I’m wondering how to decide who gets access to our IT office, besides staff that come and go a lot (couriers, mailroom, etc)? Does anyone give full access to the C-suite folks (besides the CTO)?

10 Spice ups

Least privileged access means physical too. They don’t have a need to be there then they don’t get access. I don’t have a need to be in the C-suite area while controlling the badging system so I don’t have access to the C-Suite area until I need it.

10 Spice ups

We have a door, so most people first knock on it, and depending on who it is we let them in; if it is a user who comes to “complain”, we attend to them from there. Only some managers or VIPs enter. Outside of that, all other users usually communicate by email, Teams, or tickets.

6 Spice ups

What do you mean by IT office? Is it just an office space or are we talking about a data room/closet? Are there physical servers, switches and firewall in the office? Our office is extremely accessible as it is just an office with no hardware present other than our laptops, but the data rooms are much more closely regulated.

9 Spice ups

Ideally nobody except IT access IT spaces unless IT is currently there. In practice that’s rare. Here’s one reason why you need to control it. You come into work every day if you are in the office, go about your day and then go home. Do you check your desktop or back of your dock station to see if someone plugged in an inline keyboard USB logger? They could drop it in one night and collect it the next night, and you would never know, but now they have all of your credentials. While you may have MFA for cloud portals, odds are for access to internal systems you don’t. Someone with bad intentions could now do bad things, and audit logs will show it came from the IT department. Now you have both an employment and legal issue as you could possibly be fired and charged for damage to the company if you can’t prove you didn’t do it.

I have never had a situation where the CEO just wanted to come in without IT being there. Most of them know better. Now from the practical perspective, I’ve worked places where it was an open floor plan and IT was on the floor with everyone else and anyone and everyone could just walk through their area. I’ve also worked places where the main breaker panel for that section of the building was in the server room, and buildings and grounds had to have access to that 24/7. I’ve worked places where servers were in an alcove outside of accounting, so technically accounting had physical access, but so did the cleaning crew as they had a key to get in there and clean at night. I’ve worked places where IT had a dedicated space with a door, and we’d leave it open while we were in there and people could come in and close it if all of us were out of the space.

So there’s what you would ideally like and what you can actually have. In my current situation, the infrastructure team is remote, servers are in a data center and Azure, and in the one place they are on site they are in a controlled room that non-IT people do not have access to. That’s about as ideal as you can get there. This will not describe most people’s situation or even most of the jobs I’ve worked in.

Clean desk policy is a must in a shared or insecure space. Don’t leave sensitive things out on your desk. You should have locking drawers on your desk so that you can secure things when you are not there. You should have locking equipment cabinets. People helping themselves to IT items is a very common thing.

11 Spice ups

This is why we have a door. When no one is inside, we close that door; every IT member has a key to open it, and only they know which key it is. Maybe not the best practice, but it works.

At my previous job, we had a Samsung Digital Smart Lock, so only IT knew the PIN code to access the servers and site.

1 Spice up

When I worked IT support for the country’s police force, it was very much like it should be: no one in spaces with IT equipment unless authorized personnel gave access and the individual had a purpose being there.
It was quite a shock going from that to a small-to-medium private company where the print room is also the server room and office supplies storage :joy:

1 Spice up

Even better when you go back to the server area and find a random employee standing behind your servers looking at all the wiring. Been there, done that in a previous life.

3 Spice ups

I really liked the way that it worked at a previous job. The IT space was separated into 3 separate sections with increasing security.

Section A was the helpdesk area and had a sort-of “drive-thru” window that folks could walk up to for service, but was still kept locked so that only folks with a key card could enter (IT, Maintenance, C-suite, and special trusted folks in each department who helped triage the easy tech issues for their team).

Section B was behind another locked door inside of section A so that only further privileged folks could get in (Sysadmins, IT managers, & CIO, but maintenance could still get in as well.)

Section C was in a glass fortress between the two so that anyone in IT could see if someone was in there. It was the datacenter. Obviously much more highly regulated and logged, and an even further restricted list of folks were allowed in.

Of course building out such a setup was extremely expensive, and not reasonable for most businesses, but it was great… Until leadership changed and decided we didn’t need that level of physical security, and started putting non-IT folks in Section B…

Here’s a very advanced rendering of a similar setup:

This isn’t exactly what we had, the layout was a bit different, orientations were different, etc. and we also had emergency exits in each section as well as a back entrance for section B, but hopefully it gets the idea across well enough for the 30 seconds of work I put into it. :joy:

EDIT: Why didn’t anyone tell me that PAINT HAS LAYERS NOW?!

7 Spice ups

Let me put on the fridge door

5 Spice ups

If they don’t need to be in there, they don’t go in there. Period. It’s just like any other office - would you let people wander in and out of your CEO’s office as they please?

2 Spice ups

Through the years, I’ve seen so many different implementations of IT work space, varying with different industries. However, I would have to say my current IT office is ideal as our District Superintendent (I now work in the educational sector) decided that no district staff, including IT, would be housed inside the individual school buildings. Therefore, we are now in our own building and about 5 miles away from the rest of the District staff, not to even mention the schools we support. I usually have to drive about 20 minutes, in a company vehicle, to reach the schools I support. Life is good! :sunglasses:

5 Spice ups

Shhhhh!!!

I have not completed my Smurf collection yet…

1 Spice up

The manager that is responsible for the area should get to decide. Users should request access (I am assuming that a badge system or something similar is used), and the manager responsible for the area should sign off. This should be the same for ANY area, not just IT.

Then on at least a yearly basis, all access should be reviewed and re-authorized.

1 Spice up
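The request-and-sign-off process plus the yearly re-authorization described in the post above can be checked mechanically against a badge-system export. The following is an added example, not code from the original thread or from any badge product; the grant schema, the area-to-owner mapping and the sample grants are all constructed for illustration.

```python
"""Periodic physical-access review (added example; schema and data are constructed).

Models the process described in the post: each area has an owning manager who
must sign off on grants, and every grant must be re-authorized at least yearly.
"""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_PERIOD = timedelta(days=365)

# Hypothetical mapping of badge-controlled areas to the manager who owns them.
AREA_OWNERS = {
    "IT office": "cto",
    "Server room": "cto",
    "Finance": "cfo",
}


@dataclass(frozen=True)
class Grant:
    badge_id: str
    area: str
    approved_by: str      # who signed off on the access request
    last_reviewed: date   # date of the grant or of its last re-authorization


def review_grants(grants, today, owners=AREA_OWNERS, period=REVIEW_PERIOD):
    """Return (unauthorized, overdue).

    unauthorized: grants not approved by the area's owning manager, or for an
                  area that has no owner on file (nobody can legitimately sign off)
    overdue:      grants whose last review is older than the review period
    """
    unauthorized = []
    overdue = []
    for g in grants:
        owner = owners.get(g.area)
        if owner is None or g.approved_by != owner:
            unauthorized.append(g)
        if today - g.last_reviewed > period:
            overdue.append(g)
    return unauthorized, overdue


# Constructed sample export from a badge system.
SAMPLE_GRANTS = [
    Grant("B1001", "IT office", "cto", date(2024, 3, 1)),
    Grant("B1002", "IT office", "facilities", date(2024, 3, 1)),  # wrong approver
    Grant("B1003", "Server room", "cto", date(2022, 11, 15)),     # never re-reviewed
    Grant("B1004", "Finance", "cfo", date(2024, 9, 20)),
    Grant("B1005", "Loading dock", "cto", date(2024, 9, 20)),     # area with no owner on file
]


def sample_report(today=date(2025, 1, 10)):
    """Run the review over the constructed export and return sorted badge ids."""
    unauthorized, overdue = review_grants(SAMPLE_GRANTS, today)
    return (sorted(g.badge_id for g in unauthorized),
            sorted(g.badge_id for g in overdue))


if __name__ == "__main__":
    bad, late = sample_report()
    print("needs owner sign-off:", bad)
    print("needs re-authorization:", late)
```

Running the review on a real export means feeding `review_grants` the badge system's grant list and the organization's current area-owner mapping; anything in the first list should be revoked or re-approved by the right manager, and anything in the second list goes back to that manager for re-authorization.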

You’ve definitely got to perform a security analysis of your site and personnel. Here’s a good resource for that task. I’d say generally speaking the need is very limited, usually only critical IT staff, and then the Owner or Building Manager. Aside from those two, there’s really no reason anyone needs access to IT spaces/equipment at all.

1 Spice up

At my current place I am in the main office, though all the infrastructure is in a room locked with a code lock that only I know (I’m the only one on site) and a manager who is in Coventry. When in a school we were stuck in with janitorial/cleaning staff, but everything else was locked in a room in an IT suite that required a physical key and a code for the other lock, which only IT knew.
When at Amazon it was only IT and anyone L9 or above allowed to scan in to the IT cage; there was one L9 on site and he didn’t come in unless he had made us aware. Though he did not have access to the infrastructure or any of the IDFs. Cage access was used by him to pop in and have a chat and a laugh. Same man had a laptop with half the keys missing but would not have a new one as he didn’t want to be a pain for IT. Access was granted by the security team and they refused anyone who asked for it if they weren’t L9. Two cameras overhead also monitored the cage.
Prior to that everywhere has had infrastructure in a locked/coded room and IT in general office space.

Yup - our server “room” is the cupboard in the corner of the main office.
But - with a smaller company, we have fewer staff and I’m as content as I can be that we can trust them.
Previous job was with the council - all sections (housing/planning etc.) were behind a swipe card - servers in a server suite - general IT didn’t have access to that either.

I work for county government and the only people who have key access to our IT office are the IT employees and the county administrator who oversees all county employees. Everyone else has to knock.

1 Spice up
  1. Coded door lock. Only authorized IT staff have a code.
  2. Camera either in the office, or at the doorway.
  3. Log book to sign in and out of when any unauthorized employee or vendor enters the office.
  4. Users/vendors that are not authorized that are allowed into the office, should be accompanied by an IT staff member at all times.
  5. Any time an IT staff member is not in the office, the door should be closed and locked (self closing/locking door).
  6. Workstations/servers should be locked when not in use.

You can never be too careful. If nothing else there is probably sensitive information out on desks during the workday that unauthorized employees should not see or have the opportunity to abscond with.

3 Spice ups

Where I work, the CEO is FINE with people wandering into his office…they do it all the time.