Server room door security

security server-room physical-security

Solution 1:

Are those nice biometric and what have you devices of yours attached to UPS power? Is the entire chain, from reader, electric lock, any switches / distribution layer, to the authentication server and its database on emergency power?

I'm just asking because a few years ago we had the largest regional power loss in 25 years around here. I know of one major installation where they to their horror discovered that they couldn't enter their server room while the electricity was out. Their emergency procedures required them to power down non-essential servers, because their UPS power couldn't run the air conditioning at full output, so the server park heat output exceeded the A/C cooling when on emergency power. So they stood outside their server room, and wondered how hot it was getting in there...

I would suggest to keep it simple, with a good certified steel door, a steel door-frame that is well fastened to solid walls, and 2 good mechanical locks on the door (say 1 Medeco and 1 Kaba).

You can of course replace one of the mechanical locks with a swipe card, to gain a entry log during normal operation. Just be sure that the electric lock automatically disengages if power is out. Strictly speaking, this makes you more vulnerable against a James Bond style burglary, where the attackers cut power to the building before going in. This is a small risk, but one I'd much rather take than risk being locked out of my server room during an emergency.

Solution 2:

Proximity cards are your best bet. The logging is there in a clean, concise format. Our data centers are secured by the same badge system that our external doors are secured with which allow for group access configurations.

Security cameras are another option, but the maintenance is problematic and it takes a little longer to sift through the video to find what you're looking for.

EDIT:
Bioscanners are another option, as Zypher pointed out, but then you start getting into privacy issues. In many countries this quickly gets legal involved.

Solution 3:

Don't try to secure things too much, put the usual swipe or promixity card on and audit access. Lots of swipe locks can be further secured with a pin for trusted employees.

I know of a site where the server room is secured by the outsourced company, and access has to be requested in advance and a key provided to gain entry. As a result a minimum of 2 employees are required to be in the room at any given time - if 1 person went in, fell or had a server fall on him or otherwise was unable to get to the door to open it, they'd have to raise an emergency request to get a new key sent over, which would take far too long (personally, I'd smash the door open in such a case). Don't try to restrict access too much.

Related

How can I audit a file to see who deleted it?
Can't connect to my FTP server, why?
What is the disadvantage to cascading multiple switches?
Windows VPN client connect on different port
What is the 'cacert.pem' and for what to use that?
How do I increase the maximum number of concurrent remote connections in Windows Server 2003?
Nginx/PHP-FPM long log lines get truncated
mod_security - PCRE limits exceeded
Can strace show me the filename/path for read/write syscalls
SNI and wildcard SSL certificates on the same server with IIS
rsync - exclude all directories except a few
How to synchronize time on ESXi Windows virtual machines within one second?