Access control is a vital component of any data security plan, and organizations must carefully plan out how people interact with physical machines. A Network World report pointed out that effectively restricting access to systems is a vital component of the Critical Security Controls that have been established by the Center for Internet Security. While firewalls and network access are important parts of this conversation, businesses must also focus on physical controls to ensure nobody is able to manipulate or steal data through direct access to machines.
While establishing access control for data centers, server rooms and similar locations is common practice, many organizations do not consider the need to provide similar protections when decommissioning hardware. In particular, most access control strategies include multiple layers of protection, something that tends to fall apart when dealing with hardware that has been cast aside for disposal. With this in mind, let’s look at three critical layers of physical access control and what they all mean when it comes to data decommissioning.
1. Multiple security checkpoints
Offering multiple layers of security prior to access to any data systems is critical to ensuring unauthorized individuals are not able to steal data. For major data centers, such as colocation facilities or cloud hosting locations, it is often common to have multiple layers of security prior to accessing the building in the first place. The specifics will vary from facility to facility, but having at least two layers of protection prior to even getting into the data center or server room is common.
For example, consider even a small server room in the back of an office. The office itself acts as a checkpoint as any attacker must pass to the server room without raising suspicion. From there, many businesses lock the door or have IT personnel serving as gatekeepers. Regardless of the method, however, the theme is the same – anybody wanting to get to active data assets will likely need to pass through multiple layers of protection.
2. Documentation systems
Tracking who can access data and when they do so is also common. Configuring systems to log when they have been changed or altered combines with user documentation to create a simple check system. Security teams can periodically check their access logs next to those in the system to identify any discrepancies. Putting this sort of system in place can dissuade attackers because they will know that, in the event of a discrepancy between documentation forms, any suspicious activities will be thoroughly investigated.
This documentation can also be used alongside biometric locks, user passcards or similar rack- or cabinet-level access control mechanisms to provide an added level of visibility into system use.
3. Specialized locks and surveillance setups
Doorways configured with features ranging from anti-passback, man-traps and similar capabilities effectively bottleneck users entering the data center into preset pathways where they can be monitored with security cameras. Controlling these specific entry points into the data center itself plays a vital role in safeguarding data, and many organizations have specialized systems in place to protect data in this way.
Bringing access control beyond active systems
All of these precautions are taken to prevent data theft and service disruption, but they often go out the window once organizations begin decommissioning hardware. Whether they are dealing with old PCs spread throughout the office or disused servers and storage arrays, many companies will move inactive systems out of their highly regulated environments and leave them somewhere out of the way. This creates inherent vulnerabilities that organizations must deal with during the hardware decommissioning process.
“Degaussers help companies incorporate existing access control strategies into decommissioning.”
On top of all of this, many organizations will send hard disks out to third-party specialists for destruction. Throughout this process, disks may be stored in boxes in a warehouse, in the back of a truck or in unknown locations at the disposal organization’s facility. Essentially, all of the layers of protection that organizations put in place to protect active systems can quickly disappear and be replaced by single points of failure during the decommissioning phase. However, data is no less vulnerable during this process, especially if insider threats are aware of any weak points in the access control plan.
Using disk degaussers to alleviate access control complexity
Disk degaussers provide an unrecoverable wipe of data on hard drives using a magnetic charge that erases all data. This is completely reliable – so much so that leading degaussers are certified by regulatory bodies – and can be accomplished through handheld tools, such as a degaussing wand. The end result is a situation in which organizations can ask authorized IT workers to wipe hard disks immediately upon closing down a system. With this strategy in place, companies can more easily incorporate their existing access control strategies into their decommissioning processes and avoid putting data at risk.
