7 Tips To Increase Your OPSEC In Data Centres
Ensuring your networks remain safe is a top priority for every organisation, and while putting your equipment in a data centre is great, it’s not an excuse to let your Operational Security become lax.
7 straightforward ways to increase the security of your rack are:
1. Religiously Lock Your Racks
Even if you’re stepping away from your rack for only a couple of minutes, this is plenty of time for someone to tamper with your equipment. This could be something as innocent as borrowing a screwdriver without asking, or it could be tampering with equipment to steal data or intentionally cause a disruption.
2. Never leave bags and equipment unattended
Very similar to locking the rack: unattended equipment, like laptops signed into server consoles and portable hard disks containing backups, are items you don’t want to go missing or be misused. If you need to step away, these items should go back in your backpack and be taken with you, or at the very minimum be locked and put away.
3. Remove all identifying labels from the equipment
While Data Halls are not public places, they are shared spaces and do get foot traffic through them from all types of people. Where possible, try to avoid having any identifying labels or marks on the equipment that could identify your organisation or provide clues about the network. This includes asset tags with company names or logos and labels with hostnames & IP addresses. Blend into the crowd and just be another rack of unexciting servers.
4. Have an E-Waste Policy
Equipment failure and replacement is a normal part of IT. Ensure your organisation has a defined process so that this e-waste is sanitised before it is thrown out and never gets into the hands of others with data still contained on it. End Of Life equipment such as routers and switches should have all configurations securely wiped before disposal. On servers, the storage disks should be wiped or destroyed and the configuration reset to factory defaults.
Failed equipment such as HDDs and old tapes must be securely destroyed prior to being thrown out. If using third-party contractors or the data centre’s ‘remote hands’, it is a good idea to ask them to leave the failed components at the bottom of the rack, clearly marked for destruction at a later date.
With a significant amount of equipment eventually finding second lives, either through professional refurbishment or on marketplaces such as eBay, it’s critical there is nothing usable on it once it has left your ownership. Data erasure specialists Blancco performed a study titled ‘The Leftovers: A Data Recovery Study’ based on used hard disks purchased on marketplaces and found that companies are either not wiping data from them at all, or doing so improperly so that it could be recovered.
“67 percent of the used drives contained personally identifiable information and 11 percent held sensitive corporate data, including company emails, CRM records and spreadsheets containing sales projections and product inventories.”
Blancco
Many data centres can arrange the secure destruction of equipment and media. Ensure you ask for a report which confirms the serial numbers and quantity of equipment destroyed.
5. Review the Authorised Access List For Your Account
Staff come and go over the years. Double-check with your data centre and service providers who exactly is still registered on the account. Former employees and staff who do not have a reason to be on the account should have their access revoked immediately and their ID badges surrendered.
The primary contact for the account should be a mailbox which is actively monitored by technical staff, and access to the online portal should be protected with 2FA.
6. Install or Monitor Electronic Access Alarms
Modern facilities are now installing digital locking mechanisms instead of traditional key locks. Not only is this very convenient, but it allows rack owners to review when the rack has been accessed and by whom. If your provider does not offer this solution, there are aftermarket solutions available to log whenever a door is opened and send an alarm.
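As an added example (not from the original article), the review described in tips 5 and 6 can be scripted: the sketch below checks a rack door log against the current authorised access list and flags doors left unlocked too long. The log format, rack and user names, and the 30-minute threshold are all constructed assumptions; adapt them to whatever your lock system exports.

```python
from datetime import datetime, timedelta

# Constructed sample data; export format and all names are assumptions.
AUTHORISED = {"alice", "bob"}        # current access list on the account (tip 5)
MAX_OPEN = timedelta(minutes=30)     # longest a door should stay open per visit

SAMPLE_LOG = """\
2024-03-04T09:02:11 rack-A12 OPEN alice
2024-03-04T09:20:40 rack-A12 CLOSE alice
2024-03-05T22:47:03 rack-A12 OPEN carol
2024-03-05T22:51:30 rack-A12 CLOSE carol
2024-03-06T14:00:00 rack-A12 OPEN bob
2024-03-06T15:10:00 rack-A12 CLOSE bob
2024-03-07T08:15:00 rack-A12 OPEN alice
"""

def audit(log_text, authorised=AUTHORISED, max_open=MAX_OPEN):
    """Return (timestamp, rack, user, reason) tuples for events needing review."""
    findings = []
    open_since = {}  # rack -> (datetime, user) of the OPEN not yet closed
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, rack, action, user = line.split()
        ts = datetime.fromisoformat(ts_raw)
        if action == "OPEN":
            if user not in authorised:
                findings.append((ts_raw, rack, user, "not on authorised list"))
            if rack in open_since:  # earlier visit never logged a CLOSE
                p_ts, p_user = open_since[rack]
                findings.append((p_ts.isoformat(), rack, p_user, "never closed"))
            open_since[rack] = (ts, user)
        elif action == "CLOSE":
            opened = open_since.pop(rack, None)
            if opened is None:
                findings.append((ts_raw, rack, user, "CLOSE without OPEN"))
            elif ts - opened[0] > max_open:
                findings.append((opened[0].isoformat(), rack, opened[1],
                                 f"door open for {ts - opened[0]}"))
    # Anything still open at the end of the log was left unlocked (tip 1).
    for rack, (ts, user) in open_since.items():
        findings.append((ts.isoformat(), rack, user, "never closed"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="  ")
```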
7. Don’t Publicly Publish the Location or Name of Your Data Centre
It’s far more challenging to gain physical access to infrastructure or launch a phishing attack against a provider if the adversary doesn’t know who or where they are. In many cases it is unnecessary to publicly publish the exact location of your equipment.
What strategies do you use to keep your equipment safe? Let us know in the comments below.