Bicsi Sp 2013 Ip Based Security for Data Centres Barney Tomasich - Monday 18 March 2013 (1)


  • 7/27/2019 Bicsi Sp 2013 Ip Based Security for Data Centres Barney Tomasich - Monday 18 March 2013 (1)

    Slide 1 of 51

    Migrating to IP-Based Physical Security

    Barney Tomasich

    RCDD/NTS/OSP/WD/ESS/DCDC, BDM, Anixter Australia

    Slide 2 of 51

    Agenda

    BICSI Material

    Industry drivers

    Developing the physical security plan for data centres

    Physical protection guidelines and strategies

    Crime Prevention Through Environmental Design (CPTED)

    Security technologies for data centres: perimeter-layer controls, facility-layer controls, computer room controls, cabinet-level controls

    Slide 3 of 51

    BICSI Material

    Electronic Safety and Security (ESS): layered physical security, CPTED, IP video surveillance

    Data Centre Design Consultant (DCDC): BICSI-002, which includes 5 chapters from the NDRM and 2 chapters from the ESSDRM

    Exam: 2 hours, 100 questions (for both DCDC and ESS)

    Critical infrastructure

    Delay, deter, detect, decide and act

    Electronic, operational and architectural security measures

    Slide 4 of 51

    Industry Drivers for DC Security

    Sensitive data: medical records; Social Security numbers; financial transactions and cardholder data; intellectual property and confidential information

    Critical infrastructure and key resources, as defined by the Department of Homeland Security: the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof.

    These industries have data centres vital to national and economic security: banking, chemical, manufacturing, communications, energy, healthcare, transportation, water

    Slide 5 of 51

    Data Up For Grabs

    Source: InformationWeek, Workers All Too Ready to Steal Company Data and Data Up for Grabs, Nov. 30, 2009.

    Cyber-Ark survey of 600 financial industry workers in New York and London via InformationWeek and Actimize surveys

    Slide 6 of 51

    Data Security Breaches

    Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm#2010

    Slide 7 of 51

    Cyber Security Measures Not Sufficient

    (Diagram labels: Logical Security Only; Physical Security)

    Physical security: tracks people; limits access to areas and spaces; provides an audit trail of who accessed what area; integrates with video to provide a visual record of the person

    Logical security: tracks logins; limits access to servers, folders and applications; provides an audit trail of what login accessed what data

    Slide 8 of 51

    DCs Present Unique Challenges

    Lack of security awareness and cooperation between security and IT staff

    Co-location and stand-alone data centre facilities need, and may be required by law, to comply with internal, external and disparate security measures

    PCI DSS, HIPAA, Sarbanes-Oxley, et al. require physical areas, materials, data and hardware to be secured

    Slide 9 of 51

    Business Trends in Security Systems

    Moving from reactive toward predictive response

    Integrating with other systems

    Providing additional operator control

    Reducing costs of traditional systems

    Preserving existing capital investment

    Slide 10 of 51

    Technology Trends in Security

    Standardized structured approach

    Modular, flexible implementation

    Easy moves, adds and changes (MAC)

    Mainstream methods and practices

    Analog-to-digital migration

    Digital allows better image management: record, store, search, retrieve, share and send

    Takes advantage of innovations of the computer industry

    Slide 11 of 51

    Developing Physical Security Plan

    Physical Protection

    Technologies for Data Centre Security

    Slide 12 of 51

    Physical Protection Guidelines/Strategies

    Crime Prevention Through Environmental Design (CPTED)

    Perimeter-layer controls

    Facility-layer controls

    Computer room controls

    Cabinet-level controls

    Slide 13 of 51

    Physical Protection Guidelines/Strategies

    Crime Prevention Through Environmental Design

    Awareness of how people use space

    All space has a designated purpose

    Social, cultural, legal and physical dimensions affect behavior

    Control the physical setting to change behavior

    Understand and change behavior in relation to physical surroundings

    Redesign space to encourage legitimate behaviors and discourage illegitimate use

    Slide 14 of 51

    Physical Protection Guidelines/Strategies

    Defense in depth

    Use cyber security

    Implement layers of protection

    Ensure failure of one element in the system will not create a critical vulnerability in the whole system

    (Diagram: concentric layers around the assets being protected. Outer protective layer, e.g., natural or man-made barrier at property line; middle protective layer, e.g., exterior building; inner protective layer, e.g., doors within building.)

    Source: ASIS Facilities Physical Security Guideline

    Slide 15 of 51

    Security Technologies for DCs

    Site location considerations

    Security measures (layer diagram: Perimeter, Facility, Computer Room, Cabinets)

    Perimeter-layer controls

    Facility-layer controls

    Computer room controls

    Cabinet-level controls

    Slide 16 of 51

    Perimeter Layer Controls

    Goals: deter, detect and delay; integrate systems; provide layers of protection

    Security measures: physical barriers; site hardening; lighting; intrusion detection; video surveillance; physical entry and access control

    Slide 17 of 51

    Site Hardening

    Parking away from building

    Clear zones

    Security walls and gates

    No signage indicating data centre purpose

    Steel doors and heavy-duty locks

    No windows or skylights

    Six-wall border for data centre assets

    Secure air-handling systems

    Slide 18 of 51

    Perimeter Video Surveillance

    Monitor perimeter: parking lots; entry and exit points; garbage bins; external storage, power or cooling facilities

    Detect: motion detection (trigger alarm or recording on motion in the field of view); intelligent video analytics (object left behind, people counting, trip line, wrong way); edge-based vs. server-based analytics

    Image courtesy of Bosch Security Systems

    Slide 19 of 51

    Perimeter Video Surveillance

    Integrated systems

    Features: data and events from multiple systems integrated; see video or access control events from either GUI; data exchanged across the IP network via open interfaces

    Benefits: saves time correlating events and timelines; resolves faster; offers automated alerts (e-mail, pager, etc.)

    Image courtesy of Bosch Security Systems

    Slide 20 of 51

    Resolutions Compared

    5.0 MP: 2560x1920
    3.1 MP: 2048x1535
    2.0 MP: 1600x1200
    1.3 MP
    PAL: 720x576
    VGA: 640x480
    CIF: 352x288

    Image courtesy of IQinVision

    Slide 21 of 51

    HDTV Camera Resolution

    Up to 5 times higher resolution than analog TV

    Standardized color fidelity

    16:9 format: discards non-relevant parts; makes it easier for the operator; saves bandwidth; saves storage

    HDTV 720 (1280x720): SMPTE 296M, 16:9, progressive scan

    HDTV 1080 (1920x1080): SMPTE 274M, 16:9, interlaced or progressive scan

    Both 50 fps at 50 Hz

    (Comparison image: 4:3 ratio vs. 16:9 ratio; image courtesy of Axis Communications)

    Slide 22 of 51

    Video Surveillance: Network Video, Megapixel Resolution

    VGA (640x480)

    Image courtesy of IQinVision

    Slide 23 of 51

    Video Surveillance: Network Video, Megapixel Resolution

    HDTV 720 (1280x720)

    Image courtesy of IQinVision

    Slide 24 of 51

    Video Surveillance: Network Video, Megapixel Resolution

    HDTV 1080 (1920x1080)

    Image courtesy of IQinVision

    Slide 25 of 51

    Video Surveillance: Network Video, Megapixel Resolution

    3.1 MP (2048x1535)

    Image courtesy of IQinVision

    Slide 26 of 51

    Video Surveillance: Network Video, Megapixel Resolution

    5.0 MP (2560x1920)

    Image courtesy of IQinVision

    Slide 27 of 51

    Video Management Platforms

    Hybrid DVR: familiar interface; analog and IP cameras; proprietary and limited scalability

    Hardware NVR: designed for IP surveillance cameras; proprietary

    VMS on PC/server platform: nonproprietary; off-the-shelf hardware; simplicity in system maintenance; widespread knowledge, simple to understand; upgrade single components (memory, CPU); best-of-breed hardware components; preconfigured options available

    Slide 28 of 51

    Perimeter-Layer Controls Summary

    Physical barriers

    Video surveillance: neighboring property and building entrances and exits

    Access control: keep access points to a minimum

    Slide 29 of 51

    Facility-Layer Controls

    Goals: secondary layer of protection; further restrict access; redundant power and communications

    Security measures: access control; man-traps; turnstiles; visitor management; video surveillance

    Slide 30 of 51

    Access Control: No Tailgating

    Man-traps: two interlocking doors that open only one at a time after presenting an authorized credential; physically allow only one person to pass through at a time

    Video analytics: count the number of people going through a doorway
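The man-trap and people-counting controls above emit events onto the IP network, and the point of the integrated-systems slide earlier is that an operator should not have to correlate them by hand. The script below is an added example, not from the deck or any vendor: it reads constructed access-control (ACS) and video-analytics (VCA) log lines, matches each people count at a door against badge grants in the preceding ten seconds, and raises an alert when more people pass than badges were presented (tailgating) or when people pass with no grant at all (a held or forced door). The log format, the ACS/VCA source tags, the door and badge identifiers and the ten-second window are all assumptions chosen for the example.

```python
"""Correlate access-control grants with video people counts to flag tailgating.

Added example, not part of the BICSI deck. The log format, the ACS/VCA
source tags, door and badge identifiers and the 10 s matching window
are assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)  # assumed: a count arrives within 10 s of its grant

# Constructed sample log: one access-control system (ACS) and one video
# analytics (VCA) people counter per door, timestamps in UTC. The last two
# lines are deliberately out of order to show that sorting handles it.
SAMPLE_LOG = """\
2013-03-18T09:01:02Z ACS door=CR-01 badge=1042 result=GRANT
2013-03-18T09:01:05Z VCA door=CR-01 people_count=2
2013-03-18T09:15:30Z ACS door=CR-01 badge=2210 result=GRANT
2013-03-18T09:15:31Z ACS door=CR-01 badge=3305 result=GRANT
2013-03-18T09:15:34Z VCA door=CR-01 people_count=2
2013-03-18T09:30:00Z ACS door=CR-01 badge=0007 result=DENY
2013-03-18T09:30:04Z VCA door=CR-01 people_count=1
2013-03-18T09:40:03Z VCA door=CR-02 people_count=1
2013-03-18T09:40:00Z ACS door=CR-02 badge=1042 result=GRANT
"""


@dataclass
class Event:
    ts: datetime
    src: str        # "ACS" (access control) or "VCA" (video analytics)
    door: str
    fields: dict    # remaining key=value pairs from the line


def parse_line(line: str) -> Event:
    """Parse '<iso-ts>Z <SRC> key=value ...' into an Event."""
    ts_str, src, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, src, fields.pop("door"), fields)


def correlate(lines, window: timedelta = WINDOW) -> list:
    """Return alerts for people counts that exceed or lack matching grants.

    Events are sorted by time first, so out-of-order delivery from the two
    systems does not matter. Each grant is consumed by at most one count, so
    a single badge cannot explain two separate passes through the door.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e.ts)
    alerts = []
    open_grants = {}  # door -> [(ts, badge)] grants not yet matched to a count
    for e in events:
        if e.src == "ACS":
            if e.fields.get("result") == "GRANT":   # denials open nothing
                open_grants.setdefault(e.door, []).append(
                    (e.ts, e.fields["badge"]))
            continue
        if e.src != "VCA":
            continue
        count = int(e.fields["people_count"])
        # Grants inside the window match this count; older ones have expired.
        # Because events are time-ordered, nothing pending is in the future.
        matched = [g for g in open_grants.pop(e.door, [])
                   if e.ts - g[0] <= window]
        if count == 0:
            continue
        if not matched:
            alerts.append({"kind": "ENTRY_WITHOUT_GRANT", "door": e.door,
                           "ts": e.ts, "badges": [], "people": count})
        elif count > len(matched):
            alerts.append({"kind": "TAILGATE", "door": e.door, "ts": e.ts,
                           "badges": [b for _, b in matched], "people": count})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(a["ts"].isoformat(), a["kind"], a["door"], a["badges"], a["people"])
```

On the constructed log this yields two alerts: a tailgate at CR-01 where badge 1042 was followed by two people, and an entry without grant at CR-01 after the denied badge. The two grants at 09:15 followed by a count of two produce nothing, which is the point of counting grants rather than assuming one badge per pass. In a real deployment the window should be derived from the measured lag between the controller and the analytics engine, and the same logic can be pointed at cabinet-level lock events once those are on the network.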

    Slide 31 of 51

    Video Analytics

    Analyzes pixels in a frame of video; detects behaviors in the pixels; makes decisions based on set characteristics

    From simple: motion detection; camera tampering; object recognition and tracking; people counting

    To complex: license plate readers; facial recognition; fire and smoke detection

    Is edge-based or server-based; server-based allows more complexity

    Slide 32 of 51

    Indoor Video Surveillance

    Monitor exits as well as entrances

    Integrate with access control to monitor internal access

    Use high-resolution cameras for identification purposes

    Configure systems to record on motion or event to save storage requirements

    Consider video compression technology

    Open standards recommended: ONVIF (founded by Axis, Sony and Bosch; Anixter is a member)

    Slide 33 of 51

    High-Resolution Images

    Image courtesy of Scientific Working Group on Imaging Technology and APTA Draft Guidelines for Cameras and Digital Video Recording Systems

    Slide 34 of 51

    Resolution: Identification Guidelines

    (Chart of three tiers of required image detail.) General surveillance, e.g., traffic, shop; Forensic, e.g., bank, airport; High detail, e.g., casino, cash counting

    Source: Univision
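Whether a camera delivers general-surveillance, forensic or high-detail imagery depends on how many pixels land on the subject, which is a function of sensor resolution, lens field of view and distance. The following is an added example, not from the deck, Univision or any vendor: it turns the resolution comparison on slide 20 into a placement check by computing pixels per metre at a given distance and classifying the result. The tier names and thresholds (detect 25, observe 62.5, recognise 125, identify 250 px/m) are assumptions taken from the EN 62676-4 pixel-density convention, not from the slides, as is the 1/3" sensor width used in the demonstration.

```python
"""Pixel-density check for camera placement.

Added example, not from the BICSI deck. Tier thresholds are assumed from
the EN 62676-4 / DORI convention (pixels per metre on the target).
"""
import math

# Assumed thresholds, pixels per metre at the target, highest first.
TIERS = [
    ("identify", 250.0),   # identify a person not previously seen
    ("recognise", 125.0),  # recognise a known person
    ("observe", 62.5),     # see clothing and activity
    ("detect", 25.0),      # see that a person is present
]

# Image widths from the deck's resolution comparison and HDTV slides.
RESOLUTIONS = {
    "5.0 MP": 2560, "3.1 MP": 2048, "2.0 MP": 1600,
    "HDTV 1080": 1920, "HDTV 720": 1280,
    "PAL": 720, "VGA": 640, "CIF": 352,
}


def horizontal_fov_deg(sensor_width_mm: float, focal_length_mm: float) -> float:
    """Horizontal field of view of a rectilinear lens."""
    return math.degrees(2 * math.atan(sensor_width_mm / (2 * focal_length_mm)))


def scene_width_m(distance_m: float, hfov_deg: float) -> float:
    """Width of the scene covered at the given distance."""
    return 2 * distance_m * math.tan(math.radians(hfov_deg / 2))


def pixels_per_metre(image_width_px: int, distance_m: float, hfov_deg: float) -> float:
    """Horizontal pixel density on a target at the given distance."""
    return image_width_px / scene_width_m(distance_m, hfov_deg)


def tier_for(ppm: float) -> str:
    """Classify a pixel density; 'none' if even detection is not met."""
    for name, threshold in TIERS:
        if ppm >= threshold:
            return name
    return "none"


def max_distance_m(image_width_px: int, hfov_deg: float, tier: str) -> float:
    """Farthest distance at which this camera still meets the tier."""
    threshold = dict(TIERS)[tier]
    return image_width_px / (threshold * 2 * math.tan(math.radians(hfov_deg / 2)))


def compare_resolutions(distance_m: float, hfov_deg: float) -> dict:
    """Tier reached by each resolution in the deck's table at one distance."""
    return {name: tier_for(pixels_per_metre(w, distance_m, hfov_deg))
            for name, w in RESOLUTIONS.items()}


if __name__ == "__main__":
    # Assumed optics: a 1/3" sensor (4.8 mm wide) behind a 2.4 mm lens,
    # which gives a 90 degree horizontal view.
    fov = horizontal_fov_deg(4.8, 2.4)
    for name, tier in compare_resolutions(10.0, fov).items():
        print(f"{name:>9}: {tier}")
    print("identify with HDTV 1080 up to %.2f m" % max_distance_m(1920, fov, "identify"))
```

At 10 m with a 90 degree lens the 5 MP camera reaches the recognise tier, HDTV 1080 only observe, VGA detect and CIF nothing at all, and HDTV 1080 must be within about 3.8 m of the door to identify a stranger. That is the practical reason the facility and computer-room slides call for high-resolution cameras on entrances: the wide-angle perimeter camera that covers a car park cannot also produce identification-grade faces.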

    Slide 35 of 51

    Impact of the Cabling Infrastructure

    (Image: IP video over minimally compliant Category 5e vs. IP video over Category 6A)

    A Category 5e cabling infrastructure's absence of headroom minimizes the infrastructure's ability to compensate for marginal electronics

    A Category 6A cabling infrastructure provides headroom to overcome issues related to the electronics, temperature, humidity and poor installation

    Slide 36 of 51

    Video Compression Technologies

    Motion JPEG: all pictures in the video are complete (just like a digital still camera)

    MPEG-4: only the differences are coded in some pictures

    Image courtesy of Axis Communications

    Slide 37 of 51

    Video Compression Technologies: H.264 or MPEG-4 Part 10/Advanced Video Coding (AVC)

    (Diagram of motion-compensated prediction: a target block in the P-frame is matched against a search window in an earlier reference frame; the matching block is described by a motion vector.)

    Image courtesy of Axis Communications

    Slide 38 of 51

    Lower TCO: BW and Storage. H.264: the ultimate video compression

    H.264 compression (example savings)

    (Bar chart of bandwidth and storage consumption for Motion JPEG, MPEG-4 Part 2 and H.264; an 80% figure is shown against H.264.)

    Image courtesy of Axis Communications
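Compression choice, frame rate, resolution and record-on-motion (slide 32) together decide how much network and disk a camera consumes, and the only way to know whether a recorder will hold the retention period the security plan requires is to size it. The following is an added example, not from the deck or Axis: a small sizing calculator that models Motion JPEG at an assumed 0.5 bit per pixel per frame, MPEG-4 Part 2 at half of that and H.264 at one fifth (the 80% saving on the slide), and computes bandwidth, storage per day and the retention a given capacity supports. The bit-per-pixel figure and the MPEG-4 Part 2 factor are assumptions for illustration; real bit rates depend on scene activity and encoder settings, so measure a representative camera before committing to a storage purchase.

```python
"""Bandwidth and storage sizing for IP video.

Added example, not from the BICSI deck or Axis. The bit-rate model is an
assumption: Motion JPEG at 0.5 bit/pixel/frame, MPEG-4 Part 2 at 50% of
that, H.264 at 20% (the 80% saving quoted on the slide). Real encoders
vary with scene activity and quality settings.
"""
from dataclasses import dataclass

MJPEG_BITS_PER_PIXEL = 0.5                                  # assumed
CODEC_FACTOR = {"mjpeg": 1.0, "mpeg4": 0.5, "h264": 0.2}    # assumed
SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Camera:
    name: str
    width: int
    height: int
    fps: float
    codec: str
    motion_duty: float = 1.0   # fraction of the day recorded; 1.0 = continuous

    def bitrate_mbps(self) -> float:
        """Average stream rate in Mbit/s while recording."""
        return (self.width * self.height * MJPEG_BITS_PER_PIXEL * self.fps
                * CODEC_FACTOR[self.codec]) / 1e6

    def gb_per_day(self) -> float:
        """Storage per day in decimal gigabytes (as disks are sold)."""
        return self.bitrate_mbps() * self.motion_duty * SECONDS_PER_DAY / 8 / 1000


def saving_vs_mjpeg(codec: str) -> float:
    """Fraction of bandwidth and storage saved relative to Motion JPEG."""
    return 1.0 - CODEC_FACTOR[codec]


def codec_comparison(cam: Camera) -> dict:
    """GB/day for the same camera under each codec in the model."""
    return {c: Camera(cam.name, cam.width, cam.height, cam.fps, c,
                      cam.motion_duty).gb_per_day()
            for c in CODEC_FACTOR}


def size_deployment(cameras, capacity_tb: float) -> dict:
    """Aggregate bandwidth, daily storage and the retention the capacity allows."""
    total_mbps = sum(c.bitrate_mbps() for c in cameras)
    gb_day = sum(c.gb_per_day() for c in cameras)
    return {
        "peak_mbps": total_mbps,          # every camera streaming at once
        "gb_per_day": gb_day,
        "retention_days": capacity_tb * 1000 / gb_day,
    }


if __name__ == "__main__":
    lobby = Camera("lobby", 1920, 1080, 25, "h264")                     # continuous
    cage = Camera("cage", 2560, 1920, 12, "h264", motion_duty=0.25)     # on motion
    print(codec_comparison(lobby))
    print(size_deployment([lobby, cage], capacity_tb=8.0))
```

The peak figure matters for the switch and the recorder's network interface, the daily figure for the disk, and the retention figure is the one to compare against what PCI DSS or the site's own policy demands; if it falls short, the levers are in the order the deck presents them: codec first, then record-on-motion, then frame rate, and only then resolution, because dropping resolution costs the identification capability computed on the previous slides.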

    Slide 39 of 51

    Facility Controls Summary

    Provide multiple layers of protection

    Install integrated systems to provide greater awareness

    Implement multiple identity verification methods

    Install indoor surveillance for identification and monitoring

    Keep all visitor areas separate (including restrooms)

    Maintain six-wall borders

    Supply power back-up

    Ensure redundant communications out of the NOC (separate providers, cell tower networks, etc.)

    Slide 40 of 51

    Computer Room Controls

    Goals: third layer of protection; further restrict access; multiple forms of verification; monitor all authorized access; redundant power and communications; integrated systems for enhanced awareness

    Security measures: man-traps and turnstiles; video analytics; biometrics; RFID; environmental monitoring

    Slide 41 of 51

    Identity Verification

    Methods

    Carried: token or other item carried by the individual (metal keys, proximity cards, mag-stripe cards, photo ID, smart cards)

    Known: private information (PIN, passwords, code words)

    Inherent: biometric features (finger and thumb prints, hand geometry, iris scan, speech pattern, vascular)

    Image courtesy of HID Global and Ingersoll Rand Security Technologies

    Slide 42 of 51

    Identity Verification: Biometrics

    High-level security applications

    Inherent and unique to user

    Much more difficult to replicate than passwords or PINs

    Cannot be lost or stolen (the stored template can be, and unlike a card or PIN it cannot be reissued, so the template store needs protecting)

    Variations: one modality requires background lighting; fingerprint (in use since 1858); hand geometry (easier, may not be unique); iris (non-intrusive, high accuracy, difficult to authenticate); vascular

    Slide 43 of 51

    RFID for the DC Environment

    Eliminate manual spreadsheets for tracking: inventory; asset locations; life-cycle data

    Instant awareness of data centre assets: rack-mounted equipment; mobile equipment such as laptops; employees (e.g., credential tags)

    Some systems also offer environmental monitoring sensors

    Slide 44 of 51

    Computer Room Controls Summary

    Restrict access

    Eliminate tailgating

    Monitor exit and entry points

    Require multiple identity verification methods

    Maintain six-wall border

    Address proper thermal management

    Implement RFID system for asset tracking

    Slide 45 of 51

    Cabinet-Level Controls

    Goals: fourth layer of protection; further restrict access; integrated systems for enhanced awareness

    Cabinet-level locking

    Audit trails

    Intelligent infrastructure

    Slide 46 of 51

    Access Control at the Cabinet Level

    Increase security at the cabinet level

    Work with existing enterprise access control systems

    Efficiently bring electronic security and audit trail capability to the cabinet or enclosure level

    Slide 47 of 51

    The Power of Integrated Systems

    (Diagram of an integrated system over the IP network: fibre panel, core switch/router, network video recorder (NVR), UPS, access control server)

    Response: resolves issues faster; saves time correlating events and timelines; moves from reactive toward predictive; provides real-time, anywhere alerts for monitoring and recording

    Operation: provides additional operator control; reduces deployment, training and support costs; preserves and protects capital investments

    Slide 48 of 51

    Convergence and the IP Migration

    Migration from analog to digital and IP

    Building systems converge

    Standardized structured approach

    Utility-grade connectivity

    Open architecture

    Interoperability

    Legacy approach: important role for single-function systems

    Slide 49 of 51

    Convergence and the IP Migration (continued, same bullets as the previous slide)

    Migration to network approach: isolated systems join the IP connected enterprise

    Slide 50 of 51

    Convergence and the IP Migration (continued, same bullets as slide 48)

    IP connected enterprise replaces isolated systems

    Slide 51 of 51

    Summary

    BICSI materials available

    Perimeter, facility and computer room physical security may not be sufficient to prevent breaches

    IP-enabled physical security systems shorten reaction time

    Technology maturing

    Moving toward predictive response

    Leverage existing physical security best practices and industry standards to develop the security plan

    Once cameras, recorders and access controllers sit on the IP network they are hosts like any other: segment them from the production network, replace default credentials, use whatever encrypted transport the equipment supports, and keep firmware patched, or the layered physical controls inherit the weaknesses of the network they ride on.