
Migrating to IP-Based Physical Security in the Data Centre

Barney Tomasich
RCDD/NTS/OSP/WD/ESS/DCDC BDM Anixter Australia

Agenda
BICSI material
Industry drivers
Developing the physical security plan for data centres
  Physical protection guidelines and strategies
  Crime Prevention Through Environmental Design (CPTED)
Security technologies for data centres
  Perimeter-layer controls
  Facility-layer controls
  Computer room controls
  Cabinet-level controls

BICSI Material
Electronic Safety and Security (ESS)
  Layered physical security
  CPTED
  IP video surveillance
Data Centre Design Consultant (DCDC)
  BICSI-002
  Includes 5 chapters from NDRM and 2 chapters from ESSDRM
  2 hours, 100 questions (for both DCDC and ESS)
  Critical infrastructure
  Delay, Deter, Detect, Decide and Act
  Electronic, Operational and Architectural security measures

Industry Drivers for DC Security
Sensitive data
  Medical records
  Social Security numbers
  Financial transactions and cardholder data
  Intellectual property and confidential information
Critical infrastructure and key resources
  As defined by the Department of Homeland Security: the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof.
  These industries have data centres vital to national and economic security: banking, chemical, manufacturing, communications, energy, healthcare, transportation, water

Data Up For Grabs

Source: InformationWeek, Workers All Too Ready to Steal Company Data and Data Up for Grabs, Nov. 30, 2009. Cyber-Ark survey of 600 financial industry workers in New York and London via InformationWeek and Actimize surveys

Data Security Breaches

Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm#2010

Cyber Security Measures Not Sufficient
(Figure: physical security versus logical security only)
Physical security
  Tracks people
  Limits access to areas and spaces
  Provides an audit trail of who accessed what area
  Integrates with video to provide a visual record of the person
Logical security
  Tracks logins
  Limits access to servers, folders and applications
  Provides an audit trail of what login accessed what data

DCs Present Unique Challenges
Lack of security awareness and cooperation between security and IT staff
Co-location and stand-alone data centre facilities need, and may be required by law, to comply with internal, external and disparate security measures
PCI DSS, HIPAA, Sarbanes-Oxley et al. require physical areas, materials, data and hardware to be secured

Business Trends in Security Systems
Moving from reactive toward predictive response
Integrating with other systems
Providing additional operator control
Reducing costs of traditional systems
Preserving existing capital investment

Technology Trends in Security
Standardized structured approach
  Modular, flexible implementation
  Easy moves, adds and changes (MAC)
  Mainstream methods and practices
Analog-to-digital migration
  Digital allows better image management: record, store, search, retrieve, share and send
  Takes advantage of innovations from the computer industry

Developing the Physical Security Plan
Physical protection guidelines and strategies
Technologies for data centre security

Physical Protection Guidelines/Strategies
Crime Prevention Through Environmental Design (CPTED)
Perimeter-layer controls
Facility-layer controls
Computer room controls
Cabinet-level controls

Physical Protection Guidelines/Strategies
Crime Prevention Through Environmental Design
Awareness of how people use space
  All space has a designated purpose
  Social, cultural, legal and physical dimensions affect behavior
Control the physical setting to change behavior
  Understand and change behavior in relation to physical surroundings
  Redesign space to encourage legitimate behaviors and discourage illegitimate use

Physical Protection Guidelines/Strategies
Defense in depth
  Use cyber security
  Implement layers of protection
  Ensure failure of one element in the system will not create a critical vulnerability in the whole system
Protective layers around the assets being protected, from the inside out:
  Inner protective layer (e.g., doors within the building)
  Middle protective layer (e.g., exterior of the building)
  Outer protective layer (e.g., natural or man-made barrier at the property line)
Source: ASIS Facilities Physical Security Guideline

Security Technologies for DCs
Site location considerations
Security measures
  Perimeter-layer controls
  Facility-layer controls
  Computer room controls
  Cabinet-level controls

Perimeter Layer Controls
Goals
  Deter, detect and delay
  Integrate systems
  Provide layers of protection
Security measures
  Physical barriers
  Site hardening
  Lighting
  Intrusion detection
  Video surveillance
  Physical entry and access control
Site hardening
  Parking away from the building
  Clear zones
  Security walls and gates
  No signage indicating the data centre's purpose
  Intimidating doors and hardware: steel doors and heavy-duty locks
  No windows or skylights
  Six-wall border for data centre assets
  Secure air-handling systems

Perimeter Video Surveillance
Monitor
  Perimeter
  Parking lots
  Entry and exit points
  Garbage bins
  External storage, power or cooling facilities
  Building facade and rooftop
Detect
  Motion detection: trigger an alarm or recording on motion in the field of view (FOV)
  Intelligent video analytics: object left behind, people counting, trip line, wrong way
  Edge-based vs. server-based analytics
Image courtesy of Bosch Security Systems

Perimeter Video Surveillance
Integrated systems
Features
  Data and events from multiple systems integrated
  See video or access control events from either GUI
  Data exchanged across the IP network via open interfaces
Benefits
  Saves time correlating events and timelines
  Resolves faster
  Offers automated alerts: e-mail, pager, etc.
Image courtesy of Bosch Security Systems
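As an added illustration of the integrated-systems idea above (not code from the original slides or from any vendor's product), the following Python merges an access-control feed and a video-analytics feed into one timeline and raises a forced-door alert with the nearby camera motion events attached; the door ids, camera ids, badge ids and log records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample records from two systems arriving over the IP network:
# access control (reader grants, door contacts) and video analytics.
ACCESS_EVENTS = [  # (ISO timestamp, door id, event, badge id)
    ("2010-03-01T08:00:02", "DC-ENTRY", "GRANTED", "B1042"),
    ("2010-03-01T08:00:04", "DC-ENTRY", "DOOR_OPEN", ""),
    ("2010-03-01T08:00:09", "DC-ENTRY", "DOOR_CLOSED", ""),
    ("2010-03-01T08:17:30", "DC-ENTRY", "DOOR_OPEN", ""),    # no grant precedes it
    ("2010-03-01T08:17:36", "DC-ENTRY", "DOOR_CLOSED", ""),
]
VIDEO_EVENTS = [  # (ISO timestamp, camera id, event)
    ("2010-03-01T08:00:03", "CAM-DC-ENTRY", "MOTION"),
    ("2010-03-01T08:17:29", "CAM-DC-ENTRY", "MOTION"),
]
CAMERA_FOR_DOOR = {"DC-ENTRY": "CAM-DC-ENTRY"}   # assumed site mapping

@dataclass(order=True)
class Event:
    ts: datetime
    source: str      # "access" or "video"
    location: str    # door id or camera id
    kind: str
    badge: str = ""

def build_timeline() -> List[Event]:
    """Merge both feeds into one time-ordered list: the single-GUI view."""
    events = [Event(datetime.fromisoformat(t), "access", d, k, b) for t, d, k, b in ACCESS_EVENTS]
    events += [Event(datetime.fromisoformat(t), "video", c, k) for t, c, k in VIDEO_EVENTS]
    return sorted(events)

def forced_door_alerts(timeline: List[Event], grace_s: int = 10) -> List[dict]:
    """A DOOR_OPEN with no GRANTED on the same door within the preceding grace window
    means a forced or propped door; attach the camera motion events around it."""
    alerts = []
    for ev in timeline:
        if ev.source != "access" or ev.kind != "DOOR_OPEN":
            continue
        earliest = ev.ts - timedelta(seconds=grace_s)
        if any(o.source == "access" and o.location == ev.location and
               o.kind == "GRANTED" and earliest <= o.ts <= ev.ts for o in timeline):
            continue
        cam = CAMERA_FOR_DOOR.get(ev.location, "")
        motion = [o.ts.isoformat() for o in timeline if o.source == "video" and
                  o.location == cam and abs((o.ts - ev.ts).total_seconds()) <= 5]
        alerts.append({"door": ev.location, "at": ev.ts.isoformat(),
                       "camera": cam, "motion": motion})
    return alerts
```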

Resolutions Compared
5.0 MP: 2560x1920
3.1 MP: 2048x1535
2.0 MP: 1600x1200
1.3 MP: 1280x1024
PAL: 720x576
VGA: 640x480
CIF: 352x288
Image courtesy of IQinVision

HDTV Camera Resolution
Up to 5 times higher resolution than analog TV
Standardized color fidelity
16:9 format (compared with the 4:3 ratio of analog)
  Discards non-relevant parts
  Makes it easier for the operator
  Saves bandwidth
  Saves storage
HDTV 720 (1280x720): SMPTE 296M, 16:9, progressive scan
HDTV 1080 (1920x1080): SMPTE 274M, 16:9, interlaced or progressive scan
Both 50 fps at 50 Hz
Image courtesy of Axis Communications

Video Surveillance: Network Video Megapixel Resolution
(Sample images at VGA (640x480), HDTV 720 (1280x720), HDTV 1080 (1920x1080), 3.1 MP (2048x1535) and 5.0 MP (2560x1920))
Images courtesy of IQinVision

Video Management Platforms
Hybrid DVR
  Familiar interface
  Analog and IP cameras
  Proprietary and limited scalability
Hardware NVR
  Designed for IP surveillance cameras
  Proprietary
VMS on PC/server platform
  Nonproprietary
  Off-the-shelf hardware
  Simplicity in system maintenance
  Widespread knowledge, simple to understand
  Upgrade single components: memory, CPU
  Best-of-breed hardware components
  Preconfigured options available

Perimeter-Layer Controls Summary
Physical barriers
Video surveillance
  Monitor parking lots, neighboring property and building entrances and exits
Access control
  Keep access points to a minimum

Facility-Layer Controls
Goals
  Secondary layer of protection
  Further restrict access
  Redundant power and communications
  Integrated systems
Security measures
  Access control: man-traps, turnstiles, visitor management
  Video surveillance

Access Control: No Tailgating
Man-traps
  Two interlocking doors that open only one at a time, after an authorized credential is presented
Turnstiles
  Physically allow only one person to pass through at a time
Video analytics
  Count the number of people going through a doorway
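An added example, not from the original slides, of how the man-trap interlock, the multiple-verification policy of the computer room layer and the people-counting analytic combine in one controller; the door names, badge ids and the rule that the inner door needs a carried plus an inherent factor are assumptions made for illustration.

```python
from typing import List, Set

class ManTrap:
    """Interlock controller for a two-door vestibule in front of the computer room.
    Constructed example: door names, badge ids and the policy that the inner door
    needs a carried plus an inherent (biometric) factor are assumptions."""

    REQUIRED = {"outer": {"carried"}, "inner": {"carried", "inherent"}}

    def __init__(self, authorised_badges: Set[str]):
        self.authorised = authorised_badges
        self.door_open = {"outer": False, "inner": False}
        self.locked_down = False      # set by a tailgating report until an operator resets
        self.occupant = ""            # badge of the person inside the vestibule
        self.alarms: List[str] = []   # what the integrated monitoring system sees

    def request_open(self, door: str, badge: str, factors: Set[str]) -> bool:
        """Unlock `door` only if there is no lockdown, the other door is shut
        (the interlock), the badge is authorised and the factor categories
        presented meet that door's policy. Returns whether the door unlocked."""
        other = "inner" if door == "outer" else "outer"
        if self.locked_down or self.door_open[other]:
            return False
        if badge not in self.authorised or not self.REQUIRED[door] <= set(factors):
            self.alarms.append(f"denied {door} door for badge {badge}")
            return False
        self.door_open[door] = True
        if door == "outer":
            self.occupant = badge
        return True

    def close(self, door: str) -> None:
        self.door_open[door] = False
        if door == "inner":
            self.occupant = ""        # person has left the vestibule

    def people_count(self, count: int) -> bool:
        """Report from the vestibule camera's people-counting analytic. More than
        one person on a single credential is tailgating: lock both doors and
        raise an alarm. Returns True when the count is acceptable."""
        if count > 1:
            self.door_open = {"outer": False, "inner": False}
            self.locked_down = True
            self.alarms.append(f"tailgating: {count} people for badge {self.occupant}")
            return False
        return True

    def reset(self) -> None:
        """Operator clears the lockdown after reviewing the video."""
        self.locked_down = False
```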

Video Analytics
Analyzes the pixels in a frame of video
Detects behaviors in the pixels
Makes decisions based on set characteristics
From simple
  Motion detection
  Camera tampering
  Object recognition and tracking
  People counting
To complex
  License plate readers
  Facial recognition
  Fire and smoke detection
Edge-based or server-based; server-based allows more complexity

Indoor Video Surveillance
Monitor exits as well as entrances
Integrate with access control to monitor internal access
Use high-resolution cameras for identification purposes
Configure systems to record on motion or event to reduce storage requirements
Consider video compression technology
Open standards recommended (ONVIF): Axis, Sony, Bosch; Anixter is a member

High-Resolution Images
Image courtesy of Scientific Working Group on Imaging Technology and APTA Draft Guidelines for Cameras and Digital Video Recording Systems

Resolution: Identification Guidelines
General surveillance: e.g., traffic, shop
Forensic detail: e.g., bank, airport
High detail: e.g., casino, cash counting
Source: Univision

Impact of the Cabling Infrastructure
IP video over minimally compliant Category 5e vs. IP video over Category 6A
A Category 5e cabling infrastructure's absence of headroom minimizes the infrastructure's ability to compensate for marginal electronics
A Category 6A cabling infrastructure provides headroom to overcome issues related to the electronics, temperature, humidity and poor installation

Video Compression Technologies
Motion JPEG
  All pictures in the video are complete (just like a digital still camera)
MPEG-4
  Only the differences are coded in some pictures
Image courtesy of Axis Communications

Video Compression Technologies
H.264, or MPEG-4 Part 10/Advanced Video Coding (AVC)
(Figure: block-based motion estimation. A target block in the P-frame is matched against a search window in an earlier reference frame; the offset to the matching block is the motion vector.)
Image courtesy of Axis Communications

Lower TCO: BW and Storage
H.264: the ultimate video compression
H.264 compression, example savings in bandwidth and storage consumption relative to Motion JPEG: MPEG-4 Part 2 about 50% less, H.264 about 80% less
Image courtesy of Axis Communications

Facility Controls Summary
Provide multiple layers of protection
Install integrated systems to provide greater awareness
Implement multiple identity verification methods
Install indoor surveillance for identification and monitoring
Keep all visitor areas separate (including restrooms)
Maintain six-wall borders
Supply power back-up
Ensure redundant communications out of the NOC (separate providers, cell tower networks, etc.)

Computer Room Controls
Goals
  Third layer of protection
  Further restrict access
  Multiple forms of verification
  Monitor all authorized access
  Redundant power and communications
  Integrated systems for enhanced awareness
Security measures
  Man-traps and turnstiles
  Video analytics
  Biometrics
  RFID
  Environmental monitoring

Identity Verification
Methods
Carried
Token or other item carried by the individual: metal keys, proxy cards, mag cards, photo ID, smart cards

Known
Private information: PIN, passwords, code words

Inherent
Biometric features: finger and thumb prints, hand geometry, iris scan, speech pattern, vascular

Image courtesy of HID Global and Ingersoll Rand Security Technologies

Identity Verification: Biometrics
High-level security applications
  Inherent and unique to the user
  Much more difficult to replicate than passwords or PINs
  Cannot be lost or stolen
Variations
  Facial scan: difficult to authenticate, background lighting required
  Fingerprint: in use since 1858
  Hand geometry: easier, may not be unique
  Iris: non-intrusive, high accuracy, difficult to authenticate
  Vascular

RFID for the DC Environment
Eliminate manual spreadsheets for tracking
  Inventory
  Asset locations
  Life-cycle data
RFID technologies can provide instant awareness of data centre assets
  Rack-mounted equipment
  Mobile equipment such as laptops
  Employees (e.g., credential tags)
  Some systems also offer environmental monitoring sensors

Computer Room Controls Summary
Restrict access
Eliminate tailgating
Monitor exit and entry points
Require multiple identity verification methods
Maintain six-wall border
Address proper thermal management
Implement an RFID system for asset tracking

Cabinet-Level Controls
Goals
  Fourth layer of protection
  Further restrict access
  Integrated systems for enhanced awareness
Security measures
  Cabinet-level locking
  Audit trails
  Intelligent infrastructure

Access Control at the Cabinet Level
Increase security at the cabinet level
Work with existing enterprise access control systems
Efficiently bring electronic security and audit trail capability to the cabinet or enclosure level

The Power of Integrated Systems
(Figure: components sharing one IP network: fibre panel, core switch/router, network video recorder (NVR), access control server, UPS, IP data)
Response
  Resolves issues faster
  Saves time correlating events and timelines
  Moves from reactive toward predictive
  Provides real-time anywhere alerts for monitoring and recording
Operation
  Provides additional operator control
  Reduces deployment, training and support costs
  Preserves and protects capital investments

Convergence and the IP Migration
Migration from analog to digital and IP
Building systems converge
Standardized structured approach
Utility-grade connectivity
Open architecture
Interoperability
Legacy approach: important role for single-function systems
Migration to network approach: isolated systems join the IP Connected Enterprise
IP Connected Enterprise: replaces isolated systems

Summary
BICSI materials available
Perimeter, facility and computer room physical security may not be sufficient to prevent breaches
IP-enabled physical security systems increase reaction time
Technology maturing
Moving toward predictive response
Leverage existing physical security best practices and industry standards to develop the security plan
