11

I wanted to know if anybody had any recommendations as to how to keep the server room secure from employees. There is a lock on the door, however, anybody with a building master (maintenance, owners, custodians, etc) can open it. It would be nice if it required the key and also had a proximity card lock so that we could log entry and restrict it further. Has anyone done this before? What are some other ways to make sure it is secure?

Brett G
  • 2,023
  • 1
  • 27
  • 45
  • 3
    Our building used to be a bank, so we keep our servers in the vault. nothing like a 3" steel door to keep people out.. – Dentrasi Sep 03 '09 at 19:12
  • 1
    @Dentrasi: My last office was an old bank. The vault door is awesome until you fool around and get a board wedged in it...Last time I fool around with a vault-door. I had to chip the board into pieces to get the door back opened. – Sampson Sep 03 '09 at 19:52
  • We have an old vault in our building. The vault door is about 8-10 inches thick and probably weighs in the neighborhood of 10 tons. I would not want to have to open that door on a regular basis. It's sheer mass is impressive and scary at the same time. I cannot imagine getting any body part "stuck" because once that door starts moving, it's moving until it shuts...there is no stopping it. – GregD Nov 18 '10 at 14:24

11 Answers11

15

Are those nice biometric and what have you devices of yours attached to UPS power? Is the entire chain, from reader, electric lock, any switches / distribution layer, to the authentication server and its database on emergency power?

I'm just asking because a few years ago we had the largest regional power loss in 25 years around here. I know of one major installation where they to their horror discovered that they couldn't enter their server room while the electricity was out. Their emergency procedures required them to power down non-essential servers, because their UPS power couldn't run the air conditioning at full output, so the server park heat output exceeded the A/C cooling when on emergency power. So they stood outside their server room, and wondered how hot it was getting in there...

I would suggest to keep it simple, with a good certified steel door, a steel door-frame that is well fastened to solid walls, and 2 good mechanical locks on the door (say 1 Medeco and 1 Kaba).

You can of course replace one of the mechanical locks with a swipe card, to gain a entry log during normal operation. Just be sure that the electric lock automatically disengages if power is out. Strictly speaking, this makes you more vulnerable against a James Bond style burglary, where the attackers cut power to the building before going in. This is a small risk, but one I'd much rather take than risk being locked out of my server room during an emergency.

10

Proximity cards are your best bet. The logging is there in a clean, concise format. Our data centers are secured by the same badge system that our external doors are secured with which allow for group access configurations.

Security cameras are another option, but the maintenance is problematic and it takes a little longer to sift through the video to find what you're looking for.

EDIT:
Bioscanners are another option, as Zypher pointed out, but then you start getting into privacy issues. In many countries this quickly gets legal involved.

squillman
  • 37,618
  • 10
  • 90
  • 145
7

Don't try to secure things too much, put the usual swipe or promixity card on and audit access. Lots of swipe locks can be further secured with a pin for trusted employees.

I know of a site where the server room is secured by the outsourced company, and access has to be requested in advance and a key provided to gain entry. As a result a minimum of 2 employees are required to be in the room at any given time - if 1 person went in, fell or had a server fall on him or otherwise was unable to get to the door to open it, they'd have to raise an emergency request to get a new key sent over, which would take far too long (personally, I'd smash the door open in such a case). Don't try to restrict access too much.

gbjbaanb
  • 3,852
  • 1
  • 22
  • 27
5

I'm a big fan of simple solutions that don't require too much extra hardware to function. I like strong doors, strong locks, and large, intimidating security guys named 'Larry', who can bench press the entire IT staff.

Locks do have a problem that many lock manufacturers are in denial about how easy their products are to pick right now, but that's where Larry comes in - you can't use a lockpick when Larry is around because he'll turn you into a pretzel.

Further, if the number of people who go in and out of the special door is small, Larry will learn to recognize them. And when someone who doesn't normally go through that door approaches, Larry will ask them what they are doing. And if they don't have a good explanation for their presence, well, it's pretzel time again!

Larry does have the downside of being an ongoing expense for your organization, but if you really need that door protected, then Larry can be a really big contributor to that protection.

Michael Kohne
  • 2,284
  • 1
  • 16
  • 29
3

We have our door at the local office setup with a badge reader that ties into our normal system. The lock is also keyed so that a master key cannot open it and only IT has a copy of the key as a just in case backup. In our data center we additionally have a hand scanner that ties into the system so you need both your hand and badge ID to get into the door, along with being in the group that allows access.

