This is the second in a ten-part series on information technology security from SBAM Approved Partner NuWave Technology Partners.
Read Part 1
With a quick Google search and a few free downloaded tools, anyone with physical access to a server can reset the administrator password and have full access within a few minutes. Securing the server in a locked room, however, is not the only physical security that a business owner needs to be concerned with.
Physical security is the first line of defense in protecting the data on your business network. Large datacenters run by companies such as Google, IBM, Apple and Amazon are often protected at the perimeter by high fences with razor wire and armed guards. If you get past those, you then have to deal with biometric security systems with retina scans, palm print readers, or voice or facial recognition to gain entry. While this may be excessive for your business, there are physical security measures that must be considered.
Many businesses are installing security cameras and door access control systems even if they only have a suite in a larger office building. The camera systems can record and save data to the cloud, so even if the cameras are stolen the recorded data is not lost. Door access control can be integrated into Active Directory so a single account controls staff access not only to the network and the appropriate folders and files, but also to which rooms they can enter. These systems also keep track of when staff enter and leave. They can be used with an electronic name badge to track and record where visitors are in the building and which doors they can open. For building owners or businesses with higher security needs, perimeter protection is very important. For example, external cameras with heaters can be used year-round, infrared cameras are used for night protection, and license plate recognition software can be used to tell whether cars in the parking lot belong to employees or visitors.
Now back to the server. Business owners are now being held liable for loss of data leading to employee identity theft, breach of private client data, exposure of intellectual property, etc. To mitigate the exposure, business owners must use due diligence to protect the data on their networks. Having a server on a shelf in a hallway, under a desk, in the kitchen, or even in the bathroom (yes, we have seen them there) is not due diligence. The server has to be stored in a locked room with appropriate environmental controls and monitoring. Servers should be kept in racks so both the front and back are accessible. If there are other items in the server room, such as file cabinets, that require non-technical staff to have access to the room, then the server rack needs to have sides and front and back doors and be kept locked. The room should have an air conditioning unit separate from the rest of the building, or at least separate controls. An environmental sensor is also required. A couple of years ago one client had located their servers and switches in a small utility closet. The building was sold to a new owner who decided to save money by turning the air conditioning off over the weekends. The staff returned Monday morning to find they could not log on to the network. Upon investigation we found the server had internal parts that had melted due to the high heat in the closet. With an environmental sensor, we would have been notified and could have shut down the server before it was damaged.
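The closet story above is really a description of what an environmental monitor has to do: alert when the room warms, and shut the server down cleanly when the heat is sustained rather than a single bad reading. The following is an added example of that logic, not NuWave's code or any product's; the temperature thresholds, the sustain window, the stale-sensor timeout and the alert/shutdown hooks are all assumed values, and the readings are constructed to replay the weekend the article describes. It also treats a sensor that stops reporting as an alert in its own right, since a sensor that loses power in a hot closet otherwise fails silently.

```python
"""Environmental monitor for a server closet (added example, not NuWave's code).

Assumes a sensor feed that delivers (timestamp_seconds, temperature_celsius)
readings. Thresholds and the notify/shutdown hooks are hypothetical choices.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Thresholds are assumptions; tune them to the equipment and the room.
WARN_C = 30.0        # alert staff above this
CRITICAL_C = 38.0    # start a graceful shutdown once sustained above this
SUSTAIN_S = 300      # critical must persist this long (one bad reading is not a fire)
CLEAR_C = 27.0       # hysteresis: the alert clears only once the room cools below this
STALE_S = 900        # a silent sensor is itself an alert (power or network loss in the closet)


@dataclass
class Monitor:
    notify: Callable[[str], None] = print     # replace with e-mail/SMS/pager hook
    shutdown: Callable[[], None] = lambda: None  # replace with the server's shutdown command
    alerting: bool = False
    critical_since: Optional[float] = None
    last_ts: Optional[float] = None
    shut_down: bool = False
    events: List[str] = field(default_factory=list)

    def _event(self, msg: str) -> None:
        self.events.append(msg)
        self.notify(msg)

    def observe(self, ts: float, temp_c: float) -> None:
        """Feed one (timestamp in seconds, temperature in Celsius) reading."""
        if self.last_ts is not None and ts - self.last_ts > STALE_S:
            self._event(f"STALE t={ts:.0f}: no reading for {ts - self.last_ts:.0f}s")
        self.last_ts = ts
        if self.shut_down:
            return  # hardware is already off; nothing more to do
        # Warning tier with hysteresis so a temperature hovering at the
        # threshold does not produce an alert on every reading.
        if temp_c >= WARN_C and not self.alerting:
            self.alerting = True
            self._event(f"WARN t={ts:.0f}: {temp_c:.1f}C exceeds {WARN_C:.0f}C")
        elif temp_c < CLEAR_C and self.alerting:
            self.alerting = False
            self._event(f"CLEAR t={ts:.0f}: {temp_c:.1f}C")
        # Critical tier: act only when the excursion has been sustained.
        if temp_c >= CRITICAL_C:
            if self.critical_since is None:
                self.critical_since = ts
            elif ts - self.critical_since >= SUSTAIN_S:
                self._event(f"CRITICAL t={ts:.0f}: {temp_c:.1f}C for {SUSTAIN_S}s, shutting down")
                self.shutdown()
                self.shut_down = True
        else:
            self.critical_since = None


def run(readings: List[Tuple[float, float]], **hooks) -> Monitor:
    """Replay a reading series through a fresh Monitor and return it."""
    m = Monitor(**hooks)
    for ts, temp_c in readings:
        m.observe(ts, temp_c)
    return m


# Constructed readings: the closet warms steadily over a weekend with the
# building's air conditioning switched off (10-minute sample interval).
WEEKEND_READINGS = [(0, 22.0), (600, 24.0), (1200, 27.5), (1800, 30.5),
                    (2400, 34.0), (3000, 38.5), (3300, 39.0), (3600, 40.0), (4200, 41.0)]

if __name__ == "__main__":
    run(WEEKEND_READINGS, shutdown=lambda: print("-> graceful shutdown issued"))
```

Replayed against the constructed weekend, the monitor raises one WARN when the closet passes 30C and one CRITICAL with a shutdown once it has sat above 38C for five minutes; a brief spike that cools again only produces a WARN and a CLEAR, and a sensor that goes quiet for longer than the stale window is reported even while the temperature looks fine.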
Another area to consider if you have a larger office is any additional wiring closets and the demarcation area where telephone and Internet come into the building. These rooms need to be kept clean and locked.
While physical security alone cannot completely protect your network, it is the first line of defense. Proper planning and implementation are a good place to start. Next time we will explain the purpose of firewalls and why you need more than one.