Professional Documents
Culture Documents
Data Center Security & Control: Smolianets Vladyslav
Data Center Security & Control: Smolianets Vladyslav
Data Center Security & Control: Smolianets Vladyslav
A. Security
Information Security Risk Assessment Guide
Security Standards, Policies & Systems
Common Data Center Security Risk Signs
Security Audit Checklist
B. Controls
Physical Controls
Logical Controls
Administrative Controls
Security?
3
Malaysian Public Sector Information Security
Risk-Assessment Guidelines
4
SECURITY STANDARDS
Adopt ISO-27001 (replaces BS 7799 – Part 2)
Information Security Management System (ISMS)
Adopt ISO/IEC-27002 (replaces ISO-17799)
Controls for Security Management
5
SECURITY POLICY
Any security strategy begins with a security policy that aligns business needs with
security goals and defines how to implement them through processes and
technologies. A first step must be to ensure that any existing security policy is updated
to address the particular requirements of the data center: its specific application
requirements, access permissions, protection of sensitive information, and compliance
with regulatory requirements.
An effective security policy results from collaboration among all stakeholders in the
Data Center, including various management teams, the executive board, and user
Groups throughout the organization. The policy determines security design,
Management processes, and technologies that enable policy implementation and
enforcement. A security policy is not static; it should be refined and adjusted regularly,
especially as the security posture of the data center changes.
6
SECURITY SYSTEM
Security has to be implemented at various levels
Physical layer (perimeter, building, data center etc.)
Infrastructure layer (network, servers etc.)
Organizational layer (people, process etc.)
Security is strong as the weakest list
7
Most Common Security Risk Signs of Data Center
Out-of-date physical wiring diagrams
Out-of-date logical equipment configuration diagrams and schematics
Infrequent testing of UPS
Failure to recharge UPS batteries
Failure to test generator and fuel levels
Lack of preventive maintenance on air conditioning equipment
Fire suppression system not recharged
Emergency power-off system not tested
Emergency power-off system not documented
Infrequent testing of backup generator system
Equipment not properly anchored
Evacuation procedures not clearly documented
Circumvention of physical security procedures
Lack of effective training for appropriate personnel
8
TIERING REFERENCE GUIDE (from TIA942)
Security Access Tier I Tier II Tier III Tier IV
Control/ Monitoring
at:
Generators Industrial Intrusion Intrusion Intrusion
grade lock detection detection detection
UPS, Telephone & Industrial Intrusion Card access Card access
MEP Rooms grade lock detection
Fiber Vaults Industrial Intrusion Intrusion Intrusion
grade lock detection detection detection
Emergency Exit Industrial Monitor Delay egress Delay egress
Doors grade lock per code per code
Accessible exterior Off site Intrusion Intrusion Intrusion
windows/ opening monitoring detection detection detection
9
TIERING REFERENCE GUIDE (con’t…)
Security Access Tier I Tier II Tier III Tier IV
Control/ Monitoring
at:
Security Operations n/a n/a Card access Card access
Center
Network Operations n/a n/a Card access Card access
Center
Security Equipment n/a Intrusion Card access Card access
Rooms detection
Doors into Computer Industrial Intrusion Card or Card or
Room grade lock detection biometric biometric
access for access for
ingress and ingress and
egress egress
10
TIERING REFERENCE GUIDE (con’t…)
CCTV Monitoring Tier I Tier II Tier III Tier IV
Building parameter No No Yes Yes
and parking requirement requirement
11
SECURITY AUDIT
12
PHYSICAL CONTROL
13
PHYSICAL CONTROL
14
PHYSICAL CONTROL
(Preventive)
15
PHYSICAL CONTROL
(Preventive)
Examples:
• Backup files and documentation.
• Fences.
• Security guards.
• Badge systems.
• Double door systems.
• Locks and keys.
• Backup power.
• Biometric access controls.
• Site selection.
• Fire extinguishers.
16
17
PHYSICAL CONTROL
(Detective)
Examples:
• Motion detectors.
• Smoke and fire detectors. VESDA
• Closed-circuit television monitors.
• Sensors and alarms.
18
CAMERA NVR
DIGITAL DISK RECORDER
19
DDR/NVR
20
Ways to Build Physical Security into a
Data Center
Build on the right spot.
Have redundant utilities
Pay attention to walls
Avoid windows
Use landscaping for protection
Keep a 100-foot buffer zone around the site
Use retractable crash barriers at vehicle entry
points
Plan for bomb detection
21
Ways to Build Physical Security into a Data Center
(cont’d)
Limit entry points
Make fire doors exit only
Use plenty of cameras
Protect the building's machinery
Plan for secure air handling
Ensure nothing can hide in the walls and ceilings
Use two-factor authentication
Harden the core with security layers
Watch the exits too
Prohibit food in the computer rooms
Install visitor rest rooms
22
Layered Physical Security
Site
Perimeter
Building
Data Center
Computer
Room
23
24
DATA CENTER PHYSICAL SECURITY CHECKLIST
1. Site Location
a) Natural Disaster Risk
b) Man made Disaster Risk
c) Infrastructure
d) Sole purpose
2. Site Perimeter
a) Perimeter
b) Surveillance
c) Outside Windows & Computer Room Placement
d) Access Points
25
DATA CENTER PHYSICAL SECURITY CHECKLIST
4. Facilities 6. Ousiders
a) Cooling Towers a) Guards
b) Power b) Cleaning Staff
c) Trash c) Service Engineers
d) NOC
26
DATA CENTER PHYSICAL SECURITY CHECKLIST
7. Users
a) Education
b) Policy
27
LOGICAL CONTROL
28
LOGICAL CONTROL
(Preventive)
to prevent unauthorized personnel or programs from
gaining remote access to computing resources.
Examples:
• Access control software.
• Antivirus software.
• Passwords.
• Smart cards.
• Encryption.
• Dial-up access control and callback systems.
• Authentication
29
LOGICAL CONTROL
(Detective)
Examples:
• Audit trails
• Intrusion Detection Expert Systems
30
ADMINISTRATIVE CONTROL
31
ADMINISTRATIVE CONTROL
32
ADMINISTRATIVE CONTROL
(Preventive)
33
ADMINISTRATIVE CONTROL
(Preventive)
Examples:
• Security awareness and technical training.
• Separation of duties.
• Procedures for recruiting and terminating employees.
• Security policies and procedures.
• Supervision.
• Disaster recovery, contingency, and emergency plans.
• User registration for computer access.
34
ADMINISTRATIVE CONTROL
(Detective)
35
ADMINISTRATIVE CONTROL
(Detective)
Examples:
• Security reviews and audits.
• Performance evaluations.
• Required vacations.
• Background investigations.
• Rotation of duties.
36
THANK YOU
37