I wanted to know if anybody had any recommendations as to how to keep the server room secure from employees. There is a lock on the door, however, anybody with a building master (maintenance, owners, custodians, etc) can open it. It would be nice if it required the key and also had a proximity card lock so that we could log entry and restrict it further. Has anyone done this before? What are some other ways to make sure it is secure?
SnapOverflow
Are those nice biometric and what have you devices of yours attached to UPS power? Is the entire chain, from reader, electric lock, any switches / distribution layer, to the authentication server and its database on emergency power?
I'm just asking because a few years ago we had the largest regional power loss in 25 years around here. I know of one major installation where they to their horror discovered that they couldn't enter their server room while the electricity was out. Their emergency procedures required them to power down non-essential servers, because their UPS power couldn't run the air conditioning at full output, so the server park heat output exceeded the A/C cooling when on emergency power. So they stood outside their server room, and wondered how hot it was getting in there...
I would suggest to keep it simple, with a good certified steel door, a steel door-frame that is well fastened to solid walls, and 2 good mechanical locks on the door (say 1 Medeco and 1 Kaba).
You can of course replace one of the mechanical locks with a swipe card, to gain a entry log during normal operation. Just be sure that the electric lock automatically disengages if power is out. Strictly speaking, this makes you more vulnerable against a James Bond style burglary, where the attackers cut power to the building before going in. This is a small risk, but one I'd much rather take than risk being locked out of my server room during an emergency.
Proximity cards are your best bet. The logging is there in a clean, concise format. Our data centers are secured by the same badge system that our external doors are secured with which allow for group access configurations.
Security cameras are another option, but the maintenance is problematic and it takes a little longer to sift through the video to find what you're looking for.
EDIT:
Bioscanners are another option, as Zypher pointed out, but then you start getting into privacy issues. In many countries this quickly gets legal involved.
Don't try to secure things too much, put the usual swipe or promixity card on and audit access. Lots of swipe locks can be further secured with a pin for trusted employees.
I know of a site where the server room is secured by the outsourced company, and access has to be requested in advance and a key provided to gain entry. As a result a minimum of 2 employees are required to be in the room at any given time - if 1 person went in, fell or had a server fall on him or otherwise was unable to get to the door to open it, they'd have to raise an emergency request to get a new key sent over, which would take far too long (personally, I'd smash the door open in such a case). Don't try to restrict access too much.
I'm a big fan of simple solutions that don't require too much extra hardware to function. I like strong doors, strong locks, and large, intimidating security guys named 'Larry', who can bench press the entire IT staff.
Locks do have a problem that many lock manufacturers are in denial about how easy their products are to pick right now, but that's where Larry comes in - you can't use a lockpick when Larry is around because he'll turn you into a pretzel.
Further, if the number of people who go in and out of the special door is small, Larry will learn to recognize them. And when someone who doesn't normally go through that door approaches, Larry will ask them what they are doing. And if they don't have a good explanation for their presence, well, it's pretzel time again!
Larry does have the downside of being an ongoing expense for your organization, but if you really need that door protected, then Larry can be a really big contributor to that protection.
We have our door at the local office setup with a badge reader that ties into our normal system. The lock is also keyed so that a master key cannot open it and only IT has a copy of the key as a just in case backup. In our data center we additionally have a hand scanner that ties into the system so you need both your hand and badge ID to get into the door, along with being in the group that allows access.
I would talk to whoever provides your normal badge entry systems for options on how to integrate it to your existing system (if you have one)
In response to jesper.mortensen:
I agree that a good steel door, steel door frame, supported by solid walls, is ideal. That said, I don't see the point of having two mechanical locks on the door. A single swipe/proximity reader should be sufficient unless your business rules require both a physical key and an electronic key. Biometric access would be a good addition to proximity, IMO. I simply see no need for physical keys for routine access.
As for auto-disengage on power failure -- I think that's a horrible idea. If someone wanted in the office, they'd be able to defeat most or all of the locks just by finding a way to cut power to the facility. What we've done in some of our facilities is replacing the steel door frame with one that is specifically designed to permit key override. I've honestly not examined the mechanism to see how it works, but I do know that our electronic key system is set to fail-secure. If we need to get through a secured door and electronic locking is unavailable, we still have physical keys that we insert into a lock on the door frame, and the lock is released. Definitely more secure than just fail-insecure.
In any case, I'd also very strongly advocate a monitoring system in the room for both motion and entrance -- if anyone uses an electronic bypass key while the system is operational, an alarm would sound.
SmartCards etc so it's per-employee and logged.
Remember:
All good answers. I would also install a camera inside the server room. They are relatively inexpensive and can record on event and can be monitored remotely.
We have installed a mechanical push-button lock on one of our server room doors. The lock has number and letter buttons. Authorized personnel do not need a key and changing the combo is very easily done if staff leave or get fired.
We install S,E,A,P rated doors and partitions for many list x cxompanies ,these are approved by the Home Office asnd no one is getting in with out permission
I'd recommend the Handscan Biometric reader - for example: Handpunch 2000. You can ntework it, use modems or a serial link. Perfect for user verification tasks. There's a SDK available (and even an api for .Net/c# etc..). We use it for our employees clock in/out.
-js