Physical Security
Datacenters hold sensitive and crucial information and services. Software-based protection on your servers becomes far less effective or even useless as soon as an attacker can gain physical access to the hardware. Even though you do not have your own Datacenters and are renting space or even just Infrastructure as a Service, always check how the physical security is arranged and if it fits your security policy.
If you host Veeam Backup for Microsoft 365 systems and repositories in a cloud environment, make yourself familiar with the providers security standards and make sure they align to your requirements.
Role Based Access Controls on a physical level
If you host Veeam Backup for Microsoft 365 systems in your own physical location, make sure that anyone that is authorized to enter the datacenter can only access those parts they are entitled to. Follow the principle of least privilege, give people the correct rights to do their job properly, nothing more, nothing less. For example, an UPS and generator engineer does not need access to any of the racks in the datacenter and a Compute engineer should not have access to the UPS and generators. This can be very easily done, for example by locking racks (see below) or supervising any intervention in the datacenter.
Screening
An important part of a layered security defence is always knowing who entered the Datacenter and that access is being logged. Make sure people are screened before they become an authorized person to access the datacenter.
Tailgating
Prevent tailgating and unauthorized access by enforcing CCTV monitored airlock doors.
Surveillance
It is crucial to protect a data center from external threats and attacks and to make sure only authorized personnel has access to the areas where they need to be. Monitor for suspicious activity using footage from surveillance cameras (CCTV) installed along the outside perimeter but also inside the datacenter.
Multi-factor authentication
Use multi-factor authentication at the physical level. MFA should combine at least two factors including something the user knows (PIN, password…), something the user is (fingerprints, retina…), something the user has (Security token, Key, Key Card…).
Equipment Racks
By placing and using locks on racks you can shrink the physical security domain from the whole datacenter to a single rack. By smartly placing the different hardware components and their specific roles in different racks you can enable RBAC rights to that particular security domain. For example, do not place the Veeam Repositories in the same racks as the production storage or the hypervisor hardware.
Embedded electronic security
Security on a chip mechanisms can be leveraged to enhance the protection against the risks of compromission of your systems and the risk of data theft. Trusted Platform Module cryptoprocessors can be used to encrypt data on disks making it unusable in case of physical theft, as well as ensuring the integrity of the platform, preventing any unexpected code from being loaded at boot time for example.
Response
People should be trained to alert and respond properly in the case of a physical intrusion or intrusion attempt. Awareness of relevant procedures is key and anyone onsite should know how to react properly for any incident to be taken into account with shortest delays and maximum security.