3.3 Holistic Security: Best Practices

Although you have to think about security vulnerabilities individually, you should plan your security solutions as a system of complementary techniques and technologies. Each level of the security solution should take into account preceding layers, but never assume that those preceding layers will stop an intruder. The following tips are best practices that most companies can use to significantly enhance their physical security:

  • Your network's physical cabling is almost impossible to completely secure. Do the best you can by locking up wiring closets, hubs, switches, and so on, and assume that intruders will find a way to access transmitted data anyway.

  • Use technology-based solutions like IPSec to protect network transmissions against eavesdroppers.

  • Buy a laptop chain lock whenever a new laptop is purchased, and instruct the new laptop owner on its proper use. These simple $20 devices deter many thieves. You should also implement policy that requires their use at all times and specifically states that anyone whose laptop is stolen without the cable connected will repay the company for the laptop and the cost of the security administration (i.e., revoking certificates on the laptop).

  • Keep unauthorized computers off your network completely by not issuing IP addresses to unknown MAC addresses. You can also use nonstandard network plugs and jacks, which make it more difficult for outsiders to physically connect to your network (although expensive, this is a popular technique in high-security government facilities and some technology companies).

  • Secure your data center with electronic locks and, if possible, recording cameras. Require anyone exiting the data center to use his card key and you'll have a complete electronic in-and-out log.

  • Lock servers in cabinets with secure cabinet rear doors and sidewalls. Keep the cabinet keys in a secure location, and require administrators to check keys out using a card key or some other system.

  • Use high-quality locks. You would be surprised how often security consultants find a data center protected by a $15 deadbolt installed in a hollow core door purchased from a building supply store. If you're going to protect the data center, protect it with effective hardware from a qualified locksmith. Many high-end locks have keys that can be duplicated only at the factory or by a factory-authorized locksmith. If you're using a card key system, consider using a multiperimeter approach, with one perimeter secured by lock and the other secured by card key.

  • Physically examine your data center for security vulnerabilities. Does the data center share a common wall with an unsecured portion of your building? If so, the only tool an intruder will need is a screwdriver to get through some drywall. Extra wall studs or rebar in the walls is inexpensive and can shore up those security holes easily. If you've got an elevated data center on a hollow floor, remember to check down there too.

  • Use Remote Desktop to manage servers remotely, reducing the number of administrators who need authority to physically enter the data center.

  • Implement policies that help further protect your physical assets. For example, screensavers that kick in after a few minutes and require a password to disable can help defend a server whose cabinet was left unlocked.

  • Use multiple layers of security. For example, use NTFS to secure files, but don't assume that only authorized users will get to them. Secure your physical network jacks, and also issue IP addresses only to authorized MAC addresses, assuming that the security on the jacks will be bypassed. For every security measure you implement, imagine that it will be broken or circumvented, and take additional steps to protect your resources. This technique is called layered security, because it relies on multiple layers of security techniques to protect assets.

When You're Strapped for Cash

Physical security can, by its very nature, be very expensive. Card-keyed doors, cameras, and lockable server racks are pricey items, and smaller organizations might not be able to afford every precaution. When your budget doesn't include much money for physical security, try and maximize your investment to get the most security you can for your money. Here are some tips:

  • Get some kind of locks for your data center. Even if all you can afford is an off-the-shelf combination lock on the door, get it. Keeping unauthorized users away from your servers is critical.

  • Most data center budgets include server racks, simply because racks provide a space-efficient means of storing servers. Most server racks include lockable doors, or at least the option to add door locks for very little additional money. Get those locks and use them. While an attacker can break a lock, it's one more hurdle between her and a successful attack. Plus, a broken lock leaves evidence for later forensic investigation and possible prosecution.

  • Implement security policies that require users to use password-protected screensavers and other basic security measures. These measures don't cost extra, and they can significantly enhance security. Use group policies to centrally configure security on your client computers.

  • Provide all laptop users with locking cables. Establish a security policy that users must always have their laptops locked to something when not in use, and instruct them on what items are better to attach their laptops to. These locking cables are cheap, simple, and very effective.

You can implement good physical security with very little extra cash, and the extra peace of mind and corporate security are well worth it. You may also be able to increase your budget for physical security measures by helping your company's management understand the risks that a physically insecure environment presents. For example, a bank spends tens of thousands of dollars protecting the bank's cash vaults, but a single compromised server could result in the bank's customer accounts being compromised, making the cash itself useless. Helping the bank's management understand that the data center's physical security is just as important as the cash vault's will help them create a more reasonable budget for physical security.