7/27/2019 Bicsi Sp 2013 Ip Based Security for Data Centres Barney Tomasich - Monday 18 March 2013 (1)
1/51
Migrating to IP-Based Physical Security
Barney Tomasich
RCDD/NTS/OSP/WD/ESS/DCDC, BDM, Anixter Australia
2/51
Agenda
Industry drivers
Developing the physical security plan for data centres
Physical protection guidelines and strategies
Crime Prevention Through Environmental Design (CPTED)
Security technologies for data centres: perimeter-layer controls, facility-layer controls, computer room controls, cabinet-level controls
3/51
BICSI Material
Electronic Safety and Security (ESS)
Layered physical security
CPTED
IP video surveillance
Data Centre Design Consultant (DCDC)
BICSI-002
Includes 5 chapters from NDRM & 2 chapters from ESSDRM
2 hours, 100 questions (for both DCDC & ESS)
Critical infrastructure
Delay, Deter, Detect, Decide and Act
Electronic, Operational and Architectural security measures
4/51
Industry Drivers for DC Security
Sensitive data
Medical records
Social Security numbers
Financial transactions and cardholder data
Intellectual property and confidential information
Critical infrastructure and key resources
As defined by the Department of Homeland Security: The assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof.
These industries have data centres vital to national and economic security: banking, chemical, manufacturing, communications, energy, healthcare, transportation, water
5/51
Data Up For Grabs
Source: InformationWeek, Workers All Too Ready to Steal Company Data and Data Up for Grabs, Nov. 30, 2009.
Cyber-Ark survey of 600 financial industry workers in New York and London, via InformationWeek and Actimize surveys
6/51
Data Security Breaches
Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm#2010
7/51
Cyber Security Measures Not Sufficient
(Diagram: Logical Security Only versus Physical Security)
Physical Security
Tracks people
Limits access to areas, spaces
Provides audit trail of who accessed what area
Integrates with video to provide visual record of person
Logical Security
Tracks logins
Limits access to servers, folders and applications
Provides audit trail of what login accessed what data
8/51
DCs Present Unique Challenges
Lack of security awareness and cooperation between security and IT staff
Co-location and stand-alone data centre facilities need, and may be required by law, to comply with internal, external and disparate security measures
PCI DSS, HIPAA, Sarbanes-Oxley, et al. require physical areas, materials, data and hardware to be secured
9/51
Business Trends in Security Systems
Moving from reactive toward predictive response
Integrating with other systems
Providing additional operator control
Reducing costs of traditional systems
Preserving existing capital investment
10/51
Technology Trends in Security
Standardized structured approach
Modular, flexible implementation
Easy moves, adds and changes (MAC)
Mainstream methods and practices
Analog-to-digital migration
Digital allows better image management: record, store, search, retrieve, share and send
Takes advantage of innovations of the computer industry
11/51
Developing Physical Security Plan
Physical Protection
Technologies for Data Centre Security
12/51
Physical Protection Guidelines/Strategies
Crime Prevention Through Environmental Design (CPTED)
Perimeter-layer controls
Facility-layer controls
Computer room controls
Cabinet-level controls
13/51
Physical Protection Guidelines/Strategies
Crime Prevention Through Environmental Design
Awareness of how people use space
All space has a designated purpose
Social, cultural, legal and physical dimensions affect behavior
Control physical setting to change behavior
Understand and change behavior in relation to physical surroundings
Redesign space to encourage legitimate behaviors and discourage illegitimate use
14/51
Physical Protection Guidelines/Strategies
Defense in depth
Use cyber security
Implement layers of protection
Ensure failure of one element in the system will not create a critical vulnerability in the whole system
(Diagram: Assets Being Protected at the centre; inner protective layer (e.g., doors within building); middle protective layer (e.g., exterior building); outer protective layer (e.g., natural or man-made barrier at property line))
Source: ASIS Facilities Physical Security Guideline
15/51
Security Technologies for DCs
Site location considerations
Security measures
(Layer diagram: Perimeter, Facility, Computer Room, Cabinets)
Perimeter-layer controls
Facility-layer controls
Computer room controls
Cabinet-level controls
16/51
Perimeter Layer Controls
Goals
Deter, detect and delay
Integrate systems
Provide layers of protection
(Layer diagram: Perimeter, Facility, Computer Room, Cabinets)
Security measures
Physical barriers
Site hardening
Lighting
Intrusion detection
Video surveillance
Physical entry and access control
17/51
Site Hardening
Parking away from building
Clear zones
Security walls and gates
No signage indicating data centre purpose
Steel doors and heavy-duty locks
No windows or skylights
Six-wall border for data centre assets
Secure air-handling systems
18/51
Perimeter Video Surveillance
Monitor perimeter
Parking lots
Entry and exit points
Garbage bins
External storage, power or cooling facilities
Detect
Motion detection
Trigger alarm or recording on motion in the field of view (FOV)
Intelligent video analytics
Object left behind
People counting
Trip line
Wrong way
Edge-based vs. server-based analytics
Image courtesy of Bosch Security Systems
19/51
Perimeter Video Surveillance
Integrated systems
Features
Data and events from multiple systems integrated
See video or access control events from either GUI
Data exchanged across IP network via open interfaces
Benefits
Saves time correlating events and timelines
Resolves faster
Offers automated alerts: e-mail, pager, etc.
Image courtesy of Bosch Security Systems
20/51
Resolutions Compared
5.0 MP   2560x1920
3.1 MP   2048x1535
2.0 MP   1600x1200
1.3 MP
PAL      720x576
VGA      640x480
CIF      352x288
Image courtesy of IQinVision
21/51
HDTV Camera Resolution
Up to 5 times higher resolution than analog TV
Standardized color fidelity
16:9 format: discards non-relevant parts, makes it easier for the operator, saves bandwidth, saves storage
HDTV 720 (1280x720): SMPTE 296M, 16:9, progressive scan
HDTV 1080 (1920x1080): SMPTE 274M, 16:9, interlaced or progressive scan
Both 50 fps at 50 Hz
(Image compares the 4:3 ratio with the 16:9 ratio; courtesy of Axis Communications)
22/51
Video Surveillance: Network Video
Megapixel Resolution
(Image: VGA (640x480); courtesy of IQinVision)
23/51
Video Surveillance: Network Video
Megapixel Resolution
(Image: HDTV 720 (1280x720); courtesy of IQinVision)
24/51
Video Surveillance: Network Video
Megapixel Resolution
(Image: HDTV 1080 (1920x1080); courtesy of IQinVision)
25/51
Video Surveillance: Network Video
Megapixel Resolution
(Image: 3.1 MP (2048x1535); courtesy of IQinVision)
26/51
Video Surveillance: Network Video
Megapixel Resolution
(Image: 5.0 MP (2560x1920); courtesy of IQinVision)
27/51
Video Management Platforms
Hybrid DVR
Familiar interface
Analog and IP cameras
Proprietary and limited scalability
Hardware NVR
Designed for IP surveillance cameras
Proprietary
VMS on PC/server platform
Nonproprietary
Off-the-shelf hardware
Simplicity in system maintenance
Widespread knowledge, simple to understand
Upgrade single components: memory, CPU
Best-of-breed hardware components
Preconfigured options available
28/51
Perimeter-Layer Controls Summary
(Layer diagram: Perimeter, Facility, Computer Room, Cabinets)
Physical barriers
Video surveillance: neighboring property and building entrances and exits
Access control
Keep access points to a minimum
29/51
Facility-Layer Controls
Goals
Secondary layer of protection
Further restrict access
Redundant power and communications
(Layer diagram: Perimeter, Facility, Computer Room, Cabinets)
Security measures
Access control
Man-traps
Turnstiles
Visitor management
Video surveillance
30/51
Access Control: No Tailgating
Man-traps
Two interlocking doors open only one at a time after presenting authorized credential
Physically allow only one person to pass through at a time
Video analytics
Count the number of people going through a doorway
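The interlock the slide describes can be written down as a small state machine, which makes the safety property explicit: the outer and inner doors are never released at the same time, the inner door releases only after a valid credential and a people count of exactly one, and every transition lands in an audit trail. The following is an added illustration, not code from the BICSI deck or any vendor; the event names, the single-occupant rule and the idea that the people count comes from a video-analytics feed are assumptions.

```python
"""Man-trap (interlock) controller: two doors, only one ever unlocked, inner
door released only after an authorized credential and a people count of one.
Added example, not from the BICSI deck; event names and the people-count
source (video analytics) are assumptions."""
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    IDLE = auto()        # both doors closed and locked
    OUTER_OPEN = auto()  # outer door released, inner door locked
    VESTIBULE = auto()   # both doors closed, occupant(s) inside, awaiting count
    INNER_OPEN = auto()  # inner door released, outer door locked
    ALARM = auto()       # tailgating detected, both doors locked, operator reset needed


@dataclass
class ManTrap:
    state: State = State.IDLE
    audit: list = field(default_factory=list)  # who did what, and when in the cycle

    def _log(self, msg):
        self.audit.append(f"{self.state.name}: {msg}")

    def present_credential(self, person_id, authorized):
        """Credential read at the outer door; only honoured when the trap is idle."""
        if self.state != State.IDLE:
            self._log(f"credential from {person_id} ignored (cycle in progress)")
            return False
        if not authorized:
            self._log(f"credential from {person_id} denied")
            return False
        self.state = State.OUTER_OPEN
        self._log(f"outer door released for {person_id}")
        return True

    def outer_door_closed(self):
        if self.state == State.OUTER_OPEN:
            self.state = State.VESTIBULE
            self._log("outer door closed and locked")

    def people_count(self, n):
        """Video analytics reports how many people are inside the vestibule."""
        if self.state != State.VESTIBULE:
            return
        if n == 1:
            self.state = State.INNER_OPEN
            self._log("one occupant confirmed; inner door released")
        else:
            self.state = State.ALARM
            self._log(f"{n} occupants detected; tailgating alarm, both doors locked")

    def inner_door_closed(self):
        if self.state == State.INNER_OPEN:
            self.state = State.IDLE
            self._log("inner door closed; cycle complete")

    def operator_reset(self):
        if self.state == State.ALARM:
            self.state = State.IDLE
            self._log("operator reset")

    def door_is_unlocked(self, door):
        """The invariant worth checking: never both doors unlocked at once."""
        return (door == "outer" and self.state == State.OUTER_OPEN) or \
               (door == "inner" and self.state == State.INNER_OPEN)


def run_cycle(person_id, authorized, occupants):
    """Drive one passage attempt through the trap; return (final state, audit trail)."""
    trap = ManTrap()
    trap.present_credential(person_id, authorized)
    trap.outer_door_closed()
    trap.people_count(occupants)
    trap.inner_door_closed()
    return trap.state, trap.audit


if __name__ == "__main__":
    for line in run_cycle("alice", True, 1)[1] + run_cycle("bob", True, 2)[1]:
        print(line)
```

A second person following an authorized one into the vestibule leaves the trap in ALARM with both doors locked until an operator clears it, which is the behaviour the "physically allow only one person to pass through at a time" bullet asks for.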
31/51
Video Analytics
Analyzes pixels in a frame of video
Detects behaviors in the pixels
Makes decisions based on set characteristics
From simple:
Motion detection
Camera tampering
Object recognition and tracking
People counting
To complex:
License plate readers
Facial recognition
Fire and smoke detection
Is edge-based or server-based; server-based allows more complexity
32/51
Indoor Video Surveillance
Monitor exits as well as entrances
Integrate with access control to monitor internal access
Use high-resolution cameras for identification purposes
Configure systems to record on motion or event to save storage requirements
Consider video compression technology
Open standards recommended (ONVIF): Axis, Sony, Bosch; Anixter a member
33/51
High-Resolution Images
Image courtesy of Scientific Working Group on Imaging Technology and APTA Draft Guidelines for Cameras and Digital Video Recording Systems
34/51
Resolution: Identification Guidelines
General surveillance (e.g., traffic, shop)
Forensic (e.g., bank, airport)
High detail (e.g., casino, cash counting)
Source: Univision
35/51
Impact of the Cabling Infrastructure
IP video, minimally compliant Category 5e
A Category 5e cabling infrastructure's absence of headroom minimizes the infrastructure's ability to compensate for marginal electronics
IP video, Category 6A
A Category 6A cabling infrastructure provides headroom to overcome issues related to the electronics, temperature, humidity, poor installation
36/51
Video Compression Technologies
Motion JPEG: all pictures in the video are complete (just like a digital still camera)
MPEG-4: only the differences are coded in some pictures
Image courtesy of Axis Communications
37/51
Video Compression Technologies: H.264 or MPEG-4 Part 10/Advanced Video Coding (AVC)
(Diagram of P-frame motion estimation: a target block in the P-frame is matched against a search window in an earlier reference frame; the offset to the matching block is the motion vector. Image courtesy of Axis Communications)
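The difference between Motion JPEG (every picture complete) on the previous slide and the P-frame diagram here comes down to block matching: for each block of the current frame, search a window of the earlier reference frame for the best match, send the motion vector, and send only the residual that the vector does not explain. The following toy encoder is an added example, not code from the deck or from Axis; the 16x16 frame, 4x4 block size, +/-3 pixel search range and the sample image are all constructed here, and it measures the match with a plain sum of absolute differences rather than a real codec's rate-distortion search.

```python
# Added example (not from the BICSI deck): toy block-matching motion estimation,
# the step MPEG-4/H.264 use to build a P-frame. Frame size, block size, search
# range and the sample image are constructed assumptions.

W, H = 16, 16     # frame size in pixels
BLOCK = 4         # macroblock size
SEARCH = 3        # search window: +/- SEARCH pixels around the block position


def make_reference():
    """Constructed 16x16 reference frame: dark background with a 6x6 patch
    whose pixel values are all distinct, so every block match is unambiguous."""
    frame = [[10] * W for _ in range(H)]
    for y in range(4, 10):
        for x in range(4, 10):
            frame[y][x] = 100 + 10 * (y - 4) + (x - 4)
    return frame


def shift(frame, dx, dy):
    """Constructed 'current' frame: the reference moved by (dx, dy); pixels
    uncovered by the move are filled with background."""
    out = [[10] * W for _ in range(H)]
    for y in range(H):
        for x in range(W):
            sx, sy = x - dx, y - dy
            if 0 <= sx < W and 0 <= sy < H:
                out[y][x] = frame[sy][sx]
    return out


def block(frame, x0, y0):
    """The BLOCK x BLOCK pixels with top-left corner (x0, y0)."""
    return [row[x0:x0 + BLOCK] for row in frame[y0:y0 + BLOCK]]


def sad(a, b):
    """Sum of absolute differences: the matching cost between two blocks."""
    return sum(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))


def best_match(ref, cur, x0, y0):
    """Search the reference frame around (x0, y0) for the block that best
    matches the target block of the current frame. Returns (motion_vector,
    residual_cost); the vector points from the target block to its source in
    the reference frame, and (0, 0) is kept unless something strictly beats it."""
    target = block(cur, x0, y0)
    best_mv, best_cost = (0, 0), sad(target, block(ref, x0, y0))
    for dy in range(-SEARCH, SEARCH + 1):
        for dx in range(-SEARCH, SEARCH + 1):
            rx, ry = x0 + dx, y0 + dy
            if 0 <= rx <= W - BLOCK and 0 <= ry <= H - BLOCK:
                cost = sad(target, block(ref, rx, ry))
                if cost < best_cost:
                    best_mv, best_cost = (dx, dy), cost
    return best_mv, best_cost


def encode_p_frame(ref, cur):
    """Block-match the whole current frame against the reference and report
    what a P-frame has to carry (vectors plus residual) versus an intra-coded
    Motion JPEG frame, which carries every pixel."""
    vectors, costs = {}, {}
    for y0 in range(0, H, BLOCK):
        for x0 in range(0, W, BLOCK):
            vectors[(x0, y0)], costs[(x0, y0)] = best_match(ref, cur, x0, y0)
    return {
        "vectors": vectors,
        "blocks": len(vectors),
        "moved_blocks": sum(1 for mv in vectors.values() if mv != (0, 0)),
        "zero_residual_blocks": sum(1 for c in costs.values() if c == 0),
        "residual_sad": sum(costs.values()),
        "intra_pixels": W * H,  # what Motion JPEG would code for this frame
    }


if __name__ == "__main__":
    ref = make_reference()
    cur = shift(ref, 2, 1)  # the patch moves 2 px right and 1 px down
    print(encode_p_frame(ref, cur))
```

With the patch simply moved, every block is explained by a vector and the residual is zero, so the P-frame carries 16 small vectors instead of 256 pixels. An object that appears only in the current frame (no source in the reference) shows up as residual, which is exactly the part of the picture that still has to be sent in full.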
38/51
Lower TCO: BW and Storage
H.264: the ultimate video compression
H.264 compression (example savings)
(Chart: bandwidth and storage consumption for Motion JPEG, MPEG-4 Part 2 and H.264; the H.264 saving is labelled 80%)
Image courtesy of Axis Communications
39/51
Facility Controls Summary
(Layer diagram: Perimeter, Facility, Computer Room, Cabinets)
Provide multiple layers of protection
Install integrated systems to provide greater awareness
Implement multiple identity verification methods
Install indoor surveillance for identification and monitoring
Keep all visitor areas separate (including restrooms)
Maintain six-wall borders
Supply power back-up
Ensure redundant communications out of NOC (separate providers, cell tower networks, etc.)
40/51
Computer Room Controls
Goals
Third layer of protection
Further restrict access
Multiple forms of verification
Monitor all authorized access
Redundant power and communications
Integrated systems for enhanced awareness
(Layer diagram: Perimeter, Facility, Computer Room, Cabinets)
Security measures
Man-traps and turnstiles
Video analytics
Biometrics
RFID
Environmental monitoring
41/51
Identity Verification
Methods
Carried: token or other item carried by the individual: metal keys, proxy cards, mag cards, photo ID, smart cards
Known: private information: PIN, passwords, code words
Inherent: biometric features: finger and thumb prints, hand geometry, iris scan, speech pattern, vascular
Image courtesy of HID Global and Ingersoll Rand Security Technologies
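The computer room slide asks for "multiple forms of verification", and this slide's grouping into carried, known and inherent is what makes that requirement checkable: two items from the same group (a prox card plus a photo ID) are still a single form of verification, because both can be lost or stolen together. The following decision function is an added example, not code from the deck or from HID Global or Ingersoll Rand; the factor names, the per-layer minimum of distinct categories and the audit-record layout are assumptions, and it presumes each factor has already been individually checked (card valid, PIN correct, biometric matched) before it is counted.

```python
# Added example (not from the BICSI deck): count identity verification methods
# by category (carried / known / inherent, as the slide groups them) so that two
# items of the same kind never pass for "multiple forms of verification".
# Factor names, per-layer policy numbers and the audit record are assumptions.

FACTOR_CATEGORY = {
    # carried: a token or other item the individual holds
    "metal_key": "carried", "prox_card": "carried", "mag_card": "carried",
    "photo_id": "carried", "smart_card": "carried",
    # known: private information
    "pin": "known", "password": "known", "code_word": "known",
    # inherent: biometric features
    "fingerprint": "inherent", "hand_geometry": "inherent", "iris": "inherent",
    "speech_pattern": "inherent", "vascular": "inherent",
}

# Assumed policy: minimum number of distinct factor categories per layer.
REQUIRED_CATEGORIES = {
    "perimeter": 1,
    "facility": 2,
    "computer_room": 2,
    "cabinet": 2,
}


def distinct_categories(verified_factors):
    """Map verified factor names to the set of categories they cover."""
    cats = set()
    for name in verified_factors:
        if name not in FACTOR_CATEGORY:
            raise ValueError(f"unknown verification method: {name}")
        cats.add(FACTOR_CATEGORY[name])
    return cats


def decide(layer, person, verified_factors):
    """Grant or deny entry to `layer` for `person`, given the factors that have
    each already passed their own check. Returns (granted, audit_record); the
    record is what the access control system would write to its audit trail
    of who accessed what area."""
    needed = REQUIRED_CATEGORIES[layer]
    cats = distinct_categories(verified_factors)
    granted = len(cats) >= needed
    record = {
        "who": person,
        "area": layer,
        "methods": sorted(verified_factors),
        "categories": sorted(cats),
        "required_categories": needed,
        "granted": granted,
    }
    return granted, record


def run_scenarios():
    """Constructed requests against the layers; returns the decisions in order."""
    requests = [
        ("perimeter", "alice", ["prox_card"]),
        ("computer_room", "alice", ["prox_card", "pin"]),
        ("computer_room", "bob", ["prox_card", "photo_id"]),  # two carried items
        ("cabinet", "carol", ["smart_card", "iris"]),
        ("computer_room", "dave", ["pin"]),
    ]
    return [decide(*req) for req in requests]


if __name__ == "__main__":
    for granted, record in run_scenarios():
        print("GRANT" if granted else "DENY ", record)
```

The audit record keeps both the methods presented and the categories they resolved to, so a later review can see not just that bob was denied at the computer room but why: two carried tokens covered only one category.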
42/51
Identity Verification: Biometrics
High-level security applications
Inherent and unique to user
Much more difficult to replicate than passwords or PINs
Cannot be lost or stolen
Variations
background lighting required
Fingerprint: since 1858
Hand geometry: easier, may not be unique
Iris: non-intrusive, high accuracy, difficult to authenticate
Vascular
43/51
RFID for the DC Environment
Eliminate manual spreadsheets for tracking: inventory, asset locations, life-cycle data
Instant awareness of data centre assets: rack-mounted equipment, mobile equipment such as laptops, employees (e.g., credential tags)
Some systems also offer environmental monitoring sensors
44/51
Computer Room Controls Summary
(Layer diagram: Perimeter, Facility, Computer Room, Cabinets)
Restrict access
Eliminate tailgating
Monitor exit and entry points
Require multiple identity verification methods
Maintain six-wall border
Address proper thermal management
Implement RFID system for asset tracking
45/51
Cabinet-Level Controls
Goals
Fourth layer of protection
Further restrict access
Integrated systems for enhanced awareness
(Layer diagram: Perimeter, Facility, Computer Room, Cabinets)
Cabinet-level locking
Audit trails
Intelligent infrastructure
46/51
Access Control at the Cabinet Level
Increase security at the cabinet level
Work with existing enterprise access control systems
Efficiently bring electronic security and audit trail capability to the cabinet or enclosure level
47/51
The Power of Integrated Systems
(Diagram: fibre panel, core switch/router, network video recorder (NVR), UPS, access control server)
Response
Resolves issues faster
Saves time correlating events and timelines
Moves from reactive toward predictive
Provides real-time anywhere alerts for monitoring and recording
Operation
Provides additional operator control
Reduces deployment, training and support costs
Preserves and protects capital investments
48/51
Convergence and the IP Migration
Migration from analog to digital and IP
Building systems converge
Standardized structured approach
Utility-grade connectivity
Open architecture
Interoperability
Legacy approach: important role for single-function systems
49/51
Convergence and the IP Migration
Migration from analog to digital and IP
Building systems converge
Standardized structured approach
Utility-grade connectivity
Open architecture
Interoperability
Migration to network approach: isolated systems join IP Connected Enterprise
50/51
Convergence and the IP Migration
Migration from analog to digital and IP
Building systems converge
Standardized structured approach
Utility-grade connectivity
Open architecture
Interoperability
IP Connected Enterprise replaces isolated systems
51/51
Summary
BICSI materials available
Perimeter, facility and computer room physical security may not be sufficient to prevent breaches
(Layer diagram: Perimeter, Facility, Computer Room, Cabinets)
IP-enabled physical security systems increase reaction time
Technology maturing
Moving toward predictive response
Leverage existing physical security best practices and industry standards to develop security plan