showing exactly who entered the room when, so you have a full audit log.

Richard West
1

I'd definitely consider fitting a pass-code lock to the server room door - it's much easier than managing the keys and the locks are pretty reasonably priced now. Or you can spend a little more and get one that offers separate codes per user so it will log access in to the room.

I leave the racks themselves open as I find it easier to work with and it helps with airflow.

Chris W
0

Keys get lost, copied, and are not tracked well.

I would use combo locks for the racks that track usage as each person gets their own code.

Have worked in a place with these:

Auditcon 252

http://www.kaba.co.uk/products/auditcon-2-series-model-252.asp

Also put up a camera so you can see who opened what, and when.

MathewC
0

I KNEW this link would come in handy some day CyberKeys

It's WAY more than I need, but looks like it's exactly what you are looking for.

Don't you just love when auditors say you need something, but have no suggestions?

Michael Hampton
Brad Bruce
0

If they are APC racks like ours, you can buy replacement rack locks that change them from key locks to combo locks.

http://www.apc.com/resource/include/techspec_index.cfm?base_sku=ar8132a

Expensive, but worth it for us.

TheCleaner
0

There are plenty of solutions for this sort of thing. I had a friend who worked at a place where they had to manage over 500 vehicle keys -- no heavy technology required. Try a place like this.

duffbeer703
0

We don't lock our racks, but we don't share a server room either. Keys that are controlled and shared in common are in a locked keybox in a secured room. We log the keys in and out of the keybox. These are primarily keys to other wiring closets and the like, but then we know who had which key when, and the box is secured through its own lock (albeit easy to physically defeat) and the keycard access to the data center (which is logged).

Laura Thomas
0

We use a keysafe as well. It lives inside a mantrap between a small business operations center and the actual DC. To get a key, you have to badge into the mantrap, badge into the safe and complete a hand scan. Then, you badge into the DC. All of this is monitored by video.

dr.pooter
0

We got rid of key locks on our racks and put in electronic locks that were hooked up to our building security system instead.

If someone lost their access card or was fired it took less than a minute to revoke access. It also gave us logs of who was opening racks and when. As well as limiting access for personnel and clients to only the racks they were supposed to have access to.

Edit: Another trick we did with it was give our regular contractors access cards that were disabled by default, when we called them to go in and do work the NOC would enable their cards for that period. Saved them having to come into the NOC which was in the next suburb over for keys first.

Haakon
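The per-card rules described in the answers above (time-of-day schedules, per-rack authorisation, revocation, and contractor cards that stay disabled until the NOC enables them for a window), sketched as an added example that is not part of any answer or any vendor's product. All class, card and rack names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass
class Card:
    holder: str
    racks: set                 # racks this card may open
    days: set = field(default_factory=lambda: set(range(7)))  # 0 = Monday
    start: time = time.min     # daily window
    end: time = time.max
    enabled: bool = True       # False: disabled by default (contractor card)
    windows: list = field(default_factory=list)  # temporary (from, until) enablements
    revoked: bool = False

class RackAccess:
    def __init__(self):
        self.cards, self.audit = {}, []   # audit records every decision
    def enable_for(self, card_id, start, until):  # NOC opens a temporary window
        self.cards[card_id].windows.append((start, until))
    def revoke(self, card_id):
        self.cards[card_id].revoked = True
    def request(self, card_id, rack, now):
        card = self.cards.get(card_id)
        if card is None:
            reason = "unknown card"
        elif card.revoked:
            reason = "revoked"
        elif rack not in card.racks:
            reason = "rack not authorised"
        elif not (card.enabled or any(s <= now <= u for s, u in card.windows)):
            reason = "card not enabled"
        elif now.weekday() not in card.days or not card.start <= now.time() <= card.end:
            reason = "outside schedule"
        else:
            reason = "opened"
        self.audit.append((now.isoformat(), card_id, rack, reason))
        return reason == "opened"

def demo():
    # Constructed sample data: card ids, racks and times are made up.
    acl, t = RackAccess(), datetime(2009, 6, 18, 14, 0)
    acl.cards["A1"] = Card("admin", {"R1", "R2"})
    acl.cards["C7"] = Card("contractor", {"R2"}, enabled=False)
    results = [acl.request("C7", "R2", t)]                 # not enabled yet
    acl.enable_for("C7", t, datetime(2009, 6, 18, 18, 0))
    results.append(acl.request("C7", "R2", t))             # inside the window
    results.append(acl.request("C7", "R1", t))             # rack not on the card
    acl.revoke("A1")
    results.append(acl.request("A1", "R1", t))             # revoked card
    return results, acl.audit
```

Denied attempts are written to the audit trail with their reason, so the log answers both "who opened what" and "who tried and failed".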
0

Standardize the locks (get them keyed the same) so they are all the same; that way you have fewer issues with keys going missing and such. Most locksmiths should be able to do this if they use the same type of locks.

p858snake
0

Racks aren't secure. You can take the doors off of most racks in a couple of seconds even when they're locked.

You may need locks for some certification, but remember this if you really want to depend on it.

Thomas
0

Have you thought of using Rittal CMC remotely-unlocking racks? That way you can have an audit of what was open when, no keys needed at all.

Chopper3