
Security Viewpoint: Are Your Systems Too Available?

Who has access to all your systems?

I often think like I'm paranoid. I get paid for it.

So when I think about availability, I can conjure up an amazing array of things that can go wrong. But, instead of discussing the many security-related aspects of your storage systems availability, let's talk about how your systems may be too available. That's right - too available.

When a man wearing a telephone company hard hat and a service belt comes to your offices, where is he permitted to go? Does he have free rein of your offices, including your NOC (Network Operations Center)? Can he get to the executive floor and repair phones unescorted? Does he have as much physical access as your employees, or less?

Just consider that the hacker magazine 2600 has their van painted almost identically to a Nynex phone truck. Can your receptionist tell the difference?

Faced with two people, both appearing to be from the telephone company, how do you know who is legitimate and who is a hacker, or perhaps from a competing company, an investigation firm...or maybe just a bad guy out to get you? What is your company's policy on letting in the phone man, the power company, or other utility employees? Where can they go? Do they require escorts? Think about how invisible people in well-recognized uniforms are. They are innocuous, in the background like waiters at a cocktail party. We don't notice them, yet there they are and most of us don't even take a second glance.

Do you let the electrician into your NOC or computer room without supervision? Can the telephone man go to the fifth floor phone room that happens to have a network computer with a floppy disk? What damage to your networks can be done from there? Could he, with the insider access he now has, install a network sniffer or install a Trojan horse?

Maybe we make our systems and NOCs a bit too available to those invisible people who are supposed to be providing those critical support services that allow our businesses to function flawlessly.

What compounds this potential for availability problems is poor physical network design. For example, too many companies put routers and other networking components into very convenient locations like telephone or electrical rooms, or basements near shipping/storage areas. Then, receptionists or other staff point the utility man to the utility door with nary a second thought - too much availability. The electrical and telco rooms of companies in industrial parks are often located for easy access from the parking lot, and some firms - I swear it's true - leave those doors unlocked for easy access. The trouble is key networking components are often located there, too.

Some of the more security-aware companies I deal with require an escort for all outsiders, no matter how official-looking they may be. The only (paranoid) problem here, though, is whether your physical guards understand what the technical people are doing.

Now, ask yourself the following question: What two groups of people have virtually unlimited access to your entire facility? The CEO? The chief information officer? Accounting? Think again. Most companies give unfettered access to their cleaning staffs and private security forces.

Question two: Who are the two lowest-paid groups at your company? You might think of yourself, but the right answer is again the cleaning staff and physical security guards. This has always seemed to me to be an oxymoron of security policy, behavior, and attitude: give the greatest physical access to the lowest rungs on the corporate ladder.

Sure, the cleaning crew is bonded...but what does that really mean? It means that no one on the cleaning crew has committed a crime - or more accurately, no one has been caught. And think about the amount of availability you give them to your offices, your development and technical areas, not to mention NOCs and computer centers. Unless, of course, your security awareness is such that you have them accompanied everywhere they go by...ah...are we thinking guards? Ahem. Is that double jeopardy?

Law enforcement agencies began discovering in the late '80s and early '90s that criminal organizations were getting their people hired into "bonded" maintenance and guard services. The goal was to gain total access to a company that they wanted to victimize. Now that's what I call a bit too much availability.

Solving this problem requires awareness on the part of top management, willingness to design and enforce an effective policy, and a healthy cooperative relationship with the entire company staff. There are several simple things that companies can initiate to lower the risks of too much access and availability by the wrong people. Here are a few thoughts.

  • Make your staff aware of the outsider problem.
  • Design and publicize an enforceable policy to your entire staff, contractors and visitors.
  • Use shredders for sensitive documents. Don't forget that the cleaning crews empty wastebaskets and take the contents with them. What is your staff throwing away without thinking of the consequences?
  • Passwords to company systems are never to be written down on keyboards, monitors, or under desk drawers. This must be vigilantly enforced at all times.
  • Rolodexes should be put away each night. They are a key source of proprietary company information.
  • Desk drawers should be locked when staff are not at their desks.
  • All sensitive files on proprietary company information, customers, and employees should not be left lying around. They should be stored in secure and locked file cabinets.
  • For those especially mission-critical areas of the company, a trusted (and better paid) escort should accompany cleaning crews and outside service personnel on their rounds.

The ultimate answer is trust, and some companies are turning to an approach that might be considered draconian by many people: psychological profiling. The concentration is on potential hires for key staff positions and for those to whom you will give high degrees of availability to your critical areas. What are their tendencies under ethical dilemmas? How would they behave in seemingly benign, but psychologically enlightening situations? Your human resources department can coordinate with local industrial psychologists who offer this kind of service, and then with corporate counsel to make sure that employee rights are respected. For those people who resent such profiling, maybe those are some of the very people you don't want in the first place.

Too much availability to critical network components is a real-world concern today. We need to trust our systems administrators to keep our networks going, and we have to make everything available to them to do their job. This is not an issue of trusting your staff; it's an issue of hiring people who can become trusted staff members.

This overlooked aspect of availability is being put on the table of many human resource departments by upper management, as they attempt to make sure their systems availability stays high, while also giving high degrees of availability to people they know little or nothing about. The bottom line is that making critical components of your infrastructure available to too many people, without proper controls in place, can endanger the availability of your systems when you need them most.

More Stories By Winn Schwartau

Winn Schwartau is one of the country's leading experts on information security, infrastructure protection and electronic privacy. He balances his time between writing, lecturing, teaching and building corporate and national security-awareness programs and consulting to multinational organizations and governments worldwide. He is president and founder of Interpact, Inc., The Security Awareness Company (www.thesecurityawarenesscompany.com).
