Data Center Security & Control: Smolianets Vladyslav


Institut Tadbiran Awam Negara (INTAN)

Jabatan Perkhidmatan Awam (JPA)

National Institute of Public Administration


Public Service Department of Malaysia

Data Center Security & Control

Smolianets Vladyslav

Lesson Contents

A. Security
• Information Security Risk Assessment Guide
• Security Standards, Policies & Systems
• Common Data Center Security Risk Signs
• Security Audit Checklist
B. Controls
• Physical Controls
• Logical Controls
• Administrative Controls

Security?

Malaysian Public Sector Information Security Risk-Assessment Guidelines

1. The Malaysian Public Sector Information Security High Level Risk Assessment (HiLRA Guide)

2. The Malaysian Public Sector Information Security Risk Assessment Methodology (MyRAM).

SECURITY STANDARDS
• Adopt ISO-27001 (replaces BS 7799 – Part 2)
  • Information Security Management System (ISMS)
• Adopt ISO/IEC-27002 (replaces ISO-17799)
  • Controls for Security Management

BCC, Inc. Report GB-185R

SECURITY POLICY
Any security strategy begins with a security policy that aligns business needs with
security goals and defines how to implement them through processes and
technologies. A first step must be to ensure that any existing security policy is updated
to address the particular requirements of the data center: its specific application
requirements, access permissions, protection of sensitive information, and compliance
with regulatory requirements.

An effective security policy results from collaboration among all stakeholders in the
data center, including various management teams, the executive board, and user
groups throughout the organization. The policy determines security design,
management processes, and technologies that enable policy implementation and
enforcement. A security policy is not static; it should be refined and adjusted regularly,
especially as the security posture of the data center changes.

SECURITY SYSTEM
• Security has to be implemented at various levels
  • Physical layer (perimeter, building, data center etc.)
  • Infrastructure layer (network, servers etc.)
  • Organizational layer (people, process etc.)
• Security is as strong as the weakest link

Most Common Security Risk Signs of Data Center
• Out-of-date physical wiring diagrams
• Out-of-date logical equipment configuration diagrams and schematics
• Infrequent testing of UPS
• Failure to recharge UPS batteries
• Failure to test generator and fuel levels
• Lack of preventive maintenance on air conditioning equipment
• Fire suppression system not recharged
• Emergency power-off system not tested
• Emergency power-off system not documented
• Infrequent testing of backup generator system
• Equipment not properly anchored
• Evacuation procedures not clearly documented
• Circumvention of physical security procedures
• Lack of effective training for appropriate personnel

TIERING REFERENCE GUIDE (from TIA942)

| Security Access Control/Monitoring at: | Tier I | Tier II | Tier III | Tier IV |
|---|---|---|---|---|
| Generators | Industrial grade lock | Intrusion detection | Intrusion detection | Intrusion detection |
| UPS, Telephone & MEP Rooms | Industrial grade lock | Intrusion detection | Card access | Card access |
| Fiber Vaults | Industrial grade lock | Intrusion detection | Intrusion detection | Intrusion detection |
| Emergency Exit Doors | Industrial grade lock | Monitor | Delay egress per code | Delay egress per code |
| Accessible exterior windows/opening | Off site monitoring | Intrusion detection | Intrusion detection | Intrusion detection |

TIERING REFERENCE GUIDE (cont’d)

| Security Access Control/Monitoring at: | Tier I | Tier II | Tier III | Tier IV |
|---|---|---|---|---|
| Security Operations Center | n/a | n/a | Card access | Card access |
| Network Operations Center | n/a | n/a | Card access | Card access |
| Security Equipment Rooms | n/a | Intrusion detection | Card access | Card access |
| Doors into Computer Room | Industrial grade lock | Intrusion detection | Card or biometric access for ingress and egress | Card or biometric access for ingress and egress |

TIERING REFERENCE GUIDE (cont’d)

| CCTV Monitoring | Tier I | Tier II | Tier III | Tier IV |
|---|---|---|---|---|
| Building perimeter and parking | No requirement | No requirement | Yes | Yes |
| Generators | n/a | n/a | Yes | Yes |
| Access Controlled Doors | No requirement | Yes | Yes | Yes |
| Computer Room Floors | No requirement | No requirement | Yes | Yes |
| UPS, Telephone & MEP Rooms | No requirement | No requirement | Yes | Yes |
| CCTV Recording of all activities on all cameras | No requirement | No requirement | Yes; digital | Yes; digital |

SECURITY AUDIT

• Facilities Security Audit Checklist

• Sample Internal Control Questionnaire

• Data Center Review Program

PHYSICAL CONTROL

Potential for damage or loss can be categorized into 7 categories of threats to objects, persons and intellectual property:

• Temperature: sunlight, freezing, fire & excessive heat
• Gases: commercial vapors, humidity, dry air, suspended particles, smoke, cleaning fluid
• Liquids: water & chemicals
• Organisms: contamination from virus, bacteria, people, animals
• Projectiles: falling objects, wind, explosions
• Movement: collapse, shearing, shaking, vibration
• Energy anomalies: electric surges/failure, magnetism, static electricity, radiation, sound, light

PHYSICAL CONTROL

(Preventive)

• To prevent unauthorized personnel from entering computing facilities
  (i.e., locations housing computing resources, supporting utilities, computer hard copy, and input data media).
• To help protect against natural disasters.

