Updating server software is all well and good. But if a malicious hacker gets into the data center, there will be hell to pay. Experienced sysadmins and security experts offer advice on how to lock out intruders from your server hardware and control physical access in the data center.

Today's security headlines repeat common stories. One company after another had its secrets and customer records hacked due to phishing, malware, or failing to patch software and operating systems. But, at day's end, if you don't lock down your servers' physical hardware, you're still going to be in a world of trouble. A malicious hacker who can access a server keyboard can type in dangerous commands that bring down the entire network.

You aren’t a newbie. Your building has locked doors and card access controls. What further steps can you take to secure the server room? I spoke to sysadmins and security experts to gather their collected wisdom.

Let’s start with the basics. Before you think about securing access to the hardware, give some attention to its physical organization and office workflow.

Secure the space

The server room must have restricted access. All access points should be alarmed for entry and egress. Access control also requires monitored access. After all, you need to know who gets into the room and when, as well as when someone tries to break in.

The room should not have external windows. In addition to introducing security issues, windows also give you climate control problems. If you're forced to use a room with windows, the windows need to be electronically locked to prevent Joe Walkabout from cracking them open.

Your server room must also have fire alarms, fire extinguishers, and suppression systems. You may also want moisture-detection systems. After all, who cares if no bad guys can get into your server room if fire and floods can invade it?

Decide who’s allowed in

Access policies should allow no one except specific IT personnel to enter the server room. It's all too common for some employees to decide the server room is a great place to store ladders, brooms, and, on at least one notable occasion reported to me by a sadder but wiser system administrator, beer kegs. Don't let them! As one sysadmin put it, “The only people who should have access to the server room are IT people: Full stop.”

The room needs access policies—and someone to set and enforce them. For example, can you smoke in the room? Drink a beverage? Allow visitors? That individual or department is responsible for ensuring those rules are known, understood, and followed.

One budget-friendly practice is to keep the lights turned off in the room. That way, one sysadmin told me, "if someone walks by and the lights are on, we check to see who's in there and why." Use automated lighting so that lights go on when someone enters and turn off when they leave. Replacing light switches with these sensors is simple and cost-effective.

Lock things up

It's not enough to secure the racks. You need to lock down the cages as well. That means securing the rear of the rack, too. This may require a combination of products, all targeted at limiting access.

Racks of storage devices merit the same level of security. After all, you don't want someone popping open a rack and snatching the hard drives. This does happen; it’s not merely a staple of heist movies. For example, in 2013, the streaming service Vudu had its servers’ drives stolen, and users’ credit card information went with them.

For rack-level security, you have many choices. They range in price, complexity, and techie appeal—simple key locks, biometrics, fobs—all of which control access to individual racks. Pick one of these and standardize. A mix of products and technologies leaves too many security holes.

Don’t forget cable management. Access to network cables should also be strictly controlled. If networking equipment is not colocated with servers and storage, the same access requirements that apply to your server room should be applied to the networking “closet.”

If your patch panel, switches, and routers are in a separate room, treat them just as you would the server room. Access to the network hardware is only slightly less dangerous than access to the servers.

Establish key access, basic and otherwise

The fundamental physical security aspect of server rooms is straightforward. Your server room must be accessible only via controlled doors. The entry door needs one or more locks. Those locks should be electronic, so you can audit access and control authorization. The actual lock mechanism doesn't matter so much. The important takeaway is that you monitor and control it. A physical key doesn't cut it.

If you must use physical keys, use something like the Medeco key system, which requires authorization before copies can be made and allows only the vendor to make them. This removes the issue of casually copying keys.

Implement multiple levels of access control. Locks should use key cards, fobs, or biometrics. IT management grants access. For example, one sysadmin explains, “You might be better served technically by just putting up a camera, not as an authentication factor but as a record of who used the key card.”

Not everyone is a fan of biometric security mechanisms for server room access. One sysadmin wrote in an email, "Biometrics end up being more for show than for practice. It's solid technology, but it's mostly misused in the world of day-to-day medium-security operation."

On the other hand, Ian McClarty, president of PhoenixNAP, Global IT Solutions, thinks biometrics should be part of a server security system. "The best business practice in physical security is to have three-factor authentication,” McClarty says. “This is something you have, something you know, and something you are.” That is, you have a badge, you know a security code, and you prove who you are with an iris scanner, covering all three.

Most sysadmins recommend combining surveillance cameras with contact or motion sensors on your doors. With these combinations, you can monitor when the doors are opened and record only when someone attempts to get in. You can also use this pairing to trigger email or cell phone notifications when someone opens the door when it should be closed, such as after hours.
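The pairing of door contact sensors with badge records can be checked automatically. The following is an added example, not code from any product mentioned in the article: it correlates a constructed event log and flags door openings that happen after hours or without a granted badge read. The log format, the staffed hours, and the 10-second badge window are assumptions.

```python
from datetime import datetime, time, timedelta

# Constructed sample events (not real logs): timestamp, source, detail.
EVENTS = [
    ("2024-03-04 09:12:05", "badge", "card=1041 granted"),
    ("2024-03-04 09:12:08", "door", "open"),
    ("2024-03-04 09:40:11", "door", "closed"),
    ("2024-03-04 14:03:30", "door", "open"),          # no badge read first
    ("2024-03-04 14:03:52", "door", "closed"),
    ("2024-03-04 23:47:19", "badge", "card=1007 granted"),
    ("2024-03-04 23:47:22", "door", "open"),          # valid badge, after hours
    ("2024-03-04 23:58:40", "door", "closed"),
]

BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed staffed hours
BADGE_WINDOW = timedelta(seconds=10)  # assumed max gap between swipe and open


def review_door_events(events):
    """Return (timestamp, reason) alerts for door openings that need follow-up."""
    alerts = []
    last_badge = None
    for stamp, source, detail in events:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if source == "badge" and "granted" in detail:
            last_badge = when
            continue
        if source != "door" or detail != "open":
            continue
        badged = last_badge is not None and when - last_badge <= BADGE_WINDOW
        if not badged:
            alerts.append((stamp, "door opened without a granted badge read"))
        if not (BUSINESS_START <= when.time() < BUSINESS_END):
            alerts.append((stamp, "door opened after hours"))
        last_badge = None  # one swipe authorizes one opening
    return alerts


if __name__ == "__main__":
    for stamp, reason in review_door_events(EVENTS):
        print(f"ALERT {stamp}: {reason}")  # hand off to email/SMS in practice
```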

Beyond locks and keys

Consider a “lights out” data center. In this environment, everything except direct physical maintenance is done remotely. Servers are headless. With very few exceptions, no one goes in the server room. This does, however, require a level of instrumentation of the servers and racks that may not be budget-friendly.

If you have a big enough budget, consider deploying a mantrap. A mantrap is pretty much what it sounds like. It can be as simple as a small entry room with two doors. This method is also known as airlock control. In medieval castles, it’d be the gatehouse (though few server rooms are equipped to pour boiling oil on intruders).

The most effective mantraps require security personnel assigned to them. On the server room level, additional security staffing to watch the door is unlikely, but it may be relevant for some purposes.

The entry door opens to the unsecured area, while the other door opens into the secured area. After you enter the mantrap, the entry door automatically locks behind you. Only then can you unlock the server room door. The entry must lock quickly to prevent tailgating, which is when more than one person enters at a time using one security key.

Another mantrap variation is restricted entry and unrestricted exit. With this method, the outer doors are locked while the internal doors are unlocked. After you enter and the exterior door is relocked, the interior doors are once more unlocked.

Finally, for the most security, there's restricted entry and exit. With this, all the doors are locked. Once you are authorized to enter, you can enter the mantrap. The exterior door is then locked behind you, and you must reauthorize to open the internal door.
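The restricted entry and exit sequence can be written as a small interlock state machine. This is an added example, not taken from any vendor's controller: it keeps both doors from being open at once and requires reauthorization at the inner door. The class name, badge IDs, and the vestibule occupancy sensor used to catch tailgating are assumptions.

```python
class Mantrap:
    """Two-door interlock: restricted entry and exit, one person per cycle."""

    def __init__(self, authorized):
        self.authorized = set(authorized)   # badge IDs allowed through
        self.outer_open = False
        self.inner_open = False
        self.occupants = 0                  # from an assumed vestibule sensor
        self.pending = None                 # badge that opened the outer door
        self.log = []                       # audit trail of grants and denials

    def _deny(self, door, badge, reason):
        self.log.append(("DENY", door, badge, reason))
        return False

    def request_outer(self, badge):
        if badge not in self.authorized:
            return self._deny("outer", badge, "not authorized")
        if self.inner_open or self.occupants:
            return self._deny("outer", badge, "interlock: vestibule busy")
        self.outer_open, self.pending = True, badge
        self.log.append(("OPEN", "outer", badge, ""))
        return True

    def outer_closed(self, occupants):
        """Outer door relocked; the sensor reports how many people are inside."""
        self.outer_open, self.occupants = False, occupants

    def request_inner(self, badge):
        if self.outer_open:
            return self._deny("inner", badge, "interlock: outer door open")
        if self.occupants != 1:
            return self._deny("inner", badge, "tailgating or empty vestibule")
        if badge != self.pending or badge not in self.authorized:
            return self._deny("inner", badge, "reauthorization failed")
        self.inner_open = True
        self.log.append(("OPEN", "inner", badge, ""))
        return True

    def inner_closed(self):
        """Person has passed into the server room; reset for the next cycle."""
        self.inner_open, self.occupants, self.pending = False, 0, None


if __name__ == "__main__":
    trap = Mantrap({"A100"})                # constructed badge ID
    trap.request_outer("A100")
    trap.outer_closed(occupants=2)          # second person slipped in
    print(trap.request_inner("A100"), trap.log[-1])
```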

Another variation, which is used by the U.S. National Security Agency (NSA), is to require two people to access a server room. While the NSA doesn’t go into any detail, you’ve seen movies of people launching missiles having to use two keys. It’s the same idea.

Make security happen

Securing a server room is always a balancing act among accessibility, cost, and security. There is no perfect mix. What's overkill for one company would be the minimum requirement for another.

Look carefully at what you need and what's practical. Then, once you have a plan of action, get management on your side and make it happen. If you don't, your company's secrets may just walk out the door—along with your job.

Server room security: Lessons for leaders