
Physical Security is almost always overlooked. A company server on the premises, for example, may have a ton of security measures implemented, but no physical security measures. In the past I worked for a company where the server was in the hallway to the... toilets! It would be very easy for me to start doing malicious things to the server, like installing software to allow me to gain complete control of the server, as the hallway was not monitored (the camera was always offline). That would be hilarious if I had malicious intent! I could do anything and no one would ever be able to prove it was me.
Previous parts:
1. Introduction
2. General Principles and Guidelines
Common Sense
Physical security requires some "common sense" (and it's not that common). Keep your server out of reach! Here are various ways to do this:
- Keep your server away from frequently-visited areas.
- Secure your server room! You can use anything from a simple lock to biometric security systems. A keycard access system would be price-efficient and would allow you to have a log of who got in, when and for how long.
- Monitor the server room with a camera that is able to stream online.
- Only allow trained staff to enter the room. Someone who doesn't know what they're doing may not necessarily have malicious intent, but they may (for example) power off a system or disconnect a network cable due to negligence.
- If you have multiple server rooms, restrict access to each room to personnel that have reasons to be there.
- If you need to allow visitors in your server room, make sure they are escorted by personnel to monitor their activities. They may not be malicious (as with people who don't know what they're doing), but having someone from your company with them may prevent a mistake that will cost you money.
- If you have an external technician over because of a problem with the server, make sure they are escorted directly to the server with the problem. They do not have to wander around, and they shouldn't!
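The keycard log, per-room restriction and visitor-escort points above can be checked together against a badge export. The following is an added example, not part of the original post; the CSV layout, the room and badge names and the `AUTHORIZED` policy are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample export: timestamp, room, badge holder, direction.
SAMPLE_LOG = """\
2024-03-04T09:00:00,server-room-a,alice,IN
2024-03-04T09:05:00,server-room-a,visitor-17,IN
2024-03-04T09:40:00,server-room-a,alice,OUT
2024-03-04T09:55:00,server-room-a,visitor-17,OUT
2024-03-04T11:00:00,server-room-b,alice,IN
2024-03-04T11:10:00,server-room-b,alice,OUT
2024-03-04T23:30:00,server-room-a,bob,IN
"""

# Hypothetical policy: who has a reason to be in each room.
AUTHORIZED = {"server-room-a": {"alice", "bob"}, "server-room-b": {"bob"}}

def parse_visits(log_text):
    """Pair IN/OUT events into visits: (room, who, start, end or None)."""
    open_visits, visits = {}, []
    for line in log_text.strip().splitlines():
        ts, room, who, direction = line.split(",")
        when = datetime.fromisoformat(ts)
        if direction == "IN":
            open_visits[(room, who)] = when
        elif (room, who) in open_visits:
            visits.append((room, who, open_visits.pop((room, who)), when))
    # Anyone left here badged in but never badged out.
    visits += [(r, w, start, None) for (r, w), start in open_visits.items()]
    return visits

def audit(visits):
    """Return (finding, room, who) tuples for each policy violation."""
    findings = []
    for room, who, start, end in visits:
        if end is None:
            findings.append(("no-exit", room, who))
        if who.startswith("visitor-"):
            # Escorted only if one authorized person's visit covers the whole stay.
            escorted = any(
                r == room and w in AUTHORIZED.get(room, set())
                and s <= start and e is not None and end is not None and e >= end
                for r, w, s, e in visits)
            if not escorted:
                findings.append(("unescorted-visitor", room, who))
        elif who not in AUTHORIZED.get(room, set()):
            findings.append(("not-authorized", room, who))
    return findings
```

On the sample data this reports the visitor who stayed 15 minutes after the escort left, the staff member who entered a room they have no reason to be in, and the late-night entry with no matching exit.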
No physical access?
You may have opted to colocate your office server with a datacenter because it costs less to run (a server needs electricity, air-conditioning, etc). A datacenter may become a target for the data of the server next to yours. Or even worse, your server may be the target. You must have failsafes in place to protect your data.
If you are thinking of colocating in a datacenter, make sure it has at least some of these access control methods:
- Security Guards and Checkpoints
- DC performs background checks before hiring personnel
- Alarm systems for break ins
- Access-granting & access-revoking policies
- Multifactor auth (for example, you will have to be accompanied by an employee to gain physical access to your server, and they will enter a password to open the door)
- Badges with Photos
- Video monitoring of all areas
You can, of course, use these for your own server room!
But hey... I'm hosting my data in the cloud?
You have to understand that "cloud" is just a fancy name for "virtual server", or "hosting account". A "cloud server" is usually a virtualised instance of a server. You are sharing the same server with other people but (usually) you are shielded from each other due to virtualisation security. That doesn't mean that physical security is not important! Servers can be targeted, so your "cloud" will get targeted too.
Also, keep in mind that your data may be kept in data rooms or arrays of disks that may be accessible by anyone using a couple of techniques. Encryption may/may not help in this case.
Your provider may have access to your virtual disks. Look up your contracts on this. You may be legally bound to allow them access so they can confirm that you do not host illegal data on their hardware.
More detailed info on this will come in a later part!
Thank you for reading this part of my Security 101 Series. The next part is now available here
Craving for more? Until the next part is available, have a look at my Server 101 series:
- Intro and getting into your server - Single Article
- Basic Server Security - 3 Parts
- Setting up a Web Server - 4 Parts
- Managing Your Server - 4 Parts
- caddy - Lightweight Web Server - 1 Part
- Emailify your server! - 6 Parts
- Setting up a Password-Protected proxy server with Squid - 1 Part
- OpenVPN in less than 2 minutes
- Piwik - Your personal Google Analytics alternative
- Email notifications for SSH Logins
- Keeping your server up to date
Great post. Always appreciate security content. Keep at it with the great posts dude, you know what you're talking about.
If you don't need to use the USB ports you can fit stoppers to the ports.
Log the hell out of everything. Encrypt it, send it offsite.
Cameras are good ideas if they are installed in the rack. You can tie them up to open up locks for engineers.
Using a Bastion host to facilitate connections to your server in a controlled secure way. The best places I've seen tend to do this.
Location? If you have a single server in a single location, if this place gets compromised it's over for you. 2 is 1. 1 is none.
I don't trust any data in the cloud whatsoever. If the third party provider gets compromised it's over. You can layer the encryption so you hold the keys with stuff like cryptomator.
follow me @shifty0g
The cloud can be trusted, if you encrypt your data before sending them, and/or you maintain your own server for cloud sync (I'm not only talking about Dropbox as "cloud", but for partially-DIY solutions, like ownCloud or fully blown DIY solutions with manual sync with rsync or any other secure tool)
For those wondering what a Bastion host is, here is a great read by PCMag
❤️