Data Centre Security

Presented by:

M. Javed Wadood

Managing Director (MEA)

Copyright 2017

Bringing Cyber Security to Data Centre

EPI – history and global locations

UK origin, 1987

Singapore office, 1999

9 EPI offices worldwide

Global partner network spanning 60+ countries, 130+ cities

EPI is a Data Centre Expert company

• EPI offers an extensive range of expert data centre services

• We do evaluation and validation of data centre plans to make sure they are designed to meet the business requirements or industry standards

• We do data centre audits and certifications to the standards in the industry

• We design and write data centre training programs from our hands-on experience

[Diagram: design evaluation and validation; audits and certification; professional training]

Some of Our Customers

They trust us, So can you!

Agenda

• The data centre

• Data centre standards addressing security

• Security set-up at the physical level

• Controls for securing the perimeter

• Controls for the facility

• Why security fails

• Process controls

• Monitor, review and improve

• Audit and control

• Training

What is a data centre

• According to Gartner: the data centre is the department in an enterprise that houses and maintains back-end information technology (IT) systems and data stores, its mainframes, servers and databases.

• The data centre is supported by a physical facility and a utility infrastructure such as power, cooling, water, physical network infrastructure, fire suppression systems, etc.

Data centre – supporting areas

• Common supporting areas:

– Network Operations Center (NOC)

– Security room

– UPS (Uninterruptible Power Supply) room

– Battery room

– Gen Set area

– Staging area

– Holding area

Data centre standards

• Standards and guidelines supporting data centres in implementing information security, with emphasis on physical security and access controls:

– ANSI/TIA-942

• Specifies physical controls depending on Rated/Rating level required

– DCOS 2016

• Specifies operational controls required for certification

• Maturity level based

Perimeter controls

• Fence / wall / moat

• Visible intrusion detection systems

• Visible signs

• Guard house

• Boom barrier

• Security guards

• Security dogs

Perimeter control – CCTV cameras

• CCTV (Closed-Circuit Television) cameras installation to monitor the following:

– All entrances into and exits of the premises

– All entrances and exits of restricted facility areas

– Areas immediately surrounding the perimeter of the premises.

– Perimeter fences and/or walls of the premises

– Areas between perimeter fence and/or wall and buildings within the premises.

– Areas supporting the facility that may fall outside the perimeter.

Facility controls

• Cages

• Mantraps

• CCTV Cameras

• Door control

– Key lock

– Electronic lock

• Card reader

• Security code

• Biometrics

• Equipment control

– Computer racks

– Power Distribution Unit (PDU)

– Computer Room Air-Conditioner (CRAC)

Why security fails

• Possible causes of why security fails in data centres:

– Human error

– Lack of process

environment.

– Lack of training

– Low awareness level

– Budget limitations

Process controls – security patrol

• Security guards need to be appropriately dressed

• Should have tools / equipment in good working condition, to be inspected before going on patrol:

– Radio (Walkie-Talkie)

• Proper channel setting

• Charged battery

– Torch light with full battery

– Arms (where allowed and required)

Process controls – security patrol

• The facility should be inspected on a periodic basis, covering the following:

– All entrances and exits from the perimeter

– Areas immediately surrounding the perimeter of the premises.

– Perimeter fences and/or walls of the premises

– Any used and unused side entrance of buildings

– All restricted areas outside and inside the building

– Areas supporting the facility that may fall outside the perimeter (where applicable and feasible).

– Lifts / Emergency paths

Process controls – security patrol

• Patrol scheduling:

– Round the clock

– Different routes

– Different start times

• Focus more on the night patrol

• Use call home / heartbeat principle

• Activate response procedure upon detection of a security breach.

• Follow pre-defined checklists

Process controls – security patrol

• Checklist should include door number, location and items to be inspected:

– Time stamp and signature at every checkpoint

• Electronic clocking devices

– Camera in working condition

• Verify with security command room

– Physical testing of doors

• Door open test

– Taking photographs of any suspicious matters

– Inspection of equipment such as fire panel, water leak panel, cooling systems etc.
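
The patrol controls above (different routes and start times, the call home / heartbeat principle, time stamps from electronic clocking devices) can be reviewed automatically from a clocking export. The following is an added example, not part of the original presentation; the log format, checkpoint names, required checklist and 15-minute interval are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed clocking-device export: patrol id, checkpoint, time of clock-in.
SAMPLE_LOG = """\
P1,GATE-1,2017-05-01T22:00
P1,FENCE-N,2017-05-01T22:09
P1,HOLDING,2017-05-01T22:17
P1,UPS-ROOM,2017-05-01T22:26
P2,GATE-1,2017-05-02T22:00
P2,FENCE-N,2017-05-02T22:08
P2,HOLDING,2017-05-02T22:16
P2,UPS-ROOM,2017-05-02T22:45
P3,UPS-ROOM,2017-05-03T23:37
P3,FENCE-N,2017-05-03T23:46
P3,GATE-1,2017-05-03T23:55
"""

REQUIRED = {"GATE-1", "FENCE-N", "HOLDING", "UPS-ROOM"}  # assumed checklist
MAX_GAP = timedelta(minutes=15)  # assumed heartbeat interval


def parse(log):
    """Group clock-ins per patrol, each sorted by time; patrols ordered by start."""
    patrols = {}
    for line in log.strip().splitlines():
        pid, checkpoint, stamp = (field.strip() for field in line.split(","))
        patrols.setdefault(pid, []).append((datetime.fromisoformat(stamp), checkpoint))
    return sorted(((pid, sorted(ev)) for pid, ev in patrols.items()),
                  key=lambda item: item[1][0][0])


def overdue(events, now):
    """Live heartbeat check: route unfinished and no clock-in within MAX_GAP."""
    done = {checkpoint for _, checkpoint in events}
    return bool(REQUIRED - done) and now - events[-1][0] > MAX_GAP


def review(log):
    """Return (patrol, finding, detail) tuples for the command room to follow up."""
    findings, previous = [], None
    for pid, events in parse(log):
        for (t0, c0), (t1, c1) in zip(events, events[1:]):
            if t1 - t0 > MAX_GAP:  # guard went silent between two checkpoints
                findings.append((pid, "missed-heartbeat", f"{c0}->{c1}"))
        route = [checkpoint for _, checkpoint in events]
        for checkpoint in sorted(REQUIRED - set(route)):
            findings.append((pid, "checkpoint-skipped", checkpoint))
        start = events[0][0].strftime("%H:%M")
        if previous:  # a repeated pattern defeats the varied-schedule control
            if start == previous[0]:
                findings.append((pid, "same-start-time", start))
            if route == previous[1]:
                findings.append((pid, "same-route", ">".join(route)))
        previous = (start, route)
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```
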

Process controls – holding area

• Delivery and loading areas should be controlled and isolated from information processing facilities to avoid unauthorized access.

• The holding area should be designed like a buffer zone, allowing delivery staff to unload materials without gaining access to other areas of the building.

• During opening hours, the holding area should be manned with a security guard overseeing all activities.

• The holding area is supervised on a 24x7 basis, having CCTV cameras installed covering all angles of the area.

Process controls – holding area

• The external door should be secured/closed when the internal door is open

• Incoming items should be accounted for

• Incoming items should be inspected for potential hazards before movement into the building

• Incoming items should be inspected for eavesdropping devices

• Incoming items should be registered

Process controls – vehicle control

• All vehicles which are allowed inside the perimeter need to be pre-registered depending on the individual:

– Staff

– Vendor / contractor

– Public transport / visitors / customers

• Vehicle registration should include at the minimum:

– Owner and driver name

– Type of vehicle

– Make and model

– Color

– Registration / license plate

– Any special marks

Process controls – vehicle control

• Security personnel need to verify registered details before allowing entry inside the perimeter.

• All compartments of the vehicle must be opened.

• Scan under the vehicle

• For highly secure facilities additional equipment might be utilized such as explosive sniffers, metal detectors etc.

Process controls – individual control

• Physical access control is based on two principles

– Personnel categories

– Security zones

• Personnel categories

– Internal staff

– External staff (same organization)

– Vendors / contractors

– Visitors

– Customers

Process controls – individual control

• To control physical security in the data centre, different security zones may exist:

– Common (public) facility

• Areas/rooms used by all personnel and not subject to any internal security restrictions.

– Restricted areas

• Areas/rooms housing key equipment such as UPS systems, air-conditioners and batteries.

– Highly secure area

• Areas such as the computer and media storage room

Process controls – individual control

• All individuals should be authenticated / authorized on accessing the perimeter.

• All non-staff individuals should sign in and present a valid identification document.

• Security personnel perform a countercheck

• Inspection of incoming items if applicable

• If clearance is given, a badge should be assigned (if applicable) based on the category of the visitor.

• Visitors to be escorted to designated supervised waiting area to be collected by internal staff.

Process controls – individual control

• Internal staff verify that the badge is present and worn visibly by the visitor.

• Contractors on site for a predetermined period of time are restricted to only areas/rooms designated to accomplish authorized tasks.

• External staff working in restricted areas should be physically supervised.

• Inspection of incoming/outgoing items

• A log is maintained for all restricted areas

• A key management system is maintained for all restricted facility areas.

Process controls – general rules

• It is recommended to impose restrictions for secure areas:

– Prohibition of smoking

– Prohibition of foods and drinks

– Conditions for the use of devices generating radio frequency, such as wireless devices and mobile phones, near sensitive equipment/copper network cabling

– Conditions for the use of storage and photo taking devices, such as cameras (including mobile phones), PDAs (Personal Digital Assistant), USB drives and other similar devices.

Monitor, review and improve

• Security policies and measures need continuous monitoring, review and improvement.

• Security incidents need to be reviewed and immediate action needs to be taken to ensure that in the future no similar incidents will occur.

• At least once a year a full review is required

Monitor, review and improve

• A security incident response process should exist to address security breaches and potential weaknesses:

– Detection of security incidents

– Reporting and logging of security incidents

– Logging the response and the corrective/preventive action taken.

– Periodic evaluation of all information security incidents

– Improvements to further reinforce the security infrastructure.

Monitor, review and improve

• Information that can be recorded during security incident response:

– Date and time of event

– By whom reported

– Location where the incident occurred

– Sensitivity level

– Affected areas

– Detailed description of the event

– Corrective action taken

– Details of loss, damage or destruction

Audit and control

• Audit and review need to take place on a regular basis:

– Internal audits

• Readiness approach

• Maintenance of management system

– External audits

• Mandatory compliance with regulations and standards

• Voluntary conformance with standards

ANSI/TIA-942 - DCOS

• ANSI/TIA-942

– Focus on design (validation) and build (certification)

– Covers all facility related matters of the data center

• Telecommunication

• Electrical

• Architectural

• Mechanical (includes security, safety, fire suppression etc.)

• DCOS (Data Centre Operations Standard)

– Focus on operations (certification)

– Progressive standard covering 11 disciplines (security management included)

– Maturity level based

Audit

• Type of audit

– Certification (1st year)

– Surveillance (2nd and 3rd year)

– Re-certification (4th year)

• Potential audit results

– Conform (ANSI/TIA-942) / Maturity level (DCOS)

– AOI (Area Of Improvement) (ANSI/TIA-942)

– CAT 2 (Category 2) (ANSI/TIA-942)

– CAT 1 (Category 1) (ANSI/TIA-942)

Training

• Continuous training of staff is recommended to maintain the corporate information security baseline

• EPI courses which, amongst other topics, address all layers of security:

– CDCP (Certified Data Centre Professional)

– CDCS (Certified Data Centre Specialist)

– CDFOM (Certified Data Centre Facilities Operations Manager)

– CITP (Certified Information Technology Professional)

– CITS (Certified Information Technology Specialist)

– CITE (Certified Information Technology Expert)

Questions ?

M. Javed Wadood

www.epi-ap.com