Data Centre Security Presented by: M. Javed Wadood Managing Director (MEA)
EPI history and global locations UK origin, 1987 Singapore office, 1999 9 EPI offices worldwide Global partner network spanning 60+ countries, 130+ cities
EPI is a Data Centre Expert company design evaluation and validation audits and certification professional training EPI offers and extensive range of expert data centre services We do evaluation and validation of data centre plans to make sure they are designed to meet the business requirements or industry standards We do data centre audits and certifications to the standards in the industry We design and write data centre training programs from our hands-on experience
Bringing Cyber Security to Data Centre Some of Our Customers They trust us, So can you!
Agenda The data centre Data centre standards addressing security Security set-up at the physical level Controls for securing the perimeter Controls for the facility Why security fails Process controls Monitor, review and improve Audit and control Training
What is a data centre According to Gartner: the data centre is the department in an enterprise that houses and maintains back-end information technology (IT) systems and data stores, its mainframes, servers and databases. The data centre is supported by a physical facility and a utility infrastructure such as power, cooling, water, physical network infrastructure, fire suppression systems, etc.
Data centre supporting areas Common supporting areas: Network Operations Center (NOC) Security room UPS (Uninterruptable Power Supply) room Battery room Gen Set area Staging area Holding area
Data centre standards Standards and guidelines supporting data centre s in implementing information security, with emphasis on physical security and access controls: ANSI/TIA-942 Specifies physical controls depending on Rated/Rating level required DCOS 2016 Specifies operational controls required for certification Maturity level based
Perimeter controls Fence / wall / moat Visible intrusion detection systems Visible signs Guard house Boom barrier Security guards Security dogs
Perimeter control CCTV cameras CCTV (Closed-Circuit Television) cameras installation to monitor the following: All entrances into and exits of the premises All entrances and exits of restricted facility areas Areas immediately surrounding the perimeter of the premises. Perimeter fences and/or walls of the premises Areas between perimeter fence and/or wall and buildings within the premises. Areas supporting the facility that may fall outside the perimeter.
Facility controls Cages Mantraps CCTV Cameras Door control Key lock Electronic lock Card reader Security code Biometrics Equipment control Computer racks Power Distribution Unit (PDU) Computer Room Air-Conditioner (CRAC)
Why security fails Possible causes of why security fails in data centres: Human error Lack of process environment. Lack of training Low awareness level Budget limitations
Process controls security patrol Security guards need to be appropriately dressed Should have tools / equipment which is in good working conditions such to be inspected before going on patrol: Radio (Walky-Talky) Proper channel setting Charged battery Torch light with full battery Arms (where allowed and required)
Process controls security patrol The facility should be inspected on a periodic basis, covering the following: All entrances and exits from the perimeter Areas immediately surrounding the perimeter of the premises. Perimeter fences and or wall of the premises Any used and unused side entrance of buildings All restricted areas outside and inside the building Areas supporting the facility that may fall outside the perimeter (where applicable and feasible). Lifts / Emergency paths
Process controls security patrol Patrol scheduling: Round the clock Different routes Different start times Focus more on the night patrol Use call home / heart beat principal Activate response procedure upon detection of a security breach. Follow pre-defined checklists
Process controls security patrol Checklist should include door number, location and items to be inspected: Time stamp and signature at every checkpoint Electronic clocking devices Camera in working condition Verify with security command room Physical testing of doors Door open test Taking photographs of any suspicious matters Inspection of equipment such as fire panel, water leak panel, cooling systems etc.
Process controls holding area Delivery and loading areas should be controlled and isolated from information processing facilities to avoid unauthorized access. The holding area should be designed like a buffer zone, allowing delivery staff to unload materials without gaining access to other areas of the building. During opening hours, the holding area should be manned with a security guard overseeing all activities. The holding area is supervised on a 24x7 basis, having CCTV cameras installed covering all angles of the area.
