Hardware Today: Anchoring Your Servers

by Drew Robb

While news of viruses and phishing scams takes center stage, an equally serious, yet more pedestrian, type of attack seldom receives much notice.

Whenever a virus is unleashed or a phishing scam claims its latest victims, the media gets to work scaring the world about the dangers of cyber security. Rarely, however, is another serious, and more old-fashioned, form of attack discussed: hardware theft — someone picking up a server and taking it away undetected.

"Sometimes we spend so much time worrying about cyber attacks that we forget about the basic problem of physical threats," said Pete Lindstrom, research director at the Malvern, Pennsylvania-based research firm Spire Security. "Information security professionals are distracted by worms and viruses, physical security guards monitor the entrances and exits to buildings, and facilities personnel are spread thin trying to keep the entire site up and running."

Will Schmit, proprietor of Anchor Desktop Security in Albuquerque, N.M., agrees with Lindstrom. Schmit has been a locksmith for more than 20 years and now customizes computer security hardware for healthcare and utility clients. He's been fighting an uphill battle to convince IS organizations to take better care of the physical side of security.

"It has been a difficult task illuminating the public of the dangers of data loss as computers have been getting cheaper every year," says Schmit. "It usually takes a data theft for people to reach for answers."

For example, U.K.-based online bookseller WH Smith's Web site crashed when a thief strolled away with a server. And a stolen server at a regional office of the Canadian Customs and Revenue Agency compromised the personal data of 120,000 individuals.

So what steps can be taken to deter theft or prevent it altogether? Let's examine some simple actions and technologies that can make your server room more secure.

Entrapment Hardware

Not surprisingly, various levels of physical protection can be attached to servers. Cables and base plates are better than nothing and probably good enough for laptops and PCs. But when it comes to mission-critical servers, server entrapment hardware is the way to go.

"With today's servers costing in the neighborhood of $799 to $10,000 (or more) each, server entrapment prevents theft of the unit, the internal components, and the data," says Dedrick Martin, Western Region Sales Manager for AnchorPad Security, an Anaheim, Calif.-based company specializing in physical computer security products. "No plate system or security cable can provide that level of security."

AnchorPad units typically consist of a steel case glued or bolted to the floor, pick-resistant locks, and steel straps to prevent the removal of individual components. The basic choice is the Universal Tower Entrapment ($155) or the higher-end XL Covert model ($250). The latter option fits most servers and gives users more mounting and locking options. For quantities of 50 or more, AnchorPad can manufacture custom-measured units.

For those with very specific needs, customization is available at a price. Anchor Desktop Security (not to be confused with AnchorPad Security) sells units from $900 to $2,000. Instead of trying to make the servers fit into the security box, Schmit designs each box to meet organizational needs. He takes into account requirements such as extra ventilation, secure storage for server keyboards, tamper sensors, cellular phone links, fire protection, and liquid cooling equipment. Further, if, for example, the server must be mounted on a wall seven feet off the ground or the enclosure has to be a specific color, it is built that way.

Such equipment is not for everyone, though. Small businesses, or servers holding less than mission-critical data, are probably the best candidates for the $200 answers from the likes of AnchorPad. Schmit reports that the largest users of what he calls "real deal" entrapments are in the power, telecommunications, and data network industries. They are buying the products to protect their gear in remote locations or keep confidential information safe.

"Servers with the whole cookie jar have to be taken seriously," says Schmit. "The guy with the most to lose has the most to save."

Outside the Box

The idea of "thinking outside the box" has been hyped in the past decade to the point of becoming a cliche. Yet it is certainly smart to think of physical security beyond the server box itself. This means rigidly adhering to such common-sense tips as keeping servers behind a locked door, logging who enters the data center, locking consoles so those who do gain physical access must log in, creating a policy to lock the console when the machine is idle for a few minutes, storing backups under lock and key (and in a fire-safe location), and not writing down passwords anywhere near the machine.

Another vital area, but one that has yet to catch on, is monitoring the data center with a camera. Sanford, Maine-based Ravica sells the cameraProbe8 (CP8), a Web-based camera option that enables security personnel to view who enters the room. It also provides e-mail and SMS notification for the triggering of intelligent security sensors and can be linked to other Ravica units that monitor environmental conditions (such as heat and humidity) inside a server room.

"If someone trips a door, security sensor or a motion detector sensor, CP8 captures this and e-mails snapshots of whatever is on screen at that exact moment," said John Mills, monitoring director at Ravica. "It's nice to be notified when someone is entering a secure location, but it's best to know exactly who is entering."

Cameras must be used wisely, however. That means monitoring all access points: Don't position a camera on the front door when anyone can sneak in the back way undetected. And don't be foolish enough to only install the cameras. They are just one element of a sound physical security system.

"A good mixture of physical security, access protection and remote monitoring is the key to making sure only the right people enter your data room," says Mills.

Keeping Employees Honest

Although keeping interlopers from entering the facility may appear to be the driver for this physical security, in-depth security surveys from the FBI have found internal theft to be a far bigger threat to any server room. Most hard drive thefts, it turns out, are inside jobs. So simply keeping the front entrance well-guarded is not enough.

Similarly, don't set things up so the hardware is well protected, but the data is easily accessed. The cost of lost data usually dwarfs the price of the hard drive, server, or device that walks.

Ultimately, "server entrapments protect computers, but their real job is protecting the data by preventing your employees (usually) from walking out the door with it," says Schmit. "Server entrapments keep your entrusted employees honest."

This article was originally published on Monday Apr 25th 2005