Beruflich Dokumente
Kultur Dokumente
Facilities interested in complying with these data center physical security best practices
in the context of a Type I or Type II audit will benefit by learning the history and
overview of the auditing standard, along with important facts and SAS 70 benefits.
The need for ironclad virtual security measures, such as managed firewalls, is well
known. Yet physical security is often placed on the back burner, largely forgotten about
until an unauthorized party manages to break into or sneak onto a site and steals or
vandalizes systems.
As with virtual security, physical protection requires building a multi-layer defense using
a variety of tools and techniques. Here’s a look at the basic measures employed by a
state of the art data center:
External Measures
Entry point. Data centers are generally designed with a central access point that’s used
to filter employees and visitors into the data center. All requests are vetted by a security
guard with an intercom link to ensure that they have a legitimate reason for entering the
premises.
Internal Measures
Lobby area. A staffed reception desk, with one or more security guards checking
visitors’ credentials, creates an invaluable first line of access control.
Closed circuit TV. Like their external counterparts, internal cameras provide constant
surveillance and offer documented proof of any observed wrongdoing.
Biometric screening. Once the stuff of science fiction and spy movies, biometric
identification now plays a key role in premises security. Biometric systems authorize
users on the basis of a physical characteristic that doesn’t change during a lifetime, such
as a fingerprint, hand or face geometry or retina or iris features.
Mantrap. Typically located at the gateway between the lobby and the rest of the data
center, mantrap technology consists of two interlocking doors positioned on either side
of an enclosed space. The first door must close before the second one opens. In a typical
mantrap, the visitor needs to first “badge-in” and then once inside must pass a biometric
screening in the form of an iris scan.
Access Control List. Defined by the data center customer, an access control list
includes the names of individuals who are authorized to enter the data center
environment. Anyone not on the list will not be granted access to operational areas.
Badges and cards. Visually distinctive badges and identification cards, combined with
automated entry points, ensure that only authorized people can access specific data
center areas. The most common identification technologies are magnetic stripe,
proximity, barcode, smart cards and various biometric devices.
Guard staff. A well-trained staff that monitors site facilities and security technologies is
an essential element in any access control plan.
Loading and receiving. For full premises security, mantraps, card readers and other
access controls located in public-facing facilities also need to be duplicated at the data
center’s loading docks and storage areas.
Operational areas. The final line of physical protection falls in front of the data
center’s IT resources. Private cages and suites need to be equipped with dedicated
access control systems while cabinets should have locking front and rear doors for
additional protection.
++++++++++
According to a report by the SANS Institute, “IT security and physical security
are no longer security silos in the IT environment; they are and must be
considered one and the same or, as it should be called, overall security.”
Policy Basics
After setting expectations and behavioral ground rules, actual data center access
policies have several common elements. The most essential are definitions of
various access levels and procedures for authenticating individuals in each group
and their associated privileges and responsibilities when in the data center.
Identification Procedures
The next step in a physical security policy is to set up controls and identification
procedures for authenticating data center users and granting them physical access.
Although biometric scanners look flashy in the movies and certainly provide an
added measure of security, Stahl says a magnetic stripe badge reader is still the
most common entry technology, as it’s simple, cheap, and effective and allows
automated logging, which is a necessary audit trail.
One problem with mag readers, according to Stahl, is their susceptibility to
tailgating, or allowing unauthorized personnel to trail a colleague through an
entryway. That’s why Stahl advises supplementing doors and locks with recorded
video surveillance.
Access levels and controls, with identification, monitoring, and logging, form the
foundation of an access policy. But two other major policy elements are standards
of conduct and behavior inside the data center (such as prohibitions on food and
beverages or tampering with unauthorized equipment) and limitations and
controls on the admission of personal electronics such as USB thumb drives,
laptops, smartphones, or cameras.
The PCI DSS (Payment Card Industry Data Security Standard) also includes a
lengthy section (also section 9) on physical security, which, Stahl says, is a “very
practical, tactical, and actionable” starting point that meets at least 80% of most
enterprise needs. One nice feature of the PCI DSS is that, in addition to outlining
specific requirements, it adds corresponding testing and auditing procedures.
Stahl says that any enterprise could use PCI as a baseline, augmenting it as
needed to meet business-specific requirements.
The ability to test and validate access policy compliance is important, and Stahl
recommends integrating physical security audits with existing IT audit processes.
“Auditors can be your friend,” he says, noting that independent third parties are
the best way to establish policy compliance.
Although PCI, SAS, ISO, and various templates such as Info-Tech’s can provide
general guidelines, Beaver feels that, ultimately, access policy must reflect
situations unique to each business. “The best advice I can give is to find out
where you’re weak first,” he says. “Putting policies and procedures in place
without first understanding what you’re up against is simply going through the
motions and is not sustainable long term.”
by Kurt Marko
Levels Of Access