2

After reading a similar question on Reddit, I wanted to hear from the serverfault community on the practice of letting maintenance staff into server rooms without supervision.

There are obvious dangers such as:

  • Theft (both of physical servers and of data)
  • Breaking things (introducing water, tripping the power, etc.)

Do maintenance staff generally have access to server rooms?

Tom Marthenal
  • 9
    Absolutely not. My rule of thumb is if you do not work for my IT dept. you do not get unsupervised access to the server room. Period. –  Jul 06 '12 at 20:28
  • 3
    This reminds me of the oft-repeated tale of the server that mysteriously rebooted at about the same time every day which, when observed in person, turned out to be the cleaner unplugging it so that she could plug her vacuum cleaner in. – Chris McKeown Jul 06 '12 at 22:48

4 Answers

7

I have never encountered a scenario where mission-critical server hardware was not under lock and key. Access should always be restricted to qualified IT personnel. If you are on the hook for whatever happens in that room, then you get very stingy with access very quickly.

Don't let your maintenance personnel in the server room. Sweep (don't vacuum) it and keep it clean yourself.

Joel E Salas
  • I find server rooms, by virtue of good air filtering/conditioning and minimal foot traffic, really don't need more than the odd sweeping/dusting. – gravyface Jul 06 '12 at 20:55
7

Not to be a contrarian, and I'm not advocating that non-IT staff should have access to your server room, but I'd like to posit the following questions and points as an illustration of what I believe is wrong thinking related to IT infrastructure, server rooms and data centers:

  1. You're worried that someone may steal equipment or data. Is it not possible for them to steal equipment or data from any other location other than the server room? Do you have the same concerns regarding the maintenance staff in relation to their access to other areas of the building? Could they not steal data by simply sitting down at someone's workstation, laptop or terminal? Surely if they're savvy enough and skilled enough to steal data due to their having physical access to the server room then they're savvy enough and skilled enough to do it from any workstation, laptop or terminal anywhere in the building, no?

  2. Is the server room the only place that the maintenance staff can inadvertently or purposely/purposefully trip the power, or activate the fire suppression system, or flood the building or cause any one of a number of other "disasters"?

  3. Is it the fact that they're maintenance staff that stokes your concern about them being in the server room? That seems like a bit of intellectual bias to me. They're smart enough to push a broom or repair the HVAC system but not smart enough not to break something in the server room? They're trustworthy enough to empty the CEO's wastebasket but not trustworthy enough to have access to the server room?

  4. What's lacking in your controls that would give them the ability to steal equipment or data? What's lacking that would allow them to trip the power or introduce water?

I regularly work in a data center that is PCI-DSS compliant and SAS 70 Type II certified that allows their maintenance staff access to the data center "floor" to perform tasks related to their jobs as maintenance personnel. The maintenance staff is vetted the same as any other employee, visitor, customer or vendor.

Should they have access to the server room? Maybe not, but not for the reasons you postulated in your question.

joeqwerty
  • 1. Stealing a workstation, laptop, etc probably won't bring down a company. Stealing the servers, though...very well could. Stealing the data probably could too, depending on what you do with it...but that's a bit harder to get at from some random computer than from the server's console. – cHao Jul 07 '12 at 02:41
  • 2. You're not in control of those other places. If someone somehow manages to kill power to the whole building or something, there's not much you can do (absent a generator). But if they unplug the server to plug in their vacuum cleaner or something...what is the first thing the PTBs will ask? "Why was that idiot in the server room in the first place?" Hint: "Cause I don't wanna clean it myself" probably won't cut it. – cHao Jul 07 '12 at 02:45
  • 3. It's not about smarts -- it's about specialties. You don't let outsiders wander unsupervised around a construction site or a mechanic's shop either. Or, ironically, an HVAC repair shop. The people who are in there pretty much have to know what to do where and when...or be shepherded around by someone who does. Why, then, should some guy who probably has no training in IT stuff be allowed to wander around in a room with semi-unique hazards, where a bit of water here or a couple of keystrokes there or flipping the wrong switch could wreak havoc? – cHao Jul 07 '12 at 02:57
  • 4. Do you leave your house's front door unlocked and just lock up all the important stuff you don't want people messing with? I kinda doubt it. Why do that with your server room, considering that the equipment and data in there might very well be worth more than your whole house? :) *And* considering that if something goes wrong in there, that's your spot (and therefore, ultimately your responsibility)? – cHao Jul 07 '12 at 03:04
  • It's not an issue of trust, but an abundance of caution. Unlike your data center staff, our maintenance staff are not given training in how to properly clean (or even avoid disrupting) computer systems. In addition, the vetting is done by the building manager, not by us, and turnover is very high. – Tom Marthenal Jul 07 '12 at 04:07
  • You're absolutely right when it comes to an enterprise deployment. Unfortunately, most "server rooms" are not "data centers." Smaller enterprises don't have the resources to vet their staff in the same way (and provide the commensurate compensation), or to build maintenance staff-resistant datacenters. – Joel E Salas Jul 08 '12 at 02:36
3

I think you understand the risks. The answer is absolutely not. First of all, only trusted personnel should be in your server rooms with specific access. We also ensure every entry into the room is logged.

Just by keeping it simple by cleaning up after oneself, and ensuring that everyone is educated with this, the room will be neat and tidy.

With best practices put into place, you should not need to have janitorial crew go through your server room. Similar to cable management, if you do things right the first time you won't have to bother revisiting what you've done.

1

What counts as maintenance staff? The above answers seem to imply that only janitors would fall into this category but staff electricians, HVAC engineers, etc are often part of the maintenance crew in lots of shops.

Lots of larger enterprise DCs I've had contact with have actually specifically excluded the majority of IT staff - to include senior systems and network engineers, etc. The idea is that a very specific set of DC facilities/operations people should be sufficient to physically operate the infrastructure without particular non-facilities domain experts being allowed into a space that they're often not qualified to be in anyhow.

It's actually only in the smaller facilities that I've seen sysadmins typically involved in standard rack-and-stack / cabling. Some network organizations keep their hands in longer, but even they end up splitting off day-to-day cabling (and even a lot of the layout/design) to dedicated facilities people. I've generally just chalked this up to the greater need for specialization.

BTW - Dedicated DC facilities orgs will often have their own specially trained cleaning staff. There -is- need to keep these areas clean over time, albeit through different means than standard office space.

rnxrx