PHYSICAL CONTROL

(Preventive)
Examples:
• Backup files and documentation.
• Fences.
• Security guards.
• Badge systems.
• Double door systems.
• Locks and keys.
• Backup power.
• Biometric access controls.
• Site selection.
• Fire extinguishers.

PHYSICAL CONTROL

(Detective)

• Warn protective services personnel that physical security measures are being violated.

Examples:

• Motion detectors.
• Smoke and fire detectors. VESDA
• Closed-circuit television monitors.
• Sensors and alarms.

[Figure: camera, NVR / digital disk recorder (DDR), and security monitoring screen]

Ways to Build Physical Security into a Data Center
• Build on the right spot
• Have redundant utilities
• Pay attention to walls
• Avoid windows
• Use landscaping for protection
• Keep a 100-foot buffer zone around the site
• Use retractable crash barriers at vehicle entry points
• Plan for bomb detection

Ways to Build Physical Security into a Data Center (cont’d)
• Limit entry points
• Make fire doors exit only
• Use plenty of cameras
• Protect the building's machinery
• Plan for secure air handling
• Ensure nothing can hide in the walls and ceilings
• Use two-factor authentication
• Harden the core with security layers
• Watch the exits too
• Prohibit food in the computer rooms
• Install visitor rest rooms

Layered Physical Security

Site
Perimeter
Building
Data Center
Computer Room

DATA CENTER PHYSICAL SECURITY CHECKLIST

1. Site Location
a) Natural Disaster Risk
b) Man-made Disaster Risk
c) Infrastructure
d) Sole purpose

2. Site Perimeter
a) Perimeter
b) Surveillance
c) Outside Windows & Computer Room Placement
d) Access Points

DATA CENTER PHYSICAL SECURITY CHECKLIST

3. Computer Rooms
a) Access
b) Infrastructure
c) Environment
d) Fire Prevention
e) Shared Space

4. Facilities
a) Cooling Towers
b) Power
c) Trash
d) NOC

5. Disaster Recovery
a) Disaster Recovery Plan
b) Offsite Backup
c) Redundant Site

6. Outsiders
a) Guards
b) Cleaning Staff
c) Service Engineers

DATA CENTER PHYSICAL SECURITY CHECKLIST

7. Users
a) Education
b) Policy

8. Disaster Recovery (people)


a) Organizational Chart
b) Job Function Documentation
c) Cross Training
d) Contact Information
e) Telecommuting
f) Disparate Locations

LOGICAL CONTROL

• Use software and data to monitor and control access to information and computing systems
  (e.g. passwords, network and host-based firewalls, network intrusion detection systems, access control lists, and data encryption).

• The level of access granted is limited to certain tasks that need to be performed by an individual, program or system.

LOGICAL CONTROL

(Preventive)
• To prevent unauthorized personnel or programs from gaining remote access to computing resources.

Examples:
• Access control software.
• Antivirus software.
• Passwords.
• Smart cards.
• Encryption.
• Dial-up access control and callback systems.
• Authentication.

LOGICAL CONTROL

(Detective)

• To warn personnel of attempted violations.

Examples:
• Audit trails
• Intrusion Detection Expert Systems

ADMINISTRATIVE CONTROL

• Also called procedural controls.

• Consist of approved written policies, procedures, standards and guidelines.

• Form the framework for running the business and managing people. They inform people on how the business is to be run and how day-to-day operations are to be conducted.

• Laws and regulations created by government bodies are also a type of administrative control.

ADMINISTRATIVE CONTROL

• Form the basis for the selection and implementation of logical and physical controls.

• Used to control individual behaviour towards access to facilities, equipment, resources and information.

ADMINISTRATIVE CONTROL
(Preventive)

Personnel-oriented techniques for controlling people’s behavior to ensure the confidentiality, integrity, and availability of computing data and programs.

ADMINISTRATIVE CONTROL

(Preventive)

Examples:
• Security awareness and technical training.
• Separation of duties.
• Procedures for recruiting and terminating employees.
• Security policies and procedures.
• Supervision.
• Disaster recovery, contingency, and emergency plans.
• User registration for computer access.

ADMINISTRATIVE CONTROL

(Detective)

To determine how well security policies and procedures are complied with, to detect fraud, and to avoid employing persons that represent an unacceptable security risk.

ADMINISTRATIVE CONTROL

(Detective)

Examples:
• Security reviews and audits.
• Performance evaluations.
• Required vacations.
• Background investigations.
• Rotation of duties.

THANK YOU
