1. Datacenter Strategics, Shanghai
14th May 2010
Migrating to IP-Based Physical Security in the Data Center
Proprietary and Confidential. © 2010 Anixter Inc.
Securing your datacenter
Jeffrey Lam RCDD
Regional Manager, Anixter Greater China
2. Agenda
Industry drivers
Business trends
Developing the physical security plan for data centers
– Physical protection guidelines and strategies
– Crime Prevention Through Environmental Design
(CPTED)
– TIA-942 standard
Security technologies for data centers
– Perimeter layer controls
– Facility layer controls
– Computer room layer controls
– Cabinet-level controls
3. Industry Drivers for Data Center Security
Sensitive data
– Medical records
– Social Security numbers
– Financial transactions and cardholder data
– Intellectual property and confidential information
Critical infrastructure and key resources
– As defined by the Department of Homeland Security:
“The assets, systems, and networks, whether physical or
virtual, so vital to the United States that their incapacitation or
destruction would have a debilitating effect on security,
national economic security, public health or safety, or any
combination thereof.”
4. Data Security Breaches
Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm#2010
5. Protecting your information!
(Diagram: logical security only vs. physical security)
Physical Security
– Tracks people
– Limits access to areas, spaces
– Provides audit of who accessed what
– Integrates with video to provide visual record
Logical Security
– Tracks logins
– Limits access to servers, folders and applications
– Provides audit trail of what login accessed what data
6. Business Trends in Security Systems
Moving from reactive toward predictive response
Providing additional operator control
Preserving existing capital investment
Regulatory requirements
– PCI DSS, HIPAA, Sarbanes-Oxley, etc.
7. Technology Trends in Security Systems
Analog-to-digital migration
– Digital allows better image management
Record, store, search, retrieve, share, send
System Integration for greater efficiency
Standardized structured approach
– Modular, flexible implementation
– Easy moves, adds and changes (MAC)
Anywhere - anytime monitoring
Video Analytics
8. Developing the Physical Security Plan
Physical Protection Guidelines & Strategies
Technologies for Data Center Security
9. Physical Protection Guidelines & Strategies
Crime Prevention Through Environmental Design (CPTED)
– Perimeter layer controls
– Facility layer controls
– Computer room layer controls
– Cabinet-level controls
ANSI/TIA-942
10. Physical Protection Guidelines and Strategies
Crime Prevention Through Environmental Design (CPTED)
– Awareness of how people use space
All space has a designated purpose
Social, cultural, legal and physical dimensions affect behavior
– Control physical setting to change behavior
Understand and change behavior in relation to physical surroundings
Redesign space to encourage legitimate behaviors and discourage illegitimate use
11. Security Technologies for Data Centers
(Diagram: Site Selection; protection layers Perimeter, Facility, Computer Rooms, Cabinets)
Defense in depth
– Implement layers of protection
– Ensure failure of one element in the system will not create a critical vulnerability in the whole system
– Delay penetration in event of breaches
12. Perimeter Layer Controls
Selection of Site
Site hardening
Video surveillance
13. Perimeter Layer Controls
Goals
– Deter, detect and delay
– Integrate systems
– Provide layers of protection
Security measures
– Physical barriers
– Site hardening
– Lighting
– Intrusion detection
– Video surveillance
– Physical entry and access control
(Diagram: protection layers Perimeter, Facility, Computer Rooms, Cabinets)
14. TIA-942 Data Center Site Selection Criteria
Secure all cooling equipment, generators, fuel tanks or access provider equipment situated outside the customer space
The computer room should not be located in close proximity to a parking garage
The building should not be located:
– In a 100-year flood plain, near an earthquake fault, on a hill subject to slide risk, or downstream from a dam or water tower
– Within 0.4 km (¼ mile) of an airport, research lab, chemical plant, landfill, river, coastline or dam
– Within 0.8 km (½ mile) of a military base
– Within 1.6 km (1 mile) of a nuclear, munitions or defense plant
– Adjacent to a foreign embassy
– In high-crime areas
15. Site Hardening
Security walls and gates
No signage indicating data center purpose
Keep access points to a minimum
Parking away from building
Clear zones
Intimidating doors and hardware
– Steel doors and heavy-duty locks
16. TIA-942 – Data Center Security Tiers (Cont.)
Source: ANSI/TIA-942
17. TIA-942 – Data Center Security Tiers (Cont.)
Source: ANSI/TIA-942
18. Perimeter Video Surveillance
Monitor
– Perimeter
– Parking lots
– Entry and exit points
– Garbage bins
– Power or cooling facilities
– Building facade and rooftop
Detect
– Motion detection
Sound alarm or recording when triggered
– Intelligent video analytics
Object left behind
People counting
Wrong way
– Edge-based vs. server-based analytics
Image courtesy of Bosch Security Systems
19. Resolutions Compared
– 5.0 MP: 2560x1920
– 3.1 MP: 2048x1535
– 2.0 MP: 1600x1200
– 1.3 MP: 1280x1024
– PAL: 720x576
– VGA: 640x480
– CIF: 352x288
Image courtesy of IQinVision
20. HDTV Camera Resolution
Up to 5 times higher resolution than analog TV
SMPTE (Society of Motion Picture and Television Engineers)
Standardized color fidelity
16:9 format
– Discards nonrelevant parts
– Makes it easier for the operator
– Saves bandwidth
– Saves storage
(Diagram: HDTV 720 (1280x720) and HDTV 1080 (1920x1080) in 16:9 ratio compared with the 4:3 ratio)
Image courtesy of Axis Communications
21. Video Surveillance: Network Video
Megapixel Resolution
(Diagram: VGA (640x480), HDTV 720 (1280x720), HDTV 1080 (1920x1080), 3.1 MP (2048x1535), 5.0 MP (2560x1920))
Image courtesy of IQinVision
22. Video Management Platforms
Hybrid DVR
– Familiar interface
– Analog and IP cameras
– Proprietary and limited scalability
Hardware NVR
– Specifically designed for IP surveillance cameras
– Proprietary
VMS on PC/server platform
– Nonproprietary
– Off-the-shelf hardware
– Simplicity in system maintenance
– Upgrade single components: memory, CPU, etc.
– Best-of-breed hardware components
– Preconfigured options available
23. Facility Layer Controls
Access Control and Video Analytics
24. Facility Layer Controls
Goals
– Secondary layer of protection
– Further restrict access
– Redundant power and communications
– Integrated systems
Security measures
– Access control
Man-traps
Turnstiles
Visitor management
– Video surveillance
(Diagram: protection layers Perimeter, Facility, Computer Rooms, Cabinets)
25. Access Control: Prevent Tailgating
Man-traps
– Two interlocking doors open only one at a time after presenting authorized credential
Turnstiles
– Physically allow only one person to pass through at a time
Video analytics
– “Count” the number of people going through a doorway
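The two rules this slide states for a man-trap (the doors interlock so only one is open at a time, and the inner door releases only after an authorized credential) and the people-counting check from the video analytics bullet can be written down as a small state machine. The following Python is an added example, not code from the presentation or from Anixter; the badge list, holder names and the people count fed in from the analytics are constructed, and holding both doors locked on a tailgating alarm is a hypothetical policy.

```python
"""Man-trap interlock with a tailgating check (constructed example)."""
from dataclasses import dataclass, field

# Hypothetical credential list: badge id -> holder (constructed data).
AUTHORIZED = {"B-1001": "alice", "B-1002": "bob"}


@dataclass
class ManTrap:
    """Two interlocking doors: OUTER (public side) and INNER (secure side).

    Rules enforced:
      * at most one door is open at any time;
      * the INNER door releases only after the OUTER door has closed and a
        valid credential has been read inside the vestibule;
      * a doorway people-count other than one per credential raises a
        tailgating alarm and leaves both doors locked.
    """
    outer_open: bool = False
    inner_open: bool = False
    credential_ok: bool = False
    alarms: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _log(self, msg):
        self.audit.append(msg)

    def request_outer(self) -> bool:
        # The outer door may open only while the inner door is closed.
        if self.inner_open:
            self._log("outer denied: inner door open")
            return False
        self.outer_open = True
        self._log("outer opened")
        return True

    def close_outer(self):
        self.outer_open = False
        self._log("outer closed")

    def present_credential(self, badge_id: str) -> bool:
        # A read is honoured only once the outer door is shut, so nobody can
        # hold it open for a follower while badging.
        if self.outer_open:
            self._log(f"credential {badge_id} ignored: outer door open")
            return False
        holder = AUTHORIZED.get(badge_id)
        if holder is None:
            self._log(f"credential {badge_id} rejected")
            return False
        self.credential_ok = True
        self._log(f"credential {badge_id} accepted for {holder}")
        return True

    def request_inner(self, people_count: int) -> bool:
        """Release the inner door for one person; people_count is the figure
        reported by the doorway analytics (constructed input here)."""
        if self.outer_open or not self.credential_ok:
            self._log("inner denied: interlock not satisfied")
            return False
        if people_count != 1:
            self.alarms.append(f"tailgating: {people_count} people for one credential")
            self.credential_ok = False
            self._log("inner denied: tailgating alarm")
            return False
        self.inner_open = True
        self.credential_ok = False  # one credential, one passage
        self._log("inner opened")
        return True

    def close_inner(self):
        self.inner_open = False
        self._log("inner closed")


def walk_through(trap: ManTrap, badge_id: str, people_count: int) -> bool:
    """One full cycle: enter vestibule, close outer door, badge, open inner door."""
    if not trap.request_outer():
        return False
    trap.close_outer()
    if not trap.present_credential(badge_id):
        return False
    ok = trap.request_inner(people_count)
    if ok:
        trap.close_inner()
    return ok


def run_demo():
    """Constructed scenario; returns each cycle's outcome plus the audit trail."""
    trap = ManTrap()
    results = {
        "single_authorized": walk_through(trap, "B-1001", 1),
        "tailgate_pair": walk_through(trap, "B-1001", 2),
        "unknown_badge": walk_through(trap, "B-9999", 1),
    }
    trap.request_outer()  # a badge read with the outer door still open is ignored
    results["badge_with_outer_open"] = trap.present_credential("B-1002")
    trap.close_outer()
    results["alarms"] = list(trap.alarms)
    return results, trap.audit


if __name__ == "__main__":
    outcome, trail = run_demo()
    print(outcome)
    print("\n".join(trail))
```

The audit list is what the slide's "audit of who accessed what" amounts to at a single door; in a real deployment it would be shipped to the access-control server rather than kept in memory.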
26. Final design
(Floor plan diagram: Batteries; CRAU, CRAU; Comms.; UPS, UPS, UPS; racks, racks, reserved for future racks; Operating Console; Elect.; FM200 cylinders; MDA; Separate Facility area)
27. Video Analytics
Analyzes pixels in a frame of video
Detects behaviors in the pixels
Makes decisions based on set characteristics
– From simple
Motion detection
Camera tampering
Object recognition and tracking
People counting
– To complex
License plate readers
Facial recognition
Fire and smoke detection
Is edge-based or server-based
– Server-based allows more complexity
28. Visitor Management
Paper sign-in sheets not secure
– Incomplete, illegible and any visitor can view the log
Use a driver’s license, passport or business card
– Scanned, recorded in a secure database
– Customizable
High-quality badges printed automatically or by guard
– Integrate with existing access control systems
Badges can automatically expire
– “VOID” may appear across the badge
– Change in color
– Prox rendered inactive after a certain time or date
29. Indoor Video Surveillance
Monitor exits as well as entrances
Integrate with access control to monitor internal access
Use high-resolution cameras for identification purposes
Configure systems to record on motion or event to save storage requirements
Consider video compression technology
30. Camera Resolution: Identification Guidelines
Source: Univision
(Chart: resolution levels for general surveillance, high detail and forensic detail)
31. The Potential Impact of the Cabling Infrastructure
IP Video Surveillance
A Category 5e cabling infrastructure’s absence of headroom minimizes the infrastructure’s ability to compensate for marginal electronics
A Category 6A cabling infrastructure provides headroom to overcome issues related to the electronics
(Diagram: IP video over minimally compliant Category 5e vs. IP video over Category 6A)
32. Lower TCO: Bandwidth and Storage
H.264: the ultimate video compression
H.264 compression (example savings)
(Chart: bandwidth and storage consumption of Motion JPEG, MPEG-4 Part 2 and H.264; H.264 shown at about 80% below Motion JPEG and about 50% below MPEG-4 Part 2)
Image courtesy of Axis Communications
33. Computer Room Layer Controls
Identification
Asset tracking
34. Computer Room Layer Controls
Goals
– Third layer of protection
– Further restrict access
Multiple forms of verification
– Monitor all authorized access
– Redundant power & communications
– Integrated systems for enhanced awareness
Security measures
– Man-traps and turnstiles
– Video analytics
– Biometrics
– RFID
– Environmental monitoring
No windows or skylights
– “Six-wall” border
– Secure air-handling systems
(Diagram: protection layers Perimeter, Facility, Computer Rooms, Cabinets)
35. Identity Verification
Methods
– Carried
Item carried by the individual: metal keys, proxy cards, mag cards, photo ID, smart cards
– Known
Private information: PIN, passwords, code words
– Inherent
Biometric features: finger and thumb prints, hand geometry, iris scan, speech pattern
Image courtesy of HID Global and Ingersoll Rand Security Technologies
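Slide 28 says visitor badges expire after a set time or date and the prox credential goes inactive, and slides 34 and 35 call for multiple forms of verification drawn from the carried, known and inherent categories. The following Python is an added example, not code from the presentation or from any access-control vendor, that folds those into one door decision with an audit record per request. The credential database, zone names, the four-hour visitor window and the rule that the computer room needs two distinct factor categories are constructed assumptions.

```python
"""Access decision with credential expiry and multi-factor zone policy (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Factor categories as the slide lists them.
CARRIED, KNOWN, INHERENT = "carried", "known", "inherent"

# Minimum number of *distinct* factor categories each zone requires.
# Constructed policy: the facility needs a badge; the computer room needs two
# different categories (e.g. prox card + PIN, or prox card + fingerprint).
ZONE_POLICY = {"facility": 1, "computer_room": 2}


@dataclass
class Credential:
    holder: str
    zones: frozenset          # zones this credential is authorised for
    valid_from: datetime
    valid_until: datetime     # visitor badges get a short window; prox is dead after it
    revoked: bool = False


@dataclass
class AccessRequest:
    credential_id: str
    zone: str
    factors: frozenset        # categories actually presented and verified at the reader
    at: datetime


def decide(req: AccessRequest, credentials: dict, audit: list) -> bool:
    """Return True if the door should release; always append an audit record."""
    cred = credentials.get(req.credential_id)
    reason = None
    if cred is None:
        reason = "unknown credential"
    elif cred.revoked:
        reason = "revoked"
    elif not (cred.valid_from <= req.at <= cred.valid_until):
        reason = "expired or not yet valid"
    elif req.zone not in cred.zones:
        reason = "zone not authorised"
    elif len(req.factors & {CARRIED, KNOWN, INHERENT}) < ZONE_POLICY.get(req.zone, 1):
        reason = "insufficient verification factors"
    granted = reason is None
    audit.append({
        "time": req.at.isoformat(),
        "credential": req.credential_id,
        "holder": cred.holder if cred else None,
        "zone": req.zone,
        "factors": sorted(req.factors),
        "result": "GRANT" if granted else f"DENY ({reason})",
    })
    return granted


def sample_credentials(now: datetime) -> dict:
    """Constructed credential database: one employee and one visitor badge
    issued at the front desk that expires four hours after issue."""
    return {
        "E-100": Credential("alice", frozenset({"facility", "computer_room"}),
                            now - timedelta(days=365), now + timedelta(days=365)),
        "V-042": Credential("visitor-7", frozenset({"facility"}),
                            now, now + timedelta(hours=4)),
    }


def run_demo():
    """Constructed scenario on the morning of the talk; returns (results, audit)."""
    now = datetime(2010, 5, 14, 9, 0)
    creds = sample_credentials(now)
    audit = []
    results = {
        "employee_two_factor": decide(AccessRequest("E-100", "computer_room",
                                                    frozenset({CARRIED, KNOWN}), now), creds, audit),
        "employee_card_only": decide(AccessRequest("E-100", "computer_room",
                                                   frozenset({CARRIED}), now), creds, audit),
        "visitor_in_window": decide(AccessRequest("V-042", "facility", frozenset({CARRIED}),
                                                  now + timedelta(hours=1)), creds, audit),
        "visitor_after_expiry": decide(AccessRequest("V-042", "facility", frozenset({CARRIED}),
                                                     now + timedelta(hours=5)), creds, audit),
        "visitor_wrong_zone": decide(AccessRequest("V-042", "computer_room",
                                                   frozenset({CARRIED, KNOWN}), now), creds, audit),
    }
    return results, audit


if __name__ == "__main__":
    outcome, trail = run_demo()
    for rec in trail:
        print(rec)
```

Denials are audited with their reason, which is what lets an operator distinguish an expired visitor badge from a credential that was never authorised for the room.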
36. RFID for the Data Center Environment
Eliminate manual spreadsheets for tracking
– Inventory
– Asset locations
– Life-cycle data
RFID technologies can provide instant awareness of data center assets
– Rack-mounted equipment
– Mobile equipment such as laptops
– Employees (e.g., credential tags)
– Some systems also offer environmental monitoring sensors
37. Zone Manager – Example Data Center Deployment
(Diagram: Staging Area, Loading Dock, Storage Area and rack zones Racks #1-8, #9-16, #17-24, #25-32, #33-40, #41-48)
• Connected to each reader in each zone
• Determines precise zone level location
Example Output: Tag RFCRCK00000050 is located in Storage Area, which is located in Building 1.
Example Output: Tag RFCRCK00000050 is located in Staging Area, which is located in Building 1.
Example Output: Tag RFCRCK00000050 is located in Loading Dock, which is located in Building 1.
Example Output: Tag RFCRCK00000050 is located in Rack 48, which is located in Building 1.
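The zone manager on this slide resolves a tag's reader sightings to a zone and reports the containing building. The following Python is an added example, not the product's code, that does the same on constructed data and goes a little further: the containment tree has a rack level under each rack group (so the description lists every level up to Building 1), a tag heard by two readers at once is placed by the stronger signal, and a movement check flags a rack-mounted asset that turns up at the loading dock without passing staging. Reader ids, timestamps, signal values and the second tag id are constructed; the movement policy is hypothetical.

```python
"""Zone-level asset location from RFID reader sightings (constructed example)."""
from collections import defaultdict

# Zone containment: child -> parent (None marks the top level). Constructed to
# mirror the slide: Building 1 holds the loading dock, staging and storage areas
# and six rack zones of eight racks each; individual racks sit under their zone.
ZONE_PARENT = {"Building 1": None,
               "Loading Dock": "Building 1",
               "Staging Area": "Building 1",
               "Storage Area": "Building 1"}
for first in range(1, 49, 8):
    group = f"Racks {first}-{first + 7}"
    ZONE_PARENT[group] = "Building 1"
    for n in range(first, first + 8):
        ZONE_PARENT[f"Rack {n}"] = group

# Every reader is fixed to one zone (reader ids are constructed).
READER_ZONE = {"RDR-DOCK": "Loading Dock", "RDR-STAGE": "Staging Area",
               "RDR-STORE": "Storage Area", "RDR-R48": "Rack 48"}

# Hypothetical policy: rack-mounted assets must pass staging before the dock.
EXIT_ZONE = "Loading Dock"


def zone_chain(zone):
    """Walk up the containment tree: 'Rack 48' -> ['Rack 48', 'Racks 41-48', 'Building 1']."""
    chain = []
    while zone is not None:
        chain.append(zone)
        zone = ZONE_PARENT[zone]
    return chain


def current_zones(sightings):
    """Reduce raw (ts, reader, tag, rssi) tuples to each tag's current zone.

    The most recent sighting wins; when several readers hear a tag in the same
    second, the strongest signal decides (common for a tag near a zone boundary).
    """
    best = {}
    for ts, reader, tag, rssi in sightings:
        if tag not in best or (ts, rssi) > (best[tag][0], best[tag][1]):
            best[tag] = (ts, rssi, READER_ZONE[reader])
    return {tag: zone for tag, (_, _, zone) in best.items()}


def describe(tag, zone):
    """Render the slide's sentence for the full chain of containing zones."""
    return f"Tag {tag} is located in " + ", which is located in ".join(zone_chain(zone)) + "."


def movement_alerts(sightings):
    """Flag any tag whose zone history goes from a rack straight to the exit zone."""
    history = defaultdict(list)
    for ts, reader, tag, _ in sorted(sightings):
        zone = READER_ZONE[reader]
        if not history[tag] or history[tag][-1] != zone:
            history[tag].append(zone)
    alerts = []
    for tag, zones in history.items():
        for prev, cur in zip(zones, zones[1:]):
            if prev.startswith("Rack ") and cur == EXIT_ZONE:
                alerts.append(f"{tag}: moved from {prev} to {cur} without staging")
    return alerts


# Constructed sightings: (timestamp, reader, tag, rssi). The first tag id is
# the one on the slide; RFCRCK00000051 is made up for the movement check.
SAMPLE = [
    (100, "RDR-STORE", "RFCRCK00000050", -60),
    (100, "RDR-STAGE", "RFCRCK00000050", -72),   # weaker boundary read, loses
    (180, "RDR-R48",   "RFCRCK00000050", -55),
    (120, "RDR-R48",   "RFCRCK00000051", -50),
    (200, "RDR-DOCK",  "RFCRCK00000051", -58),   # rack -> dock, no staging
]

if __name__ == "__main__":
    for tag, zone in current_zones(SAMPLE).items():
        print(describe(tag, zone))
    for alert in movement_alerts(SAMPLE):
        print("ALERT", alert)
```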
38. Computer Room Layer Controls: Summary
Restrict access
Eliminate tailgating
Monitor exit and entry points
Require multiple identity verification methods
Maintain “six-wall” border
Address proper thermal management
Implement RFID system for asset tracking
(Diagram: protection layers Perimeter, Facility, Computer Rooms, Cabinets)
39. Cabinet Layer Controls
Cabinet Level access control
Intelligent Infrastructure Management
40. Cabinet-Level Controls
Goals
– Fourth layer of protection
– Further restrict access
– Integrated systems for enhanced awareness
Security measures
– Cabinet-level locking
– Audit trails
– Intelligent infrastructure
(Diagram: protection layers Perimeter, Facility, Computer Rooms, Cabinets)
41. Data Center Solution
TZ Praetorian Cabinet Locking System
Increase security at the cabinet level
Work with existing enterprise access control systems
Efficiently bring electronic security and audit trail capability to the cabinet or enclosure level
42. The Power of Integrated Systems
(Diagram: IP data network linking UPS, fiber panel, access control server, core switch/router and network video recorder (NVR))
Response
– Resolves issues faster
– Saves time correlating events and timelines
– Moves from reactive toward predictive
– Provides real-time anywhere alerts for monitoring and recording
Operation
– Provides additional operator control
– Reduces deployment, training and support costs
– Preserves and protects capital investments
43. Summary
Perimeter, facility and computer room physical security may not be sufficient to prevent breaches
IP-enabled physical security systems increase reaction time
– Technology maturing
– Moving toward predictive response
Leverage existing physical security best practices and industry standards to develop security plan
(Diagram: protection layers Perimeter, Facility, Computer Rooms, Cabinets)
44. Thank you!
AFCOM
Data Center World 2010