Dr. Natheer Khasawneh Sara Ismail This chapter presents access control options for a Data Center and recommends standards of operations for people working in the room. The chapter also provides best practices for equipment installations and suggested guidelines when touring visitors through a server environment. 1. It is important to physically protect your environment from intentional theft or vandalism, from accidental damage by personnel not trained to work in a Data Center, and from unauthorized personnel obtaining sensitive information. The most fundamental way of physically protecting the items housed in a Data Center is control over who can enter: Door controls: Data center doors might be equipped with sturdy locks. Keep a log of who has such access and prohibit copies of the keys from being made or the combination from being further distributed. Most businesses choose a more automated approach known as: a card reader or badge access system. There are even biometric security features that scan the shape of a person's hand or fingerprints or focus on their voice, facial features, or iris patterns. It is also possible to install a revolving door mechanism that allows only one person to enter at a time, this prevents tailgating. 2. cages: Pros: It is an easy way to provide a restrictive barrier within a server environment. Fencing prevents unauthorized personnel from entering a given space. It is cheaper to build and generates less of a mess during construction than a traditional wall. Cons: A cage still enables people to look in and know that something of value is inside. It attracts more curiosity than a regular room with walls. A cage also can't protect what it doesn't surround. A break in the conduit or cabling can cause downtime to equipment within a cage, no matter where the damage occurs. If you do cage in a portion of a Data Center, take the following precautions: Extend cage walls below the raised floor and above the false ceiling. Cover cage walls with a hard, opaque surface. The more electrical conduits, structured cabling, and source equipment feeding them that are located outside of a cage, the easier it is for someone to cut, break, or shut down power and connectivity into the space. 3. Locking cabinets: These locks come in several forms—key, combination, or even card reader. The use of locking cabinets requires you to administrate their access controls as you do the controls for the Data Center itself. 4. Closed-Circuit Television Coverage: can be installed to monitor and record who enters and leaves the Data Center, and point at the room's most important servers and networking devices. You might install cameras under a raised floor to view the condition of infrastructure there. 5. Access Policies and Procedures: Establish a Data Center access policy that defines who is allowed to enter the room and under what circumstances based on job classifications. Apply policies that distinguish between long-term and short-term access. Among the questions that should be addressed by your company's Data Center access policy are: What job functions qualify someone to enter a Data Center? How does an employee request Data Center access? Is badge access provided for vendors, contractors, or other nonemployees? How is access granted during an emergency? How often are access privileges reviewed and by whom? What are the penalties for access violations? The point is that, as valuable as the rules are, it is more important that anyone entering the Data Center simply understands the sensitivity of what is inside the room and treats those items accordingly. Requiring people to have a certain minimum knowledge of the server environment and its rules can reduce downtime caused by user errors. Implement Change Management: Change management is a method of planning, coordinating, and communicating about activities in and around a company's vital facilities—the Data Center, Network Room, areas that house primary and standby electrical infrastructure—that are vital for the business to remain operational and serve its customers. Change defined: Change is an alteration of any Data Center element—an infrastructure component, a server application, power availability, or connectivity status—that might affect a client or hamper the ability of a company to provide its regular services. Typical Data Center-related activities that do require a change request include: Any event known to require downtime by servers or networking devices accessed by customers Work on major electrical infrastructure supporting the Data Center, be it a power distribution unit, uninterruptible power source, or standby generator Work on a Data Center air handler, chiller, or other cooling component Any activity involving Data Center emergency power off controls Work on infrastructure within the network room where Data Center connections terminate. Change Request Essentials: Under change management, plans for upcoming activity in a Data Center are spelled out in a document called a change request. The requestor must explain the work that is to be done, justify why it needs to occur, provide specific start and end times, define what systems are to be affected, state potential risk by doing the work, and provide a plan to stop and return things to their prior condition in the event a problem occurs. Write change requests in plain language and include as much detail as possible. • • • Examples: Change request for infrastructure maintenance. Change request for a server repair. Change Request for Minor Electrical Infrastructure Changes. Example: Change request for a server repair. CHANGE TITLE: Replace faulty CPU on PRODSERV1 CHANGE REQUESTOR: Jane Systemadministrator NOTIFICATIONS: systemadministrators@company.com, clientgroup1@company.com CHANGE REQUEST ID#: 000002 START TIME: Tuesday, Aug-16-2005 14:00 STOP TIME: Tuesday, Aug-16-2005 16:00 HOSTS AFFECTED: PRODSERV1 APPLICATIONS AFFECTED: APP4, APP6, and APP8 DESCRIPTION OF ACTIVITY: PRODSERV1 has a faulty CPU that caused the machine to crash recently. We have arranged for the manufacturer to come out and replace the failed component. It will take about an hour to replace the CPU and boot the machine back up. Once this is done, we will confirm that the system is functioning normally. RISK ASSESSMENT: This work requires bringing PRODSERV1 offline, but no other hosts in the Data Center will be affected. BUSINESS BENEFIT: The new CPU will restore the server to its normal working condition and reliability. INSTALLATION IMPACT: The server will be off line while the CPU is replaced. Downtime for this event has been scheduled with the client group, so they are prepared to not have access to this machine and its applications for two hours. BACKOUT PLAN: If a replacement CPU is unavailable, this work will be postponed. NOTES: None. 1. 