Data Centre Security Presented by: M. Javed Wadood Managing Director (MEA)

Mar 06, 2018


Copyright 2017

Bringing Cyber Security to Data Centre

EPI – history and global locations

UK origin, 1987

Singapore office, 1999

9 EPI offices worldwide

Global partner network spanning 60+ countries, 130+ cities

EPI is a Data Centre Expert company

• EPI offers an extensive range of expert data centre services

• We do evaluation and validation of data centre plans to make sure they are designed to meet the business requirements or industry standards

• We do data centre audits and certifications to the standards in the industry

• We design and write data centre training programs from our hands-on experience

design evaluation and validation

audits and certification

professional training

Some of Our Customers

They trust us, so can you!

Agenda

• The data centre

• Data centre standards addressing security

• Security set-up at the physical level

• Controls for securing the perimeter

• Controls for the facility

• Why security fails

• Process controls

• Monitor, review and improve

• Audit and control

• Training

What is a data centre

• According to Gartner: the data centre is the department in an enterprise that houses and maintains back-end information technology (IT) systems and data stores, its mainframes, servers and databases.

• The data centre is supported by a physical facility and a utility infrastructure such as power, cooling, water, physical network infrastructure, fire suppression systems, etc.

Data centre – supporting areas

• Common supporting areas:

– Network Operations Center (NOC)

– Security room

– UPS (Uninterruptible Power Supply) room

– Battery room

– Gen Set area

– Staging area

– Holding area

Data centre standards

• Standards and guidelines supporting data centres in implementing information security, with emphasis on physical security and access controls:

– ANSI/TIA-942

• Specifies physical controls depending on Rated/Rating level required

– DCOS 2016

• Specifies operational controls required for certification

• Maturity level based

Perimeter controls

• Fence / wall / moat

• Visible intrusion detection systems

• Visible signs

• Guard house

• Boom barrier

• Security guards

• Security dogs

Perimeter control – CCTV cameras

• CCTV (Closed-Circuit Television) cameras installed to monitor the following:

– All entrances into and exits of the premises

– All entrances and exits of restricted facility areas

– Areas immediately surrounding the perimeter of the premises

– Perimeter fences and/or walls of the premises

– Areas between perimeter fence and/or wall and buildings within the premises

– Areas supporting the facility that may fall outside the perimeter

Facility controls

• Cages

• Mantraps

• CCTV Cameras

• Door control

– Key lock

– Electronic lock

• Card reader

• Security code

• Biometrics

• Equipment control

– Computer racks

– Power Distribution Unit (PDU)

– Computer Room Air-Conditioner (CRAC)

Why security fails

• Possible causes of why security fails in data centres:

– Human error

– Lack of process

environment.

– Lack of training

– Low awareness level

– Budget limitations

Process controls – security patrol

• Security guards need to be appropriately dressed

• Should carry tools / equipment in good working condition, inspected before going on patrol:

– Radio (Walkie-Talkie)

• Proper channel setting

• Charged battery

– Torch light with full battery

– Arms (where allowed and required)

Process controls – security patrol

• The facility should be inspected on a periodic basis, covering the following:

– All entrances and exits from the perimeter

– Areas immediately surrounding the perimeter of the premises.

– Perimeter fences and/or walls of the premises

– Any used and unused side entrance of buildings

– All restricted areas outside and inside the building

– Areas supporting the facility that may fall outside the perimeter (where applicable and feasible).

– Lifts / Emergency paths

Process controls – security patrol

• Patrol scheduling:

– Round the clock

– Different routes

– Different start times

• Focus more on the night patrol

• Use call home / heartbeat principle

• Activate response procedure upon detection of a security breach.

• Follow pre-defined checklists

Process controls – security patrol

• Checklist should include door number, location and items to be inspected:

– Time stamp and signature at every checkpoint

• Electronic clocking devices

– Camera in working condition

• Verify with security command room

– Physical testing of doors

• Door open test

– Taking photographs of any suspicious matters

– Inspection of equipment such as fire panel, water leak panel, cooling systems etc.
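The patrol controls on the preceding slides (varied routes, a time stamp at every checkpoint from an electronic clocking device, and the call home / heartbeat principle) lend themselves to an automated review of the clocking log. The Python sketch below is an added example, not part of the original presentation; the checkpoint names, the 15-minute heartbeat interval, the log format and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy values, chosen for illustration (not from the presentation).
HEARTBEAT_INTERVAL = timedelta(minutes=15)  # longest allowed silence on patrol
REQUIRED_CHECKPOINTS = {"main-gate", "perimeter-north", "loading-dock",
                        "ups-room", "emergency-exit"}

# Constructed sample export from an electronic clocking device:
# ISO timestamp, guard id, checkpoint name.
SAMPLE_LOG = """\
2024-01-10T22:00:00,G1,main-gate
2024-01-10T22:10:00,G1,perimeter-north
2024-01-10T22:40:00,G1,loading-dock
2024-01-10T22:50:00,G1,ups-room
""".splitlines()


def parse_clocking_log(lines):
    """Turn 'timestamp,guard,checkpoint' lines into time-ordered tuples."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, guard, checkpoint = (field.strip() for field in line.split(","))
        events.append((datetime.fromisoformat(ts), guard, checkpoint))
    return sorted(events)


def review_patrol(events, patrol_start, patrol_end):
    """List heartbeat gaps and required checkpoints that were never clocked."""
    findings = []
    last_seen = patrol_start
    # Treat the end of the patrol as a final expected check-in.
    for ts in [e[0] for e in events] + [patrol_end]:
        if ts - last_seen > HEARTBEAT_INTERVAL:
            findings.append(("missed-heartbeat", last_seen, ts))
        last_seen = ts
    visited = {checkpoint for _, _, checkpoint in events}
    for checkpoint in sorted(REQUIRED_CHECKPOINTS - visited):
        findings.append(("checkpoint-not-clocked", checkpoint, None))
    return findings


def same_route(patrol_a, patrol_b):
    """True when two patrols clocked checkpoints in the same order."""
    return [e[2] for e in patrol_a] == [e[2] for e in patrol_b]


if __name__ == "__main__":
    patrol = parse_clocking_log(SAMPLE_LOG)
    start = datetime(2024, 1, 10, 22, 0)
    end = datetime(2024, 1, 10, 23, 0)
    for finding in review_patrol(patrol, start, end):
        print(finding)  # each finding should trigger the response procedure
    print("route repeated:", same_route(patrol, patrol))
```

Comparing consecutive patrols with `same_route` flags a predictable route, which the scheduling slide asks to avoid.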

Process controls – holding area

• Delivery and loading areas should be controlled and isolated from information processing facilities to avoid unauthorized access.

• The holding area should be designed like a buffer zone, allowing delivery staff to unload materials without gaining access to other areas of the building.

• During opening hours, the holding area should be manned with a security guard overseeing all activities.

• The holding area is supervised on a 24x7 basis, having CCTV cameras installed covering all angles of the area.

Process controls – holding area

• The external door should be secured/closed when the internal door is open

• Incoming items should be accounted for

• Incoming items should be inspected for potential hazards before movement into the building

• Incoming items should be inspected for eavesdropping devices

• Incoming items should be registered

Process controls – vehicle control

• All vehicles which are allowed inside the perimeter need to be pre-registered depending on the individual:

– Staff

– Vendor / contractor

– Public transport / visitors / customers

• Vehicle registration should include at the minimum:

– Owner and driver name

– Type of vehicle

– Make and model

– Color

– Registration / license plate

– Any special marks

Process controls – vehicle control

• Security personnel need to verify registered details before allowing entry inside the perimeter.

• All compartments of the vehicle must be opened.

• Scan under the vehicle

• For highly secure facilities additional equipment might be utilized such as explosive sniffers, metal detectors etc.

Process controls – individual control

• Physical access control is based on two principles

– Personnel categories

– Security zones

• Personnel categories

– Internal staff

– External staff (same organization)

– Vendors / contractors

– Visitors

– Customers

Process controls – individual control

• To control physical security in the data centre, different security zones may exist:

– Common (public) facility

• Areas/rooms used by all personnel and not subject to any internal security restrictions.

– Restricted areas

• Areas/rooms housing key equipment such as UPS systems, air-conditioners and batteries.

– Highly secure area

• Areas such as the computer and media storage room

Process controls – individual control

• All individuals should be authenticated / authorized on accessing the perimeter.

• All non-staff individuals should sign in and present a valid identification document.

• Security personnel perform a countercheck

• Inspection of incoming items if applicable

• If clearance is given, a badge should be assigned (if applicable) based on the category of the visitor.

• Visitors to be escorted to designated supervised waiting area to be collected by internal staff.

Process controls – individual control

• Internal staff verify that the badge is present and worn visibly by the visitor.

• Contractors on site for a predetermined period of time are restricted to only areas/rooms designated to accomplish authorized tasks.

• External staff working in restricted areas should be physically supervised.

• Inspection of incoming/outgoing items

• A log is maintained for all restricted areas

• A key management system is maintained for all restricted facility areas.

Process controls – general rules

• It is recommended to impose restrictions for secure areas:

– Prohibition of smoking

– Prohibition of foods and drinks

– Conditions for the use of devices generating radio frequency, such as wireless devices and mobile phones, near sensitive equipment/copper network cabling

– Conditions for the use of storage and photo taking devices, such as cameras (including mobile phones), PDAs (Personal Digital Assistant), USB drives and other similar devices.

Monitor, review and improve

• Security policies and measures need continuous monitoring, review and improvement.

• Security incidents need to be reviewed and immediate action needs to be taken to ensure that in the future no similar incidents will occur.

• At least once a year a full review is required

Monitor, review and improve

• A security incident response process should exist to address security breaches and potential weaknesses:

– Detection of security incidents

– Reporting and logging of security incidents

– Logging the response and the corrective/preventive action taken.

– Periodic evaluation of all information security incidents

– Improvements to further reinforce the security infrastructure.

Monitor, review and improve

• Information that can be recorded during security incident response:

– Date and time of event

– By whom reported

– Location where the incident occurred

– Sensitivity level

– Affected areas

– Detailed description of the event

– Corrective action taken

– Details of loss, damage or destruction

Audit and control

• Audit and review need to take place on a regular basis:

– Internal audits

• Readiness approach

• Maintenance of management system

– External audits

• Mandatory compliance with regulations and standards

• Voluntary conformance with standards

ANSI/TIA-942 - DCOS

• ANSI/TIA-942

– Focus on design (validation) and build (certification)

– Covers all facility related matters of the data center

• Telecommunication

• Electrical

• Architectural

• Mechanical (includes security, safety, fire suppression etc.)

• DCOS (Data Centre Operations Standard)

– Focus on operations (certification)

– Progressive standard covering 11 disciplines (security management included)

– Maturity level based

Audit

• Type of audit

– Certification (1st year)

– Surveillance (2nd and 3rd year)

– Re-certification (4th year)

• Potential audit results

– Conform (ANSI/TIA-942) / Maturity level (DCOS)

– AOI (Area Of Improvement) (ANSI/TIA-942)

– CAT 2 (Category 2) (ANSI/TIA-942)

– CAT 1 (Category 1) (ANSI/TIA-942)

Training

• Continuous training of staff is recommended to maintain the corporate information security baseline

• EPI courses which, amongst other topics, address all layers of security:

– CDCP (Certified Data Centre Professional)

– CDCS (Certified Data Centre Specialist)

– CDFOM (Certified Data Centre Facilities Operations Manager)

– CITP (Certified Information Technology Professional)

– CITS (Certified Information Technology Specialist)

– CITE (Certified Information Technology Expert)

Questions?


M. Javed Wadood

www.epi-ap.com