Data Centre Security Presented by: M. Javed Wadood Managing Director (MEA)
Data Centre Security
Presented by:
M. Javed Wadood
Managing Director (MEA)
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e EPI – history and global locations
UK origin, 1987
UK origin, 1987
Singapore office, 1999 Singapore
office, 1999
9 EPI offices worldwide
9 EPI offices worldwide
Global partner network spanning 60+ countries, 130+ cities
Global partner network spanning 60+ countries, 130+ cities
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e EPI is a Data Centre Expert company
• EPI offers and extensive range of expert data centre services
• We do evaluation and validation of data centre plans to make sure they are designed to meet the business requirements or industry standards
• We do data centre audits and certifications to the standards in the industry
• We design and write data centre training programs from our hands-on experience
design evaluation
and validation
audits and
certification
professional training
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e
Some of Our Customers
They trust us, So can you!
Some of Our Customers
They trust us, So can you!
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Agenda
• The data centre
• Data centre standards addressing security
• Security set-up at the physical level
• Controls for securing the perimeter
• Controls for the facility
• Why security fails
• Process controls
• Monitor, review and improve
• Audit and control
• Training
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e What is a data centre
• According to Gartner: the data centre is the
department in an enterprise that houses and
maintains back-end information technology (IT)
systems and data stores, its mainframes,
servers and databases.
• The data centre is supported by a physical
facility and a utility infrastructure such as
power, cooling, water, physical network
infrastructure, fire
suppression
systems, etc.
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Data centre – supporting areas
• Common supporting areas:
– Network Operations Center (NOC)
– Security room
– UPS (Uninterruptable Power Supply) room
– Battery room
– Gen Set area
– Staging area
– Holding area
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Data centre standards
• Standards and guidelines supporting data centre’s in implementing information security, with emphasis on physical security and access controls:
– ANSI/TIA-942
• Specifies physical controls depending on Rated/Rating
level required
– DCOS 2016
• Specifies operational controls required for certification
• Maturity level based
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Perimeter controls
• Fence / wall / moat
• Visible intrusion detection systems
• Visible signs
• Guard house
• Boom barrier
• Security guards
• Security dogs
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e
• CCTV (Closed-Circuit Television) cameras installation to monitor the following:
– All entrances into and exits of the premises
– All entrances and exits of restricted facility areas
– Areas immediately surrounding the perimeter of the premises.
– Perimeter fences and/or walls of the premises
– Areas between perimeter fence and/or wall and buildings within the premises.
– Areas supporting the facility that may fall outside the perimeter.
Perimeter control – CCTV cameras
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Facility controls
• Cages • Mantraps • CCTV Cameras • Door control
– Key lock – Electronic lock
• Card reader • Security code • Biometrics
• Equipment control – Computer racks – Power Distribution Unit (PDU) – Computer Room Air-Conditioner (CRAC)
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Why security fails
• Possible causes of why security fails in data centres:
– Human error
– Lack of process
environment.
– Lack of training
– Low awareness level
– Budget limitations
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Process controls – security patrol
• Security guards need to be appropriately dressed
• Should have tools / equipment which is in good working conditions such to be inspected before going on patrol:
– Radio (Walky-Talky)
• Proper channel setting
• Charged battery
– Torch light with full battery
– Arms (where allowed and required)
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Process controls – security patrol
• The facility should be inspected on a periodic basis, covering the following:
– All entrances and exits from the perimeter
– Areas immediately surrounding the perimeter of the
premises.
– Perimeter fences and or wall of the premises
– Any used and unused side entrance of buildings
– All restricted areas outside and inside the building
– Areas supporting the facility that may fall outside the perimeter (where applicable and feasible).
– Lifts / Emergency paths
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Process controls – security patrol
• Patrol scheduling:
– Round the clock
– Different routes
– Different start times
• Focus more on the night patrol
• Use call home / heart beat principal
• Activate response procedure upon detection of a security breach.
• Follow pre-defined checklists
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Process controls – security patrol
• Checklist should include door number, location and items to be inspected:
– Time stamp and signature at every checkpoint
• Electronic clocking devices
– Camera in working condition
• Verify with security command room
– Physical testing of doors
• Door open test
– Taking photographs of any suspicious matters
– Inspection of equipment such as fire panel, water leak
panel, cooling systems etc.
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Process controls – holding area
• Delivery and loading areas should be controlled and isolated from information processing facilities to avoid unauthorized access.
• The holding area should be designed like a buffer zone, allowing delivery staff to unload materials without gaining access to other areas of the building.
• During opening hours, the holding area should be manned with a security guard overseeing all activities.
• The holding area is supervised on a 24x7 basis, having CCTV cameras installed covering all angles of the area.