2. When to Make Changes: One approach is to conduct all work outside of traditional business hours. This has the advantage of eliminating intentional downtime during peak usage hours for customers. The main drawback of this approach is that it can significantly increase the labor costs for a project. Contractors for certain trades need to be paid time-and-a-half or even double-time to work late or weekend hours. If all Data Center activities are restricted to after business hours, company employees might also face long workdays during times of great activity. The second approach is performance of Data Center work during the regular business day. If a company has customers around the world, there aren't really any off hours during which downtime is more palatable. This approach has the benefit that, if something unexpected occurs during the work, the company's normal personnel are at the site and able to respond immediately. Employees might be harder to reach after business hours, potentially lengthening downtime that occurs. 1. the things that they aren't supposed to do: Don't Leave Trash in the Data Center: A clean Data Center can also reduce confusion and the loss of valuable items. Prohibit food and drink. Don't Steal Items or Infrastructure:. No one should take data ports, electrical receptacles, and other tools without permission. Don't String Cables Between Cabinets: Stringing cables between cabinets unintentionally binds them together. If someone needs to relocate one cabinet, they are unlikely to know that devices from other cabinets are tethered to it. When they move the cabinet, they can easily yank the connecting lines free and cause unexpected downtime. If cables crisscross among multiple cabinets, this can affect dozens of servers in a row. 2. If the cables that are strung to another cabinet are plugged in to the infrastructure at that second location, there is an additional danger of overloading the provided components. If the practice involves patch cords, the problem is simply one of occupying data ports that should be available. 3. Stringing cabling across cabinets leads to unanticipated vulnerabilities. The best way to prevent Data Center users from stringing cables between cabinets: is to make sure that an adequate amount of electrical receptacles and data ports are provided at each cabinet location and that anyone working in the room is thoroughly educated as to what is available. A fundamental way to protect both the Data Center itself and the servers and networking devices it hosts is equipment installed deliberately and strategically. That is, reduce exposure to accidental downtime by following good installation practices. Manage cabinet space: For example, If a server environment has limited floor space, servers should be installed as tightly as possible to maximize how many can fit in to cabinets. Finally, reserve space at the bottom of server cabinets for the largest devices. Putting the most weight at the bottom of a cabinet makes it more stable. This practice can also save a Data Center user's back, because it is easier to install or remove a bulky item that is closer to the ground than one that is at eye level or above. Properly Use Rack Units: No matter how you want to install equipment into server cabinets you need to understand how the screw holes on a cabinet's vertical rails are configured. The screw holes on most server cabinets and Data Center devices follow a deliberate pattern, an Electronic Industries Alliance (EIA)standard that delineates rack units. A rack unit is the measurement of installable space within a server cabinet. Figure. Screw Hole Pattern on a Cabinet Mounting Rail The Balance of Power: when you install multiple servers into a cabinet, don't plug all of their power cables into one power strip, Alternate between the two strips. When a server cabinet contains only servers with single power supplies, balancing power between its power strips reduces the number of devices that go off line in the event that a power strip, electrical receptacle, or power distribution unit fails. Only half of the servers can be affected when power cables alternate between power strips. Route Cabling Neatly: Threading cables—both patch cords and power cables—so that they are well organized and carefully arranged eases troubleshooting. When plugging a server in to cabinet power strips, connect them to the power strip outlets that are at the same height as the device. Plugging cords in to outlets that are significantly higher or lower leads to tangled cables. Label Thoroughly: is essential when equipment is inventoried and can greatly reduce the time it takes to find a machine's owner in the event of a problem. customers or employees might be interested in touring your server environments. Whatever the reason and whoever the guests, follow a handful of guidelines when conducting Data Center tours: Keep visitors together, preferably in main aisles— don’t allow people to wander throughout the room without supervision. Don't touch. Designate a demonstration area: If you consistently highlight certain Data Center features during a tour, consider creating a dedicated area to showcase these details. Use tacky mats: The mats are meant to stop dirt from being tracked in.