Locking Down the Data Center of Tomorrow
By Kevin Beaver, CISSP
Founder and principal consultant - Principle Logic, LLC
4430 Wade Green Rd., Suite 180, Kennesaw, GA 30144
Copyright © 2003, Principle Logic, LLC, All Rights Reserved.
Kevin Beaver
• Information security consultant, author and trainer
• 15+ years of IT/security experience
• Specialize in security incident response, security assessments, network security, and security policy and strategy development
• Author of the upcoming book Ethical Hacking for Dummies by John Wiley and Sons
• Co-author of the new book The Practical Guide to HIPAA Privacy and Security Compliance by Auerbach Publications
• Author of the new book The Definitive Guide to E-mail Management and Security by Realtimepublishers.com
• Regular columnist and information security/HIPAA advisor for SearchSecurity.com, SearchMobileComputing.com, ITSecurity.com, and HCPro’s Briefings on HIPAA newsletter
• Hold CISSP, MCSE, MCNE and IT Project+ certifications
• Bachelor’s in Computer Engineering Technology from Southern Polytechnic State University and Master’s in Management of Technology from Georgia Tech
What We’ll Cover
• Current state of data center security
• The convergence of information and physical security
• Security technologies and practices required for the successful convergence of physical and information security
• Skills required of security professionals
• What to expect in the coming years
• Resources
Current State of Data Center Security
• Where everything security related comes together
  – Network, applications, physical
• Enable consolidation of information systems management and security within a controlled environment
• Heightened sense of criticality since 9/11
• There’s a lot of good security, but there’s also a lot of bad
  – Not necessarily as secure as they claim to be
What is Physical Security?
• Protection of people and physical property
• Traditional physical security involved guards, locks, keys, etc. – this is changing
• Physical security in buildings, including data centers, is becoming increasingly dependent on technical systems for control and monitoring
Physical and Information Security Risks
• Increase of insider threats
• Someone walking off with a laptop, server, software installation disks, etc.
• Malicious outsider gaining access to the data center
  – To obtain passwords
  – To install a network analyzer
• Malicious insider gaining access to CDs, tapes, hard copies of network diagrams or password lists
Past Paradigm
• Security to protect corporate assets is technology based
  – Firewalls
  – Intrusion detection
• Security systems typically found in discrete areas – not across the organization
• Different security departments doing different things
  – Has resulted in various inconsistencies in meeting security policy requirements
…Past Paradigm
• Security has been seen as a roadblock to overall organization effectiveness in the past
  – Both physical and information security can be combined and now seen as a business enabler supporting the organization’s mission and goals
Physical Security, meet Information Security
• Data center security is more than just protecting IT assets
  – We’re now moving towards protecting enterprise assets
• The most valuable corporate assets are virtual
  – Electronically and in the minds of employees
• Many corporate assets are housed in critical data centers
• Physical security is established and mature for the most part
  – Information security is still in its infancy
…Physical Security, meet Information Security
• There are emerging governmental requirements forcing the collaboration of physical and information security
• Security management of the data center continues to be fragmented
• After many years of separation and strife, the two practices are coming together – especially in the data center environment
Similarities
• The goal of both is to keep the bad guys out and the “good” guys honest
• Each one uniquely contributes to the organization’s bottom line
• Both require:
  – Identification of assets
  – Classification of assets
  – Assessment of risks
  – Implementation of countermeasures
  – Incident response expertise
Demands of Physical and Information Security
• An ever increasing skill set required for security leaders, managers and doers
  – Keeping up with the latest technologies
  – Understanding how to effectively respond to incidents
• Money
• Technology and computers
• Effective policies and procedures
• Layered protection – defense-in-depth
…Demands of Physical and Information Security
• Authorization – need to know basis
• Authentication
• Accountability
• Audit
• Destruction policies and procedures
• Ongoing awareness
• A good balance of security vs. convenience
• Both (especially infosec) are requiring stronger ties with law enforcement than ever before
You Must Find a Balance
• If you have a network that’s secure but a data center building that’s not
  OR
• If you have a data center building that’s secure and a network that’s not
  – They will defeat the purpose of each other
The Simple Truth
• Need more than just a guard and locked doors
• Need more than just firewalls and IDSs
• Security must be tightly integrated with every organizational function
