There have been several information security incidents in which thieves gained unauthorized access to sensitive information by defeating physical access control mechanisms. Therefore, restricting physical access is just as critical as restricting logical access. In a data center environment, physical access control mechanisms consist of the following:
Exterior doors and walls
Access control procedures
Physical authentication mechanisms
Other mechanisms and procedures used to secure sensitive areas
A data center's first and most formidable line of defense should be the walls and doors used in its construction. As auditors, we will look closely at how well doors and walls protect against intrusion and other hazards such as projectiles or blasts.
Data center exterior walls should be reinforced with steel and concrete to protect the facility. If the data center resides within a building, the walls may be constructed of sheet-rock but should be reinforced with steel to prevent intrusion. Exterior doors also should be reinforced and should be able to withstand intrusion attempts. The auditor should obtain this information through interviews and observation. When auditing a data center, the auditor should verify that data center walls and doors are reinforced, identify all potential entry points, and validate that entry points are protected properly.
Raised Floors and Drop Ceilings Most data centers use either raised floors or drop ceilings to conceal ventilation ducts and power and network cables. Interior building walls sometimes are constructed with spaces below raised floor or spaces above drop ceilings left unwalled. Someone trying to gain unauthorized access to the secured area could remove either a tile or a section of the drop ceiling to crawl over or under the wall. During the building tour, the auditor should remove a section of raised floor and a ceiling tile at a data center wall to verify that walls extend from floor to ceiling.
Man Traps Man traps are an effective means of controlling access to critical facilities. They are used often in data center facilities to prevent unauthorized access. In auditing physical security, auditors should verify through observation that man traps exist where appropriate and that they are working properly. Man traps are equipped with two locking doors with a corridor in between. To ensure security, one door should be locked before the other is allowed to open. Obviously, the man trap should be constructed of reinforced walls and doors as well.
Physical authentication devices such as card-key readers, biometric devices, and traditional key locks serve to allow access to authorized personnel and keep out unauthorized personnel. The failure or misuse of these devices can allow unauthorized persons access to the data center or prevent authorized personnel for entering at a time when intervention is required.
Data centers employ a few different types of authentication mechanisms, including card keys, proximity badges, biometric devices, and key locks in some areas. These devices also should incorporate PIN-code devices to provide two-factor authentication. When auditing the data center, the auditor should obtain a sample of data center authentication device logs and verify that the device is logging the following information:
Time and place of the access attempt
Success or failure of the access attempt
Card-Key and Proximity Devices Card-key devices use magnetic stripes or radio frequency identification (RFID) chips to authenticate users who possess the card. Because a stolen card can be used for unauthorized authentication, a PIN-code device normally is coupled with the card-key reader. The auditor should verify that all card-key readers are working properly and are logging access attempts.
Biometric Devices Biometric authentication devices have become more accurate and cost-effective over the past few years. As a result, more and more data centers are now employing the technology. Biometric devices are able to measure fingerprint, retina, and hand geometry. Since these biometric characteristics are unique to each individual, biometric authentication devices are difficult to defeat. The auditor should review the quality of the biometric system being used to determine if there are an inordinate number of false negatives or any observed false positives.
Security guards can be one of the most effective physical access controls. They act as a deterrent and also have the ability to control facility access and respond to incidents. If the security personnel function is ineffective, emergency response most likely would be slow and ineffective, doors could be left unlocked, and unauthorized personnel could have the opportunity to enter the data center facility.
When auditing a data center, the auditor should verify that documentation of building rounds, access logs, and incident logs/reports exist and that this information is recorded properly by obtaining samples from the security staff. Look for consistent entry and exit times, regular building tours, and comprehensive incident logs/reports. Visit the main security post to obtain this documentation.
Data centers typically have some areas that are more sensitive than others, such as equipment staging areas, generators, and computer systems that are processing sensitive information. If these areas are not secured adequately, information could be altered or disclosed to unauthorized personnel or destroyed due to a system failure caused by either sabotage or an accident.
Access to sensitive areas should be restricted further than access to the main facility. Computer systems that process sensitive information may be locked within a cage or locking cabinet, with only a select number of personnel given access. During interviews and tours of the data center, the auditor should verify that these areas are protected appropriately with proper access control mechanisms and, if appropriate, are monitored by CCTV cameras and/or alarm systems.