Barney Tomasich
RCDD/NTS/OSP/WD/ESS/DCDC BDM Anixter Australia
Agenda
BICSI Material
Industry drivers
Developing the physical security plan for data centres
Physical protection guidelines and strategies
Crime Prevention Through Environmental Design (CPTED)
BICSI Material
Electronic Safety and Security (ESS)
Layered physical security
CPTED
IP Video surveillance
Critical infrastructure
Delay, Deter, Detect, Decide and Act
Electronic, Operational and Architectural security measures
These industries have data centres vital to national and economic security:
Banking, chemical, manufacturing, communications, energy, healthcare, transportation, water
Source: InformationWeek, Workers All Too Ready to Steal Company Data and Data Up for Grabs, Nov. 30, 2009. Cyber-Ark survey of 600 financial industry workers in New York and London via InformationWeek and Actimize surveys
Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm#2010
Physical Security
Tracks people
Limits access to areas, spaces
Provides audit trail of who accessed what area
Integrates with video to provide visual record of person
Logical Security
Tracks logins
Limits access to servers, folders and applications
Provides audit trail of what login accessed what data
Analog-to-digital migration
Digital allows better image management
Record, store, search, retrieve, share and send
Takes advantage of innovations of the computer industry
Physical Protection Guidelines and Strategies
Technologies for Data Centre Security
Security measures
Physical barriers
Site hardening
Lighting
Intrusion detection
Video surveillance
Physical entry and access control
Site Hardening
Parking away from building
Clear zones
Security walls and gates
No signage indicating data centre purpose
Intimidating doors and hardware
Steel doors and heavy-duty locks
No windows or skylights
Six-wall border for data centre assets
Secure air-handling systems
Detect
Motion detection
Trigger alarm or recording on motion in FOV
Benefits
Saves time correlating events and timelines
Resolves faster
Offers automated alerts: e-mail, pager, etc.
Resolutions Compared
5.0 MP 2560x1920
3.1 MP 2048x1535
2.0 MP 1600x1200
1.3 MP 1280x1024
PAL 720x576
VGA 640x480
CIF 352x288
Sample images at VGA (640x480), 3.1 MP (2048x1535) and 5.0 MP (2560x1920); images courtesy of IQinVision
Hardware NVR
Designed for IP surveillance cameras
Proprietary
Access control
Keep access points to a minimum
Facility-Layer Controls
Goals
Secondary layer of protection
Further restrict access
Redundant power and communications
Integrated systems
Layers: Perimeter, Facility, Computer Room, Cabinets
Security measures
Access control
Man-traps
Turnstiles
Visitor management
Video surveillance
Turnstiles
Physically allow only one person to pass through at a time
Video analytics
Count the number of people going through a doorway
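The turnstile and people-counting bullets above describe two signals that, taken together, reveal tailgating: the access-control system knows how many credentials were presented at a door, and the doorway video analytics knows how many people actually passed. The following Python is an added example, not part of the original Anixter/BICSI slides; the event formats, door names, credential ids and timestamps are constructed for illustration, and the 10-second correlation window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real facility data).
# Badge reads from the access-control system: (timestamp, door, credential id)
BADGE_EVENTS = [
    ("2024-01-15T08:00:02", "DOOR-3", "cred-101"),
    ("2024-01-15T08:00:30", "DOOR-3", "cred-102"),
    ("2024-01-15T08:05:10", "DOOR-3", "cred-103"),
]
# People counts from doorway video analytics: (timestamp, door, people passed inbound)
COUNT_EVENTS = [
    ("2024-01-15T08:00:05", "DOOR-3", 1),
    ("2024-01-15T08:00:33", "DOOR-3", 2),
    ("2024-01-15T08:05:12", "DOOR-3", 1),
]


def find_tailgating(badge_events, count_events, window_seconds=10):
    """Correlate each people-count event with the badge reads at the same door
    in the preceding window (window_seconds is an assumed tuning value).
    Returns alerts as (timestamp, door, badges_presented, people_counted)
    wherever more people passed than credentials were presented."""
    window = timedelta(seconds=window_seconds)
    alerts = []
    for ts, door, people in count_events:
        t = datetime.fromisoformat(ts)
        badges = sum(
            1
            for bts, bdoor, _ in badge_events
            if bdoor == door and t - window <= datetime.fromisoformat(bts) <= t
        )
        if people > badges:
            alerts.append((ts, door, badges, people))
    return alerts


if __name__ == "__main__":
    for alert in find_tailgating(BADGE_EVENTS, COUNT_EVENTS):
        print("possible tailgating:", alert)
```

With the constructed data the second count event (two people, one badge read in the previous 10 seconds) is flagged; widening the window to 60 seconds pulls in the earlier badge read and silences the alert, which is why the window should be matched to the door's actual dwell time rather than set generously.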
Video Analytics
Analyzes pixels in a frame of video
Detects behaviors in the pixels
Makes decisions based on set characteristics
From simple
Motion detection
Camera tampering
Object recognition and tracking
People counting
To complex
License plate readers
Facial recognition
Fire and smoke detection
Is edge-based or server-based
Server-based allows more complexity
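The simplest of the analytics listed above, motion detection that triggers an alarm or recording when enough changes in the field of view, is just the "analyze pixels, detect behavior, decide on set characteristics" loop applied to consecutive frames. The following Python is an added example, not code from the original slides or from any camera vendor; the frames are constructed 16x16 greyscale arrays, and the per-pixel change threshold (25 grey levels) and the changed-area threshold (5% of the region) are assumed tuning values.

```python
def make_frame(width, height, idx, block=None, background=50, block_value=200):
    """Constructed greyscale frame as a list of rows. A deterministic per-frame
    'sensor noise' pattern (0..4 grey levels) is added so the pixel threshold
    has something to reject. block=(x0, y0, x1, y1) paints a bright object."""
    frame = []
    for y in range(height):
        row = []
        for x in range(width):
            value = background + ((x * 7 + y * 3 + idx * 11) % 5)
            if block and block[0] <= x < block[2] and block[1] <= y < block[3]:
                value = block_value
            row.append(value)
        frame.append(row)
    return frame


def changed_fraction(prev, curr, region, pixel_threshold=25):
    """Fraction of pixels inside region=(x0, y0, x1, y1) whose grey level
    changed by more than pixel_threshold between two consecutive frames."""
    x0, y0, x1, y1 = region
    total = changed = 0
    for y in range(y0, y1):
        for x in range(x0, x1):
            total += 1
            if abs(curr[y][x] - prev[y][x]) > pixel_threshold:
                changed += 1
    return changed / total


def detect_motion(frames, region, pixel_threshold=25, area_threshold=0.05):
    """Return the indices of frames in which motion was detected inside the
    region of interest, i.e. the changed area reached area_threshold.
    This is the decision that would start recording or raise an alert."""
    return [
        i
        for i in range(1, len(frames))
        if changed_fraction(frames[i - 1], frames[i], region, pixel_threshold)
        >= area_threshold
    ]


# Constructed 16x16 sequence: two static frames, an object appears in the
# top-left quadrant, stays still for a frame, then moves to the bottom-right.
FRAMES = [
    make_frame(16, 16, 0),
    make_frame(16, 16, 1),
    make_frame(16, 16, 2, block=(2, 2, 6, 6)),
    make_frame(16, 16, 3, block=(2, 2, 6, 6)),
    make_frame(16, 16, 4, block=(10, 10, 14, 14)),
]
TOP_LEFT = (0, 0, 8, 8)
TOP_RIGHT = (8, 0, 16, 8)

if __name__ == "__main__":
    print("motion in top-left quadrant at frames:", detect_motion(FRAMES, TOP_LEFT))
    print("motion in top-right quadrant at frames:", detect_motion(FRAMES, TOP_RIGHT))
```

Only the region of interest is examined, so frame-to-frame noise and activity outside the watched zone do not fire the alert; the object's arrival (frame 2) and its departure (frame 4) both count as motion, while the frame where it sits still does not.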
High-Resolution Images
Image courtesy of Scientific Working Group on Imaging Technology and APTA Draft Guidelines for Cameras and Digital Video Recording Systems
A Category 5e cabling infrastructure's lack of headroom limits its ability to compensate for marginal electronics
A Category 6A cabling infrastructure provides headroom to overcome issues related to the electronics, temperature, humidity and poor installation
MPEG-4
Only the differences are coded in some pictures
Motion vector
Target block
P-frame
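The three labels above come from a diagram of how MPEG-4 codes a P-frame: a target block in the current picture is matched against the reference picture, the displacement that fits best is sent as a motion vector, and only the residual difference is coded. The following Python is an added example of that block-matching step, not code from the original slides or from any codec; the frames are constructed 16x16 greyscale arrays, the block size, search range and sum-of-absolute-differences cost are assumed choices for illustration.

```python
def gradient_frame(width, height, patch, patch_value=200):
    """Constructed greyscale frame: a gentle gradient background with a bright
    4x4 'object' whose top-left corner is at patch=(x, y)."""
    px, py = patch
    return [
        [patch_value if px <= x < px + 4 and py <= y < py + 4 else (x + y) % 64
         for x in range(width)]
        for y in range(height)
    ]


def block_sad(ref, cur, rx, ry, cx, cy, n):
    """Sum of absolute differences between the n x n block at (rx, ry) in the
    reference frame and the n x n block at (cx, cy) in the current frame."""
    return sum(
        abs(ref[ry + j][rx + i] - cur[cy + j][cx + i])
        for j in range(n)
        for i in range(n)
    )


def find_motion_vector(ref, cur, bx, by, n, search_range):
    """Full-search block matching. For the target block at (bx, by) in the
    current frame, try every displacement (dx, dy) within search_range into
    the reference frame and keep the one with the lowest SAD.
    Returns ((dx, dy), sad); the vector points from the target block to the
    matching position in the reference frame."""
    h, w = len(ref), len(ref[0])
    best = None
    for dy in range(-search_range, search_range + 1):
        for dx in range(-search_range, search_range + 1):
            rx, ry = bx + dx, by + dy
            if rx < 0 or ry < 0 or rx + n > w or ry + n > h:
                continue  # candidate block would fall outside the frame
            s = block_sad(ref, cur, rx, ry, bx, by, n)
            if best is None or s < best[1]:
                best = ((dx, dy), s)
    return best


def residual_block(ref, cur, bx, by, n, mv):
    """The prediction error that is actually coded for a P-frame block:
    target block minus the reference block shifted by the motion vector."""
    dx, dy = mv
    return [
        [cur[by + j][bx + i] - ref[by + dy + j][bx + dx + i] for i in range(n)]
        for j in range(n)
    ]


REF = gradient_frame(16, 16, patch=(4, 4))  # reference picture
CUR = gradient_frame(16, 16, patch=(6, 5))  # same object moved by (+2, +1)

if __name__ == "__main__":
    mv, cost = find_motion_vector(REF, CUR, bx=6, by=5, n=4, search_range=4)
    print("motion vector:", mv, "SAD:", cost)
    print("residual:", residual_block(REF, CUR, 6, 5, 4, mv))
```

Because the object simply translated between the two pictures, the best match has zero cost and the residual is all zeros, so the P-frame carries only the vector for this block; a real encoder codes the non-zero residual that remains when lighting, deformation or noise make the match imperfect.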
Security measures
Man-traps and turnstiles
Video analytics
Biometrics
RFID
Environmental monitoring
Identity Verification
Methods
Carried
Token or other item carried by the individual: metal keys, proxy cards, mag cards, photo ID, smart cards
Known
Private information: PIN, passwords, code words
Inherent
Biometric features: finger and thumb prints, hand geometry, iris scan, speech pattern, vascular
Variations
Facial scan: difficult to authenticate, background lighting required
Fingerprint: since 1858
Hand geometry: easier, may not be unique
Iris: non-intrusive, high accuracy, difficult to authenticate
Vascular
Cabinet-Level Controls
Goals
Fourth layer of protection
Further restrict access
Integrated systems for enhanced awareness
Layers: Perimeter, Facility, Computer Room, Cabinets
Security measures
Cabinet-level locking
Audit trails
Intelligent infrastructure
Response
Resolves issues faster
Saves time correlating events and timelines
Moves from reactive toward predictive
Provides real-time anywhere alerts for monitoring and recording
Diagram labels: IP, Data, Operation, UPS
Provides additional operator control
Reduces deployment, training and support costs
Preserves and protects capital investments
Legacy Approach
Important role for single function systems
Summary
BICSI materials available
Perimeter, facility and computer room physical security may not be sufficient to prevent breaches
IP-enabled physical security systems shorten reaction time
Technology maturing
Moving toward predictive response
Layers: Perimeter, Facility, Computer Room, Cabinets
Leverage existing physical security best practices and industry standards to develop security plan