Process controls holding area The external door should be secured/closed when the internal door is open Incoming items should be accounted for Incoming items should be inspected for potential hazards before movement into the building Incoming items should be inspected for eaves dropping devices Incoming items should be registered
Process controls vehicle control All vehicles which are allowed inside the perimeter need to be pre-registered depending on the individual: Staff Vendor / contractor Public transport / visitors / customers Vehicle registration should include at the minimum: Owner and driver name Type of vehicle Make and model Color Registration / license plate Any special marks
Process controls vehicle control Security personnel need to verify registered details before allowing entry inside the perimeter. All compartments of the vehicle must be opened. Scan under the vehicle For highly secure facilities additional equipment might be utilized such as explosive sniffers, metal detectors etc.
Process controls individual control Physical access control is based on two principals Personnel categories Security zones Personnel categories Internal staff External staff (same organization) Vendors / contractors Visitors Customers
Process controls individual control To control physical security in the data centre, different security zones may exist: Common (public) facility Areas/rooms used by all personnel and not subject to any internal security restrictions. Restricted areas Areas/rooms housing key equipment such as UPS systems, airconditioners and batteries. Highly secure area Areas such as the computer and media storage room
Process controls individual control All individuals should be authenticated / authorized on accessing the perimeter. All non-staff individuals should sign in and present a valid identification document. Security personnel performs countercheck Inspection of incoming items if applicable If clearance is given, a badge should be assigned (if applicable) based on the category of the visitor. Visitors to be escorted to designated supervised waiting area to be collected by internal staff.
Process controls individual control Internal staff verifies presence of badge and worn visibly by the visitor. Contractors on site for a predetermined period of time are restricted to only areas/rooms designated to accomplish authorized tasks. External staff working in restricted areas should be physically supervised. Inspection of incoming/outgoing items A log is maintained for all restricted areas A key management system is maintained for all restricted facility areas.
Process controls general rules It is recommended to impose restrictions for secure areas: Prohibition of smoking Prohibition of foods and drinks Conditions for the use of devices generating radio frequency, such as wireless devices and mobile phones, near sensitive equipment/copper network cabling Conditions for the use of storage and photo taking devices, such as cameras (including mobile phones), PDAs (Personal Digital Assistant), USB drives and other similar devices.
Monitor, review and improve Security policies and measures need continuous monitoring, review and improvement. Security incidents need to be reviewed and immediate action needs to be taken to ensure that in the future no similar incidents will occur. At least once a year a full review is required
Monitor, review and improve A security incident response process should exist to address security breaches and potential weaknesses: Detection of security incidents Reporting and logging of security incidents Logging the response and the corrective/preventive action taken. Periodic evaluation of all information security incidents Improvements to further reinforce the security infrastructure.
Monitor, review and improve Information that can be recorded during security incident response: Date and time of event By whom reported Location where the incident occurred Sensitivity level Affected areas Detailed description of the event Corrective action taken Details of loss, damage or destruction
Audit and control Audit and review needs to take place on a regular basis: Internal audits Readiness approach Maintenance of management system External audits Mandatory compliance with regulations and standards Voluntary conformance with standards
ANSI/TIA-942 - DCOS ANSI/TIA-942 Focus on design (validation) and build (certification) Covers all facility related matters of the data center Telecommunication Electrical Architectural Mechanical (includes; security, safety, fire suppression etc.) DCOS (Data Centre Operations Standard) Focus on operations (certification) Progressive standard covering 11 disciplines (security management included) Maturity level based
Audit Type of audit Certification (1 st year) Surveillance (2 nd and 3 rd year) Re-certification (4 th year) Potential audit results Conform (ANSI/TIA-942) / Maturity level (DCOS) AOI (Area Of Improvement) (ANSI/TIA-942) CAT 2 ( Category 2) (ANSI/TIA-942) CAT 1 (Category 1) (ANSI/TIA-942)
Training Continuous training of staff is recommended to maintain the corporate information security baseline EPI courses which amongst other topics addresses all layers of security: CDCP (Certified Data Centre Professional) CDCS (Certified Data Centre Specialist) CDFOM (Certified Data Centre Facilities Operations Manager) CITP (Certified Information Technology Professional) CITS (Certified Information Technology Specialist) CITE (Certified Information Technology Expert)
Questions?
M. Javed Wadood javed@epi-ap.com www.epi-ap.com