Physical Security for the Build, Source, and Release Lab


Figure 9.2. NT Build Lab door.


Physical security should be the first line of defense in trying to protect your sources. Too many groups and companies take this for granted until they get burned by their lack of security.

Microsoft Sidenote: The Hidden Camera in the NT Lab

In the NT 3.5 timeframe, hardware mysteriously started to disappear from our build lab, and we couldn't figure out who was taking it. We reported this to Microsoft security, who then decided it was time to install a hidden camera in the lab. Security didn't bother telling anyone that it was planning to do this, not even our build manager. One day we looked up at an air vent and saw a tiny red light and wondered what it was. Sure enough, it was a hidden camera (not very well hidden, of course). We pointed it out to our boss, the build manager, and he was livid. He opened one of the ceiling tiles and proceeded to rip out the camera. The security team claimed that it could not tell anyone what it was doing because it could have been any of us stealing the hardware. It turns out that it was a help desk repair contractor (non-Microsoft employee) who was ripping off our lab. Thus, the era of video cameras in our build lab began. If there were going to be cameras in the lab, we were going to be the ones that installed and monitored them. We will let corporate security monitor the outside perimeters of the building or who is accessing the lab, but we have enough trust in our colleagues to monitor our own lab.


In Chapter 4, "The Build Lab and Personnel," I outlined how to set up a build lab. Now, I'd like to expand that setup to source and release labs (if they're at different locations) and add the following elements:

  • Video cameras that are visible and hidden. Having cameras where people can see them is good because it deters possible thieves. It's also good to hide some cameras. As the previous sidenote implies, you don't know who you can really trust.

  • Limited card key access to the lab and machines, with the lab locked 24x7. Only build personnel need access to the lab all hours of the day and night. If you feel the need for other people to have access, limit it to regular hours such as 8 AM to 5 PM.

  • Central location for all machines. It's a good idea to keep all the build machines together, not spread around sites or labs.

  • Biometrics. This is a new technology that is proving to be safe and convenient, especially biometric fingerprint keyboards.

  • Not allowing laptops to check in or check out sources. At the very least, laptops should go through some kind of security scan before being allowed to log in to the network.
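
An added example (not from the book): a check of a card-key log export against the access rule in the list above, flagging activity by non-build badges outside 8 AM to 5 PM. The CSV columns, role names, and sample rows are constructed assumptions, not the format of any particular badge system.

```python
import csv
import io
from datetime import datetime, time

# Policy from the list above: build personnel may enter at any hour;
# everyone else only during regular hours (8 AM to 5 PM).
# Assumption: the window is 08:00 inclusive to 17:00 exclusive.
REGULAR_START, REGULAR_END = time(8, 0), time(17, 0)

# Constructed sample export; column names and values are assumptions.
SAMPLE_LOG = """timestamp,badge_id,role,door,result
2006-03-06T07:42:10,B1001,build,LAB-1,granted
2006-03-06T09:15:00,B2040,dev,LAB-1,granted
2006-03-06T16:59:59,B2040,dev,LAB-1,granted
2006-03-06T22:31:45,B3077,contractor,LAB-1,granted
2006-03-07T02:05:12,B3077,contractor,LAB-1,denied
2006-03-07T02:06:01,B3077,contractor,LAB-1,denied
2006-03-07T12:00:00,B9999,,LAB-1,granted
"""

def audit_badge_log(text, build_roles=frozenset({"build"})):
    """Return (timestamp, badge_id, reason) tuples for policy violations."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.fromisoformat(row["timestamp"])
        role = (row["role"] or "").strip().lower()
        if not role:
            # A badge with no role on record cannot be checked against policy.
            findings.append((when, row["badge_id"], "unknown role"))
            continue
        if role in build_roles:
            continue  # build personnel have access at all hours
        if REGULAR_START <= when.time() < REGULAR_END:
            continue  # non-build badge inside regular hours
        if row["result"] == "granted":
            reason = "after-hours entry granted to non-build badge"
        else:
            reason = "after-hours attempt by non-build badge"
        findings.append((when, row["badge_id"], reason))
    return findings

if __name__ == "__main__":
    for when, badge, reason in audit_badge_log(SAMPLE_LOG):
        print(f"{when.isoformat()} {badge}: {reason}")
```

A granted after-hours entry points to a misconfigured access schedule, while repeated denied attempts show the schedule is enforced but someone is testing the door.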

Physical security is more of a deterrent than a means of actually catching criminals, but it is important because it sends a message that your company values the work your development team does and is conscious about keeping it secure. It provides the illusion of being secure, just like the wand searches at every U.S. airport.



The Build Master: Microsoft's Software Configuration Management Best Practices
ISBN: 0321332059
Year: 2006
Pages: 186