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Process controls – holding area
• The external door should be secured/closed when the internal door is open
• Incoming items should be accounted for
• Incoming items should be inspected for potential hazards before movement into the building
• Incoming items should be inspected for eaves dropping devices
• Incoming items should be registered
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Process controls – vehicle control
• All vehicles which are allowed inside the perimeter need to be pre-registered depending on the individual: – Staff
– Vendor / contractor
– Public transport / visitors / customers
• Vehicle registration should include at the minimum: – Owner and driver name
– Type of vehicle
– Make and model
– Color
– Registration / license plate
– Any special marks
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Process controls – vehicle control
• Security personnel need to verify registered details before allowing entry inside the perimeter.
• All compartments of the vehicle must be opened.
• Scan under the vehicle
• For highly secure facilities additional equipment might be utilized such as explosive sniffers, metal detectors etc.
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Process controls – individual control
• Physical access control is based on two principals
– Personnel categories
– Security zones
• Personnel categories
– Internal staff
– External staff (same organization)
– Vendors / contractors
– Visitors
– Customers
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e
• To control physical security in the data centre, different security zones may exist:
– Common (public) facility
• Areas/rooms used by all personnel and not subject to any
internal security restrictions.
– Restricted areas
• Areas/rooms housing key equipment such as UPS systems, air-
conditioners and batteries.
– Highly secure area
• Areas such as the computer and media storage room
Process controls – individual control
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Process controls – individual control
• All individuals should be authenticated / authorized on accessing the perimeter.
• All non-staff individuals should sign in and present a valid identification document.
• Security personnel performs countercheck
• Inspection of incoming items if applicable
• If clearance is given, a badge should be assigned (if applicable) based on the category of the visitor.
• Visitors to be escorted to designated supervised waiting area to be collected by internal staff.
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Process controls – individual control
• Internal staff verifies presence of badge and worn visibly by the visitor.
• Contractors on site for a predetermined period of time are restricted to only areas/rooms designated to accomplish authorized tasks.
• External staff working in restricted areas should be physically supervised.
• Inspection of incoming/outgoing items
• A log is maintained for all restricted areas
• A key management system is maintained for all restricted facility areas.
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Process controls – general rules
• It is recommended to impose restrictions for secure areas:
– Prohibition of smoking
– Prohibition of foods and drinks
– Conditions for the use of devices generating radio frequency, such as wireless devices and mobile
phones, near sensitive equipment/copper network cabling
– Conditions for the use of storage and photo taking devices, such as cameras (including mobile phones),
PDAs (Personal Digital Assistant), USB drives and other similar devices.
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Monitor, review and improve
• Security policies and measures need continuous monitoring, review and improvement.
• Security incidents need to be reviewed and immediate action needs to be taken to ensure that in the future no similar incidents will occur.
• At least once a year a full review is required
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Monitor, review and improve
• A security incident response process should exist to address security breaches and potential weaknesses:
– Detection of security incidents
– Reporting and logging of security incidents
– Logging the response and the corrective/preventive action taken.
– Periodic evaluation of all information security incidents
– Improvements to further reinforce the security infrastructure.
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Monitor, review and improve
• Information that can be recorded during security incident response:
– Date and time of event
– By whom reported
– Location where the incident occurred
– Sensitivity level
– Affected areas
– Detailed description of the event
– Corrective action taken
– Details of loss, damage or destruction
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Audit and control
• Audit and review needs to take place on a regular basis:
– Internal audits
• Readiness approach
• Maintenance of management system
– External audits
• Mandatory compliance with regulations and standards
• Voluntary conformance with standards
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e ANSI/TIA-942 - DCOS
• ANSI/TIA-942
– Focus on design (validation) and build (certification)
– Covers all facility related matters of the data center
• Telecommunication
• Electrical
• Architectural
• Mechanical (includes; security, safety, fire suppression etc.)
• DCOS (Data Centre Operations Standard)
– Focus on operations (certification)
– Progressive standard covering 11 disciplines
(security management included)
– Maturity level based
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Audit
• Type of audit
– Certification (1st year)
– Surveillance (2nd and 3rd year)
– Re-certification (4th year)
• Potential audit results
– Conform (ANSI/TIA-942) / Maturity level (DCOS)
– AOI (Area Of Improvement) (ANSI/TIA-942)
– CAT 2 ( Category 2) (ANSI/TIA-942)
– CAT 1 (Category 1) (ANSI/TIA-942)
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e Training
• Continuous training of staff is recommended to maintain the corporate information security baseline
• EPI courses which amongst other topics addresses all layers of security: – CDCP (Certified Data Centre Professional)
– CDCS (Certified Data Centre Specialist)
– CDFOM (Certified Data Centre Facilities Operations Manager)
– CITP (Certified Information Technology Professional)
– CITS (Certified Information Technology Specialist)
– CITE (Certified Information Technology Expert)
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e
Questions ?
Copyright 2017
B
rin
gin
g C
yber
Se
curi
ty t
o D
ata
Ce
ntr
e
M. Javed Wadood
[email protected] www.epi-ap.com