• You can’t force the two different departments to work well together – must give business reasons and incentives
• Must balance the requirements of both physical and information security
Where We’re Headed
• Decentralization of data centers and corporate assets
• Tighter integration between physical and information security equipment
• The design goals of newer technologies will help support convergence of physical and information security
• Systems will be easier to use, making data center technology implementation, collaboration and change management simpler
…Where We’re Headed
• The convergence of the two types of security will help further the information security cause
  – Management has always bought into physical security
  – It’s now becoming more apparent that information security is a critical element as well
• Smaller computing devices such as PDAs, 1U servers, cell phones and laptops are just getting smaller, leading to more physical security issues
  – Nanotechnology devices both inside and associated with data centers are increasing the demand for physical and information security convergence
…Where We’re Headed
• Prevention vs. protection
• Increased responsibilities on everyone’s part
• Reduced costs, but possible increase in risks
Emerging Trends
• Enhanced biometric systems
• Increase in the number of uses of biometrics to facilitate both physical and information security in the data center
• Increased usage of identity management solutions
• Perimeter control has been – and will be even more so – the job of both physical and information security professionals
…Emerging Trends
• Need for greater physical and information security of wireless components within data centers
• Storage and management issues associated with RFID data
• Defense-in-depth will be even more important
…Emerging Trends
• Enhanced monitoring
  – Power, air and server conditions
  – Access controls
• Will require more human involvement
  – In the form of awareness, policies and procedures
• Increased use of temp/contract workers
  – Need to include these people in security policies and procedures
…Emerging Trends
• Open Security Exchange (OSE)
• OSE-compliant products from vendors
• More data center involvement from large vendors
• Development of data center education initiatives by the Association for Computer Operations Managers (AFCOM) and Marist College
• Overall the merger of the two will have a huge impact on organizations, employees, users and the industry as a whole
CSOs of the Future
• CSOs manage data centers among other things
• Role is still being defined
• Need a strong leader in this role
• Business and technical expertise
• Must build relationships with business managers
• Has authority within the organization to create and enforce security policies
…CSOs of the Future
• Ability to influence security-aware culture in and around the data center
• See CSO Magazine’s State of the CSO report for more insight – www.csoonline.com/csoresearch/report56.html
A Few More Tips
• A security-aware culture will buy your data center more protection than all other efforts combined
• Policies and procedures should be integrated between physical and information security systems for the data center whenever possible
  – With management support of course
…A Few More Tips
• CISO and IT-only types may only be interested in information security
  – If so, s/he might not be the best fit for a CSO or director of data center security position
• A wise security officer (physical or information) will stay abreast of both
• If you’re not sure about the physical security, contact some experts on it
Resources
• Open Security Exchange – www.opensecurityexchange.com/info/summary.htm
  – Physical Security Bridge to IT Security (PHYSBITS) Framework – www.opensecurityexchange.com/downloads/white_paper.pdf
• AFCOM – www.afcom.com
• ISC2 Certified Information Systems Security Professional (CISSP) and ISSAP concentration – www.isc2.org
• ASIS Certified Protection Professional (CPP) – www.asisonline.org/certification/cpp/index.xml
• CSO job description – www.csoonline.com/research/executive/description.html
…Resources
• Physical security tips – www.techarch.state.ar.us/indexes/publications/physical.pdf
• The physical security market is very strong now and it will take time for the two areas of security to successfully merge
• It will be impossible to ensure solid information security of the data center without the proper physical security controls – and vice versa
• It’s essential to ensure that data is available after a disaster
  – This can only be possible when information and physical security systems and personnel work together
Closing Thoughts
• Security initiatives driven from the bottom up usually aren’t effective
• Haphazard combination of physical and information security can cause more problems than it solves
• A more secure data center can increase customer comfort level helping to maintain customers and even drive more business
…Closing Thoughts
Questions?
Thank you
Thank you for participating in this SearchSecurity.com webcast. If you have comments or suggestions for future webcasts, please e-mail the moderator at [email protected]