I would talk to whoever provides your normal badge entry systems for options on how to integrate it to your existing system (if you have one)

Zypher
  • 36,995
  • 5
  • 52
  • 95
3

In response to jesper.mortensen:

I agree that a good steel door, steel door frame, supported by solid walls, is ideal. That said, I don't see the point of having two mechanical locks on the door. A single swipe/proximity reader should be sufficient unless your business rules require both a physical key and an electronic key. Biometric access would be a good addition to proximity, IMO. I simply see no need for physical keys for routine access.

As for auto-disengage on power failure -- I think that's a horrible idea. If someone wanted in the office, they'd be able to defeat most or all of the locks just by finding a way to cut power to the facility. What we've done in some of our facilities is replacing the steel door frame with one that is specifically designed to permit key override. I've honestly not examined the mechanism to see how it works, but I do know that our electronic key system is set to fail-secure. If we need to get through a secured door and electronic locking is unavailable, we still have physical keys that we insert into a lock on the door frame, and the lock is released. Definitely more secure than just fail-insecure.

In any case, I'd also very strongly advocate a monitoring system in the room for both motion and entrance -- if anyone uses an electronic bypass key while the system is operational, an alarm would sound.

aNullValue
  • 447
  • 5
  • 10
  • Auto-disengage on power failure - depending on the room, the lock configuration and local fire codes, you may not get a choice on this one. In any sane jurisdiction, you CAN NOT lock people in just because the power failed. So unless the lock is also configured with a manual exit, it MUST auto-open on power fail. You'd be surprised how uncommon the manual exit is. I've worked at places with electronic locks, where someone gets a call to come in when the power fails so no one can rob the place. Stupid? Oh yea. But a consideration none the less. – Michael Kohne Sep 03 '09 at 19:06
  • I did know about those regulations existing in most places, but they didn't come to mind. Those places that I've seen electronic w/ key override have been 1) equipped with one-direction keyless override, or 2) been in a jail. – aNullValue Sep 03 '09 at 19:55
2

SmartCards etc so it's per-employee and logged.

Remember:

  • your entire business probably relies on the kit there
  • "need to have" only: not "I'm the boss"
  • your sysadmins need somewhere private to sleep off hangovers
gbn
  • 6,009
  • 1
  • 17
  • 21
1

We install S,E,A,P rated doors and partitions for many list x cxompanies ,these are approved by the Home Office asnd no one is getting in with out permission

phil
  • 11
  • 1
1

All good answers. I would also install a camera inside the server room. They are relatively inexpensive and can record on event and can be monitored remotely.

We have installed a mechanical push-button lock on one of our server room doors. The lock has number and letter buttons. Authorized personnel do not need a key and changing the combo is very easily done if staff leave or get fired.

cop1152
  • 2,626
  • 3
  • 21
  • 32
  • 1
    also make sure that whatever the camera is recording to (hard disk, video tape, etc) is in another room or secured in a separate cage/box/safe with a separate key so it can't be stolen or destroyed by anyone who realises that they've just been caught on camera breaking into the room. – cas Sep 02 '09 at 02:37
  • 2
    If using that kind of mechanical lock, make sure you change the combo regularly, otherwise wear and tear on the keys will tell people which numbers are in the combo. – Michael Kohne Sep 03 '09 at 19:08
  • good insight MK – cop1152 Sep 03 '09 at 19:43
0

I'd recommend the Handscan Biometric reader - for example: Handpunch 2000. You can ntework it, use modems or a serial link. Perfect for user verification tasks. There's a SDK available (and even an api for .Net/c# etc..). We use it for our employees clock in/out.

-js

J Sidhu
  • 440
  • 2
  • 4
  • I don't know if these are suited for security applications... they seem to be used exclusively for employee in/out punching – Brett G Sep 01 '09 at 18:30
  • We use a unit similar to this on our data center door. It works well and integrates with the badge system. – Zypher Sep 01 '09 at 19:44
  • It is meant to be a Identity Verification System. It is definately suited to verify your identity so it can open the door. Time/Attendance mode is simply a feature that makes use of this service. T&A is disabled by default but can be enabled. We use this a lot of I have actually developed a lot of our own code to interface with these systems (14 devices so far...) – J Sidhu Sep 01 '09 at 20:22
0

I recommend anti tail gating solutions.