Setting Physical Security Policies for your MSP
Security is still a big concern for customers – and potential customers – of managed services. MSPs know it’s a question that’s going to come up, and one you’d better be prepared to answer. However, sometimes we get so focused on securing the software that we forget what every network administrator knows: to start at Layer 1, the physical layer. I discussed some high level security concepts for MSPs in a previous article, Security: A “Make It or Break It” Issue for MSPs. This time, we’ll drill down a little deeper into the subject of physically securing your assets.
You deliver managed services through your network. Physical security is aimed at protecting the components of your network from attackers, thieves, vandals, accidental damage and perhaps even incidentally from natural disasters. Physical security is about creating barriers to access that will prevent or at least delay an attacker from doing damage, stealing the actual devices, or accessing the devices on premises to steal or destroy information stored on them.
A physical breach is in some ways the easiest and in other ways the most difficult for an attacker to pull off. It’s easy because in general, it requires less in-depth technical knowledge and skill than a remote attack. It’s also easy because so many organizations are lax in implementing physical controls; there is an assumption that if someone is inside, on premises, he/she belongs there and poses no threat. It can be difficult because the attacker must expose him/herself to a much greater extent and runs the risk of being apprehended, in person, with no ambiguity about “who done it” and no ability to claim someone else did it in his name, as with a remote attack.
Layers of physical defense
An effective physical security policy will define layers of defense encircling the valuables that you’re protecting (in this case, the data on your servers). That can be represented by concentric circles, as shown in figure 1.
So you see that we have, working from the outside in:
- Perimeter controls surrounding the premises; this can include fences, exterior motion detectors, cameras, guard dogs, human guards and so forth.
- Building access controls to prevent unauthorized personnel from entering the building, to include locks (manually keyed or electronic, possibly incorporating biometric scanners), cameras, motion detectors, door/window sensors, security alarm systems, security personnel, logging of visitors, and so forth.
- Server room access controls, again including locks, cameras, logs, and such.
- Mechanisms to prevent someone who gets into the server room from damaging, destroying or stealing the servers themselves.
- Physical barriers to prevent someone from removing hard drives, using removable media to load viruses or malware, or using removable media to copy data from the server.
This is a broad overview of the protective layers. You also want to pay attention to the data cables that run throughout the building and the network devices (routers, switches, wireless access points and relays that may be located in places other than the secure server room), to prevent someone from tapping in and intercepting data at those points.
Parallel defense strategy
Remember that the physical defense plan works parallel to the technological defenses in place at various levels, such as bootup and logon access controls, share level and file level security, encryption of data at rest and encryption of data in transit, wi-fi encryption, and so forth.
The human factor
The “wildcard” that permeates all the layers is the human factor. You physically control who has access at various levels through the use of “something you know” (PINs and passwords, lock combinations), “something you have” (a metal key, an electronic keycard or smart card, a USB token or smart phone token) or “something you are” (a biometric characteristic such as fingerprints or retinal patterns or a behavioral or physiological characteristic such as voice print or facial recognition).
However, the first step is to determine who should be allowed physical access in the first place. That presupposes a detailed background investigation and assignment of access on a strict “need” basis. For best security, follow the premise of “deny by default” and then allow only those who must have access at the lowest level at which they can get their jobs done.
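The policy described in this section (nested layers, a factor requirement per layer, deny by default, and a grant limited to the innermost zone a job actually needs) can be written down and checked mechanically. The following is an added example, not code from the original article or from any access-control product. The zone names, the factor requirements per zone and the people in it are all constructed assumptions for illustration; a real deployment would load these from the badge system’s configuration.

```python
"""Deny-by-default physical access policy over nested security zones.

Added example, not from the article or any vendor product. It assumes a
constructed model: four zones nested from outer to inner, each demanding a set
of authentication factor kinds ("know", "have", "are"), and people granted only
the innermost zone their job needs. Reaching an inner zone requires satisfying
every outer zone on the way in, and every decision is written to an audit log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Set

# Outer to inner; list index is the zone's depth. Constructed for this example.
ZONES = ["perimeter", "building", "server_room", "rack"]

# Factor kinds each layer demands on its own. Constructed example requirements:
# "have" = badge/key/token, "know" = PIN/combination, "are" = biometric.
ZONE_FACTORS = {
    "perimeter": {"have"},
    "building": {"have", "know"},
    "server_room": {"have", "know", "are"},
    "rack": {"have", "know", "are"},
}


@dataclass
class Person:
    name: str
    max_zone: Optional[str] = None                  # innermost zone granted; None = no grant
    factors: Set[str] = field(default_factory=set)  # factor kinds presented at the door


@dataclass
class Decision:
    person: str
    zone: str
    allowed: bool
    reason: str
    at: str


AUDIT_LOG: List[Decision] = []   # the "logging of visitors" layer, for every decision


def depth(zone: str) -> int:
    """Depth of a zone; -1 for a zone the policy does not know."""
    return ZONES.index(zone) if zone in ZONES else -1


def required_factors(zone: str) -> Set[str]:
    """Union of the factors for the zone and for every outer zone it sits inside."""
    return set().union(*(ZONE_FACTORS[z] for z in ZONES[: depth(zone) + 1]))


def minimal_grant(needed: Iterable[str]) -> Optional[str]:
    """Least-privilege grant: the innermost zone among those a job actually needs.
    Returns None (no grant) when nothing is needed or any zone is unknown."""
    needed = list(needed)
    if not needed or any(depth(z) < 0 for z in needed):
        return None
    return max(needed, key=depth)


def evaluate(person: Person, zone: str) -> Decision:
    """Decide one request; anything not explicitly permitted is denied."""
    if depth(zone) < 0:
        allowed, reason = False, f"unknown zone {zone!r}"
    elif person.max_zone is None:
        allowed, reason = False, "no access granted (deny by default)"
    elif depth(zone) > depth(person.max_zone):
        allowed, reason = False, f"grant stops at {person.max_zone!r}"
    else:
        missing = required_factors(zone) - person.factors
        if missing:
            allowed, reason = False, "missing factor(s): " + ", ".join(sorted(missing))
        else:
            allowed, reason = True, "all layers satisfied"
    d = Decision(person.name, zone, allowed, reason,
                 datetime.now(timezone.utc).isoformat())
    AUDIT_LOG.append(d)
    return d


if __name__ == "__main__":
    # A helpdesk tech whose job needs the building but never the server room.
    tech = Person("helpdesk", max_zone=minimal_grant({"perimeter", "building"}),
                  factors={"have", "know"})
    for who, zone in [(tech, "building"), (tech, "server_room"),
                      (Person("visitor"), "building")]:
        d = evaluate(who, zone)
        print(f"{d.person:9} -> {d.zone:12} {'ALLOW' if d.allowed else 'DENY '} {d.reason}")
```

Two design points are worth noting. `required_factors` takes the union over every outer layer, so an inner zone can never be reached with weaker credentials than the layers around it demand, even if someone later misconfigures a single zone. And `minimal_grant` turns a list of what a role needs into the single innermost zone, so the grant is derived from the job rather than chosen by hand; a person with no listed needs gets `None`, which `evaluate` treats as a denial.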