When it comes to the physical security of core mission critical components, location and placement really do matter. No other single factor weighs as heavily or pays as handsomely as wisely choosing the location and placement of your key mission critical components.
This includes the selection of a secure location and placement of all mission critical hardware, software and services along with the core communications and network infrastructure that provide them with support.
Physical Connectivity, Availability and Accessibility
Physical security encompasses physical connectivity, availability and accessibility. It is no good having the most physically secure mission critical components if they are inaccessible. The access types and capabilities will vary in accordance with the purpose of the access and the entity requesting that access.
Limiting user access in a Microsoft Windows Server 2003 environment involves domain controllers, the local machine, security descriptors, NTFS file and folder permissions and Group Policy, to name but a few.
The feature that I use most is to “hide” the resource from users. They will not try to access that which they cannot see.
With all this said, the main thing we need to do now is to define exactly what your mission critical components, devices, infrastructure and services are. We also need to examine possible scenarios and solutions that others have proven to work. There is no need to reinvent the wheel if you do not have to.
Mission Critical Components and Devices
Mission critical devices are those core mission critical components and services without which your organisation would not survive. Servers, communications and networking devices, and infrastructure, including cabling, all fall into the mission critical category.
Whenever it comes to mission critical devices, infrastructure and services, if in doubt, always take the most draconian, restrictive measures. Now apply these measures with rigidity to your mission critical devices, infrastructure and services.
If necessary, you can always loosen security to better cater for special requirements and access rights and privileges. It is no good shutting the gate after the horse has bolted. So always err on the side of higher security (the safe side).
Leveling The Playing Field
One of the more common reasons for adopting this strategy is that all devices and services for all users will start from a common set of conditions on a level playing field. Now you have a set of baseline metrics and quantified assets, attributes and services.
You can refer to your baseline values in the future. On top of this, these baseline values are useful when making head-to-head comparisons between different devices at different points in time. A reliable set of known “good” configuration parameters makes for a very handy troubleshooting strategy and tool.
Lock and Key - Ensure that all those devices classifiable as “mission critical” are permanently under lock and key at all times
Accessibility - Enforce strict physical access rights, permissions and policies
Assimilation and Unification - Consider incorporating your physical security initiatives into your overall security plans
Identifying Mission Critical Devices and Services
I will explain in another article how to determine precisely which components are your mission critical components. They will vary from one network or implementation to the next. For now just think of what would affect your job and your users most and make a list of them.
Now think of what outages would affect your boss the most and make another list. Do not forget to include those factors that would affect your boss's secretary, as what affects the boss's secretary also affects the boss.
Crosscheck both lists and then compile a new list containing both sets of elements. Now begin prioritizing the items on your lists. Start with the things that would affect your boss, the boss's secretary and users alike.
You will be surprised as to how many factors will be common to both groups of people. Then list the remaining items from your boss list. Finally add in the user factors.
Have a break and let the list sit for at least 30 minutes. Now review the list. This time make a note next to each item of the services that are required to deliver each item on your list.
Some of these services will be dependent upon more than one other service/machine. Other services will be common to quite a few of the items identified on your list.
Now make another list containing the prioritized services identified in the previous step. Identify which components are required to deliver these services.
Write them down alongside each of the services that you have just listed in your “must have” mission critical (job keeping) services list that you created in the last step.
Review and test the items on your list. Change priorities as and when required. You have now identified those elements that you deem to be “mission critical”. Once identified it is now time to test and rate those items on the list.
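The listing and cross-referencing steps above can be worked through mechanically once the lists exist. The following is an added example, not part of the original article: the item, service and component names are constructed, and the position-based weighting used to rank shared dependencies is an assumption chosen for illustration.

```python
from collections import defaultdict

def merge_priorities(boss, users):
    """Items common to both lists first, then boss-only, then user-only."""
    common = [i for i in boss if i in users]
    boss_only = [i for i in boss if i not in users]
    user_only = [i for i in users if i not in boss]
    return common + boss_only + user_only

def rank_dependencies(ordered, needs):
    """Rank dependencies by the priority of everything that relies on them.

    ordered: names, most important first. needs: name -> list of dependencies.
    Assumed weighting: an entry at position p adds len(ordered) - p to each
    dependency, so a dependency shared by many high-priority entries rises.
    """
    score = defaultdict(int)
    for pos, name in enumerate(ordered):
        for dep in needs.get(name, []):
            score[dep] += len(ordered) - pos
    return sorted(score, key=lambda d: (-score[d], d))

def mission_critical(boss, users, item_services, service_components):
    items = merge_priorities(boss, users)
    services = rank_dependencies(items, item_services)
    components = rank_dependencies(services, service_components)
    return items, services, components

# Constructed sample lists (hypothetical names).
BOSS = ["email", "payroll", "reports"]
USERS = ["file shares", "email", "printing"]
ITEM_SERVICES = {
    "email": ["mail", "directory", "dns"],
    "payroll": ["database", "directory"],
    "reports": ["database", "file"],
    "file shares": ["file", "directory"],
    "printing": ["print", "directory"],
}
SERVICE_COMPONENTS = {
    "directory": ["dc-01", "core-switch"],
    "database": ["db-01", "core-switch"],
    "dns": ["dc-01"],
    "file": ["fs-01", "core-switch"],
    "mail": ["mx-01", "core-switch"],
    "print": ["fs-01"],
}

if __name__ == "__main__":
    for label, ranked in zip(("items", "services", "components"),
                             mission_critical(BOSS, USERS, ITEM_SERVICES, SERVICE_COMPONENTS)):
        print(label, ranked)
```

In this sample the directory service and the core switch come out on top because almost every listed item depends on them, which is the "common to quite a few of the items" effect the steps describe.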
Implement changes that you deem appropriate for your current situation. These will include those changes that represent the greatest overall reduction in your vulnerability to the risks and threats already identified.
Review and test the changes that you just made. Continue watching and monitoring the changes and impacts resulting from your changes.
High Impact Threats and Vulnerabilities
Place all mission critical components into a secure controlled environment. Securely lock and monitor this facility at all times. Personnel do not generally need physical access to your servers on an hourly basis.
Administrative functions performed in regards to an organisation's servers take place via “middle” machines such as the administrator's workstation.