Royal Canadian Mounted Police

G1-031 Physical Protection of Computer Servers

Physical Security Guide
Lead Agency Publication   G1-031

Issued: March 2008

1.  Introduction

An important asset of government departments¹ is the information they store and process on a daily basis. This information must be protected against threats to confidentiality, availability and integrity. In the past, paper documents were the most common form on which information was recorded, and various guidelines and requirements have been developed for the storage of information in this form. Today, information is also stored electronically. The most valuable component of an electronic information system is the information stored on network devices such as domain controllers, file servers, storage area networks (SAN), network-attached storage (NAS) and backup servers. For the sake of simplicity, this guide refers to all of these devices as ‘servers’.

1.1  Purpose and Scope

The purpose of this document is to provide guidelines for the physical protection of computer servers used to store classified and protected information.

The scope of this guide is limited to the physical protection of servers from unauthorized access. Departments must also consider protection from fire, water, earthquakes, power failures, temperature and humidity. In addition, departments with servers handling signals intelligence (SIGINT) information must contact the Communications Security Establishment (CSE) for advice on physical, IT and emanation security which may include additional physical separation and zoning measures.

1.2  Roles and Responsibilities

The Departmental Security Officer (DSO) and the IT Security Coordinator (ITSC) are required to ensure that physical, personnel and IT security stakeholders coordinate their efforts to protect information and IT assets and ensure an integrated, balanced approach.

Custodians are responsible for integrating tenant requirements into their base building infrastructure. When a department determines that the most effective method for protecting servers from unauthorized access requires modifications to areas outside the tenants’ control, the custodian is responsible for coordinating the measures required by the department. The department remains responsible for paying for the modifications, including ongoing maintenance and repairs, as required.

1.3  Methodology

The Government Security Policy defines IT security as the "safeguards to preserve the confidentiality, integrity, availability, intended use and value of electronically stored, processed or transmitted information." This document describes the physical security safeguards required depending on the level of confidentiality of information, and is only one part of the IT security risk analysis process. Departments must also evaluate their requirements for integrity and availability, and provide additional safeguards as necessary. In this document, progressively higher levels of protection are prescribed depending on the sensitivity of information stored on the server. Departments should determine if they require enhanced or additional safeguards by conducting an internal threat and risk assessment.

Vulnerabilities, both logical² and physical, are more easily exploited when servers are not protected from unauthorized physical access. To address this concern, physical security safeguards must include the elements of protection, detection and response. This document describes the minimum requirements for protection and detection in order to reduce the likelihood of unauthorized physical access. Departments must ensure they can provide an appropriate response when unauthorized physical access has been detected.

Protection from physical access can be provided by locating the server in a container. Servers may be housed individually or in small numbers in containers such as those listed in the Security Equipment Guide G1-001. In cases where numerous servers require protection, the use of approved containers may become impractical. Servers should then be located in server rooms. These rooms should be constructed in conformity with the requirements listed in Table 1 and described in Appendix A.

The detection requirements outlined in this document are intended to identify unauthorized physical access to the servers. They do not detect unauthorized activity by authorized users. Departments must ensure that those who are permitted access have a need to access and possess the appropriate security clearance. Departments should also contact their ITSC or DSO for guidelines and/or assistance in preventing and detecting unauthorized logical activity on the server.

Additional information can be obtained from RCMP guide G1-025 Protection, Detection and Response.

1.4  Risk Summary

The safeguards in this document have been selected to counter two threats considered to have a medium likelihood. The first threat is the loss of confidentiality due to unauthorized access resulting from the theft of a server. Although servers have a relatively low resale value, there is some history of servers being stolen and resold. Servers can be stolen for the information stored within or simply for their monetary value. The replacement cost of the server unit itself is insignificant compared to the disclosure of confidential information. Server theft is typically perpetrated using a low skilled attack.

The second threat is the loss of confidentiality resulting from information disclosure to an unauthorized individual who has physical access to the server. This is different from the “hacker” type of threat that is the responsibility of the IT security section. In most cases, hackers attempt to exploit vulnerabilities logically from a remote location. Certain server vulnerabilities can be more easily exploited, however, when physical access to the server (the physical box) is possible. In addition, departments should consider how the unauthorized installation of a ‘rogue’ device could support a ‘combined’ attack (both physical and logical). For example, an insider could attach a hardware key-logger to a server for a set period of time and retrieve it later. The captured information could then be used to support a logical/remote attack via the network or Internet. The level of skill required for this threat is considered medium.

2.  Physical Security Requirements for Server Rooms

2.1  Minimum Requirements

Table 1 outlines the minimum safeguards required for a server room dedicated to one government department and containing only servers serving that department. A description of each safeguard is found in Appendix A. Additional safeguards are required for server rooms when the room contains servers and/or additional telecom equipment owned and operated by more than one government department. These safeguards are discussed in section 2.3 and illustrated in Appendix B, examples B4, B8 and B9.

The safeguards specified in Table 1 vary depending on the sensitivity of the information stored on the server and the zone from which the server (room) is accessed. Information on security zones can be found in RCMP security guide G1-026 Application of Security Zones.

Table 1 - Minimum safeguards (refer to Appendix A) and zoning examples (refer to Appendix B) by maximum level of information

Protected A
  • No additional safeguards for servers located in an Operations Zone or higher; or
  • Locked server room (1) (Example B1)

Protected B
  • Locked server room (1) (Example B2); or
  • Lock up the servers (2) located in an Operations Zone or higher; or
  • Secure server room (3) (Example B1)

Protected C
  • Secure server room (3) (Example B3); or
  • Secure Data Center 24/7 (Example B6); or
  • Secure Data Center (Example B7)

Confidential
  • Secure Data Center 24/7 (4) (Example B5); or
  • Secure Data Center (Example B6); or
  • Secure server room (3) (Example B2); or
  • Locked server room (1) (Example B3); or
  • Lock up the servers (2) located in a Security Zone or higher

Secret
  • Secure Data Center 24/7 (4) (Example B5); or
  • Secure server room (3) (Example B3); or
  • Secure Data Center (4) (Example B7); or
  • Container listed in the Security Equipment Guide when located in a Security Zone or higher

Top Secret
  • Secure Data Center 24/7 (4) (Example B6); or
  • Secure server room (3) (Example B3); or
  • Secure Data Center (4) (Example B7)
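The decision rules of Table 1, encoded as an added example (Python written for this edit, not part of the RCMP guide): a room described by the zone it is accessed from and the Appendix A safeguards it provides is checked row by row, and the highest protected and classified levels the room supports are derived from the table rather than read from Appendix B. Assumed: the zone ordering Public Access < Operations < Security < High Security; that a Secure Data Centre meets secure-room construction (Appendix A, 4), that a secure room also counts as a locked room, and that a G1-001 container is one way of locking up a server (Appendix A, 2); the zones for rows that cite an Appendix B example are read from that appendix's captions.

```python
# Zones named in the guide, least to most restrictive (assumed ordering).
ZONES = ["Public Access", "Operations", "Security", "High Security"]
# Protected and classified information are separate ladders in the guide.
PROTECTED = ["Protected A", "Protected B", "Protected C"]
CLASSIFIED = ["Confidential", "Secret", "Top Secret"]

# One tuple per Table 1 row: (level, safeguard, minimum zone the room is
# accessed from, Appendix B example). Zones for rows citing an example are
# taken from Appendix B (B1/B5 Public Access, B2/B6 Operations, B3/B7 Security).
TABLE_1 = [
    ("Protected A", "none", "Operations", None),
    ("Protected A", "locked room", "Public Access", "B1"),
    ("Protected B", "locked room", "Operations", "B2"),
    ("Protected B", "lock up servers", "Operations", None),
    ("Protected B", "secure room", "Public Access", "B1"),
    ("Protected C", "secure room", "Security", "B3"),
    ("Protected C", "secure data centre 24/7", "Operations", "B6"),
    ("Protected C", "secure data centre", "Security", "B7"),
    ("Confidential", "secure data centre 24/7", "Public Access", "B5"),
    ("Confidential", "secure data centre", "Operations", "B6"),
    ("Confidential", "secure room", "Operations", "B2"),
    ("Confidential", "locked room", "Security", "B3"),
    ("Confidential", "lock up servers", "Security", None),
    ("Secret", "secure data centre 24/7", "Public Access", "B5"),
    ("Secret", "secure room", "Security", "B3"),
    ("Secret", "secure data centre", "Security", "B7"),
    ("Secret", "G1-001 container", "Security", None),
    ("Top Secret", "secure data centre 24/7", "Operations", "B6"),
    ("Top Secret", "secure room", "Security", "B3"),
    ("Top Secret", "secure data centre", "Security", "B7"),
]

# Assumed implications: a data centre perimeter meets secure-room construction
# (Appendix A, 4), a secure room is also a locked room, and a G1-001 container
# is one way to lock up a server (Appendix A, 2).
IMPLIES = {
    "secure data centre 24/7": {"secure data centre"},
    "secure data centre": {"secure room"},
    "secure room": {"locked room"},
    "G1-001 container": {"lock up servers"},
}

def safeguards_provided(room):
    # Expand the room's stated safeguards with everything they imply.
    provided = {"none", *room["safeguards"]}
    pending = list(provided)
    while pending:
        for implied in IMPLIES.get(pending.pop(), ()):
            if implied not in provided:
                provided.add(implied)
                pending.append(implied)
    return provided

def minimum_met(level, room):
    """Appendix B example ('ok' for rows without one) of the first Table 1 row
    satisfied for `level`; None when the room does not meet the minimum."""
    provided = safeguards_provided(room)
    zone_rank = ZONES.index(room["zone"])  # zone the room is accessed from
    for lvl, safeguard, min_zone, example in TABLE_1:
        if lvl == level and safeguard in provided and zone_rank >= ZONES.index(min_zone):
            return example or "ok"
    return None

def highest_levels(room):
    # Highest protected and classified level the room supports under Table 1.
    pick = lambda ladder: ([l for l in ladder if minimum_met(l, room)] or [None])[-1]
    return pick(PROTECTED), pick(CLASSIFIED)
```

Running `highest_levels({"zone": "Security", "safeguards": ["secure room"]})` reproduces Example B3 (Protected C, Top Secret), and the same call for a locked room accessed from an Operations Zone reproduces Example B2 (Protected B, no classified information).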

2.2  Server Room Location

In many buildings, the most practical place to locate servers is in the main telecommunications room, now called the telecommunications equipment room (formerly called the main terminal/equipment room). Access to this room is often from a Public Access Zone. This room can be used as long as the minimum safeguards described herein are applied. The telecommunications equipment room should not be confused with the entrance room. The entrance room is used as a terminal for cables owned by various telecommunications common carriers to enter the building from the street. Equipment owned by the telecommunications common carriers serving the building can also be stored in this room. Consequently, the telephone companies and other telecom service providers require access to the entrance room. In order for servers to be kept in the telecommunications equipment room (or any other room), access to the room must be controlled by the Crown. In other words, such a room must essentially be an Operations Zone or higher.

Figure: Building Section

2.3  Shared Server Rooms

Government facilities can often comprise more than one organization. In most cases it is more economical to locate servers from different organizations in the same area to take advantage of economies of scale. In addition, organizations may from time to time expand or reduce their space usage requirements within a facility. A shared server room allows for such changes without the need for wholesale relocation of the server room every time there is a modification to tenant areas.

However, shared server rooms can also introduce additional vulnerabilities. Sharing a server room with other organizations increases the risk to the servers, since the probability of compromise increases with the number of people who have access to the server room. Users of the shared server rooms must develop a joint policy regarding the required access privileges and security clearances. Organizations should then assess the increased risk and consider applying the safeguards described in Appendix A to servers that contain classified or protected information. Telecommunications equipment rooms containing servers should be treated as shared server rooms. Shared server rooms are illustrated in Appendix B.

Large data centers shared by more than one organization also have additional requirements. This occurs when the size of the data center is too large to allow those in the monitoring room to adequately monitor access to the servers. In these situations, servers should be protected as if they are located within the Security Zone of a single department (see Table 1 and Appendix B).

3.  Summary and Recommendations

The requirements of Section 2 refer to various alternatives for the physical protection of computer servers. Departments need to determine the most cost-effective means of meeting these requirements. Departments should also consider their requirements relating to protection from fire, water, earthquakes, power failures, temperature and humidity. It may be more cost-effective to co-locate servers with another organization in the same server room or data centre in order to take advantage of the economies of scale when safeguards such as backup generators and air conditioning units are taken into account. Some recommended layouts of shared server rooms and data centres are illustrated in Appendix B.

4.  Advice and Guidance

For advice and assistance regarding this guide or on site specific issues that are not covered herein, contact:

Client Services, Technical Security Branch
Royal Canadian Mounted Police
1426 St. Joseph Boulevard
Ottawa, Ontario  K1A 0R2

E-mail: TSB-ClientServices@rcmp-grc.gc.ca

5.  References

Appendix A - Safeguards

The following is a description of the physical security safeguards referred to in Table 1:

1.  Locked Server Room

  • Locate the server in a separate room and control access to this room. Limit access to those individuals having an operational or job-related need;
  • The room should be built with walls that extend from the floor slab to the underside of the floor/roof slab above. Rooms with walls that extend to the underside of a suspended ceiling would not meet the definition of “locked server room”; and
  • Control of access can be achieved through a variety of means, such as mechanical keyed locks or electronic card readers. In addition, many systems include an audit trail to indicate who has had access to the room and when. For further information refer to RCMP Guide G1-024 Control of Access.

2.  Lock up the Server

Servers can be locked up by a variety of methods in order to control access to them. The following are examples of how a server can comply with the “locked up” requirements of this guide.

  • Servers can be considered “locked up” when physical protection is provided to the server unit (box) itself by devices attached directly to the server, such as:
    1. a secure lid lock to help prevent physical intrusion into the server;
    2. secure drive locks to help prevent access to the floppy drive and/or CD-ROM drive;
    3. devices designed to lock out all possible sources of input/output, such as USB ports, serial ports, network interfaces and PS/2 ports; and
    4. anchoring pads or cables that secure the server to the rack, table or other location where it sits, to prevent removal of the server.
  • Servers can also be considered as locked up when they are placed within a lockable caged-in area within a server room (see example B4 in Appendix B). Air circulation for cooling may be more easily provided when subdividing a room with cages instead of fixed walls. Lockable cages can incorporate separate access control and intrusion detection devices in addition to those installed for the server room access. Cameras can also be used to monitor access to the caged areas.
  • Servers can also be considered as locked up when they are located in a lockable server rack. Lockable racks can incorporate additional security features. The door to the rack can be fitted with a contact to indicate when the door is opened. A motion detector can be installed within the cabinet. Additionally, a closed-circuit video equipment (CCVE) camera can be installed within or outside the cabinet.
  Figure: Example of lockable server racks

  • Servers can also be considered as locked up when they are located in a container listed in the RCMP Security Equipment Guide G1-001.

3.  Secure Server Room

  • For purposes of this guide, a “secure server room” means a room in which the walls, door and hardware are constructed as per the specification for Secure Room 1. The construction of Secure Room 1 is described in RCMP security guide G1-029 Secure Rooms.
  • The room must also be monitored with an electronic intrusion detection system.
  • The room should be monitored by closed-circuit video equipment (CCVE) when indicated by a threat and risk assessment (TRA). CCVE can have the effect of deterring unauthorized access, as well as providing a visual record of activity at a server. Cameras should be placed such that they can record who accessed the server and when, but not record any sensitive or protected information such as passwords.

4.  Secure Data Centre

  • The server room can be monitored by having personnel occupy a control room adjacent to the server room with a glazed wall in between. For purposes of this guide, this configuration of rooms will be referred to as a “Secure Data Centre”. The glazing should permit observation of the servers. Any areas considered out of view should be monitored by cameras. The layout should allow anyone entering the room to be observed, and should provide a monitoring area for signing in and presenting identification.
  • The perimeter of a Secure Data Centre must meet all the construction requirements of a Secure Server Room.
  • The monitoring room must be occupied during hours in which access to the servers is permitted. When 24/7 is indicated, the control room must be occupied continuously.
  • See Appendix B for illustrations of Secure Data Centres.

Appendix B - Examples of server rooms meeting basic requirements

The following are typical examples of server rooms which meet the requirements of this guide:

Example B1

This server room qualifies as an Operations Zone when access is limited to personnel whose duties require them to work on the servers or equipment within.

  • This server room can contain servers that store protected information up to Protected A when the safeguards described in "1. Locked Server Room" in Appendix A are applied.
  • This server room can contain servers that store protected information up to Protected B when the safeguards described in "3. Secure Server Room" in Appendix A are applied.

Example B2

  • This server room can contain servers that store protected information up to Protected B when the safeguards described in "1. Locked Server Room" in Appendix A are applied and the room is located within an Operations Zone or higher.
  • This server room can contain servers that store protected information up to Protected B and classified information up to Confidential when the safeguards described in "3. Secure Server Room" in Appendix A are applied.

Example B3

  • This server room can contain servers that store protected information up to Protected B and classified information up to Confidential when the safeguards described in "1. Locked Server Room" in Appendix A are applied and the room is located within a Security Zone or higher.
  • This server room can contain servers that store protected information up to Protected C and classified information up to Top Secret when the safeguards described in "3. Secure Server Room" in Appendix A are applied.

Example B4

Additional compartmentalization should be considered when more than one organization shares a server room (see section 2.3). This can be achieved by locking up servers containing protected or classified information (see Appendix A, "2. Lock up the Server"). These examples show server rooms compartmentalized with lockable racks and cages.

Example B4 Selected servers in lockable racks

Example B4 Selected servers in separate caged area

Example B5

Example B5 Public Access Zone

This server area qualifies as a Security Zone when the safeguards described in “4. Secure Data Center” are applied.

  • This room can contain servers that store protected information up to Protected B and classified information up to Confidential.
  • When the monitoring area is occupied 24/7 the server room can contain servers that store protected information up to Protected B and classified information up to Secret.

Example B6

Example B6 Operations Zone

  • This server area qualifies as a Security Zone when the safeguards described in “4. Secure Data Center” are applied.
  • This server room can contain servers that store protected information up to Protected B and classified information up to Confidential when the Secure Data Center is located in an Operations Zone.
  • When the monitoring area is occupied 24/7 the room can contain servers that store protected information up to Protected C and classified information up to Top Secret.

Example B7

Example B7 Security Zone

  • This server area qualifies as a High Security Zone when the safeguards described in “4. Secure Data Center” are applied and the Secure Data Center is located in a Security Zone.
  • This server room can contain servers that store protected information up to Protected C and classified information up to Top Secret.

Example B8

Additional compartmentalization should be considered when more than one organization shares a server room (see section 2.3). This can be achieved by locking up servers containing protected or classified information (see Appendix A, "2. Lock up the Server"). These examples show server rooms compartmentalized with lockable racks and cages.

Example B9

This example is similar to Example B8, except that cages are used to compartmentalize the data center. This layout could be used to allow two organizations to separately control access to selected servers. Secure Data Centres are described in safeguard #4, Appendix A. Shared data centers are discussed in Section 2.3.

Endnotes

1 For the purposes of this document, the term “department” includes departments, agencies and any other entity governed by the Government Security Policy.

2 “Logical” vulnerabilities refer to vulnerabilities in the way data or systems are organized. Logical access control refers to the collection of policies, organizational structures and procedures, such as identification, authentication and authorization, designed to restrict access to computer software and files. It differs from physical access control, which restricts the ability to physically interact with the servers.
