Scribd
Upload
43 views55 pages

DC Security and Controls

This document discusses data center security and control. It introduces the importance of ICT security in the public sector and discusses ICT policies and standards in data centers. The learning outcomes are to understand the importance of ICT security, the role of civil servants in ICT security, and how to identify security techniques and maintain a secure data center. The agenda covers topics like ICT security, data centers, data center security procedures and standards, security layers and controls, basic principles for data center security, and physical security in data centers.

Uploaded by

amirzie
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
43 views55 pages

DC Security and Controls

This document discusses data center security and control. It introduces the importance of ICT security in the public sector and discusses ICT policies and standards in data centers. The learning outcomes are to understand the importance of ICT security, the role of civil servants in ICT security, and how to identify security techniques and maintain a secure data center. The agenda covers topics like ICT security, data centers, data center security procedures and standards, security layers and controls, basic principles for data center security, and physical security in data centers.

Uploaded by

amirzie
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 55

Institut Tadbiran Awam Negara (INTAN)

Jabatan Perkhidmatan Awam (JPA)

National Institute of Public Administration


Public Service Department of Malaysia

Data Centre Security


& Control

Ashara Banu Mohamed


Perunding Latihan Kanan
Seksyen Perkhidmatan Operasi ICT
Kluster Inovasi Teknologi Pengurusan (i-IMATEC)
Objective

Introducing ICT security importance in


the Public Sector

ICT policies and standard in Data


Centre

Understand and implement different


types of control

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 2


Learning Outcome

Understanding the importance of ICT security in the


public sector

Understanding the role and responsibilities of civil


servants in aspects of ICT security

Identify the type of ICT security techniques and


methods of maintaining a secure data centre

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 3


Agenda

1 ICT Security

2 Data Centre

3 Data Centre Security : Procedures and Standards

4 Data Centre Security : Security Layer and Controls

5 Data Centre Security : Basic Principle For Data Centre

6 Data Centre Security : Physical Security in Data Centre

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 4


Security?

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 5


Definition: Security

• a state of being free from danger, threats


and risks
• a continuous process
• a periodical activity which has to be
schedule

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 6


ICT SECURITY CRITERIA

Confidentiality

Integrity

Availability

Authenticity

Accountability

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 7


YOUR ROLE

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 8


LAYERED SECURITY APPROACH

Hak Milik INTAN 9


Security is like an onions – it makes you cry

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 10


WHAT IS DATA CENTRE ?

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 11


DATA CENTRE IS

• A data centre (or datacentre) is a facility composed of


networked computers and storage that businesses or other
organizations use to organize, process, store and
disseminate large amounts of data.

• A business typically relies heavily upon the applications,


services and data contained within a data centre, making it a
focal point and critical asset for everyday operations.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 12


WHAT IS DATA CENTRE SECURITY ?

• Data centre security is the set of policies,


precautions and practices adopted

• It is to avoid unauthorized access and manipulation


of a data centre's resources.

• The data centre houses the enterprise applications


and data, hence why providing a proper security
system is critical.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 13


Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 14
DATA CENTRE SECURITY

A. Procedures and Standards


 Information Security Risk Assessment Guide
 Security Standards, Policies & Systems
 Common Data Centre Security Risk Signs
 Security Audit Checklist
B. Security Layer and Controls
 Physical (perimeter, building, data centre etc.)
 Logical (network, servers etc.)
 Administrative (people, process etc.)

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 15


A. Procedures and Standards

 Information Security Risk Assessment Guide

Malaysian Public Sector Information Security


Risk-Assessment Guidelines

1. The Malaysian Public Sector Information Security High Level


Risk Assessment (HiLRA Guide)

2. The Malaysian Public Sector Information Security Risk


Assessment Methodology (MyRAM). Fully automated

http://www.mampu.gov.my/mampu/spa

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 16


Impact of the breach vs likelihood of the breach actually happening
Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 17
A. Procedures and Standards

 Security Standards, Policies & Systems

Requirements
 Adopt ISO-27001 (replaces BS 7799 – Part 2)
 Information Security Management System (ISMS)

 Adopt ISO/IEC-27002 (replaces ISO-17799) Controls: Risk


 Controls for Security Management Management and
BCM

BCC, Inc. Report GB-185R

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 18


A. Procedures and Standards

 Security Standards, Policies & Systems


Policy : a course or principle of action adopted or proposed by a government, party, business or individual.
Security Policy
 Aligns with business needs
 security goals; and
 defines how to implement them through processes and technologies.

An effective security policy results from collaboration among


 all stakeholders in the Data centre,
 various management teams,
 executive board, and
 user groups

The policy determines


 security design,
 management processes
 technologies that enable policy to be implementation and
 enforcement.
A security policy is not static; it should be refined and adjusted regularly
Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 19
A. Procedures and Standards

 Common Data Centre Security Risk Signs


 Out-of-date physical wiring diagrams
 Out-of-date logical equipment configuration diagrams and schematics
 Infrequent testing of UPS
 Failure to recharge UPS batteries
 Failure to test generator and fuel levels
 Lack of preventive maintenance on air conditioning equipment
 Fire suppression system not recharged
 Emergency power-off system not tested
 Emergency power-off system not documented
 Infrequent testing of backup generator system
 Equipment not properly anchored
 Evacuation procedures not clearly documented
 Circumvention of physical security procedures
 Lack of effective training for appropriate personnel
Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 20
A. Procedures and Standards

 Security Audit Checklist

• Facilities Security Audit Checklist

• Sample Internal Control Questionnaire

• Data Centre Review Program

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 21


Lesson Contents

A. Procedures and Standards


 Information Security Risk Assessment Guide
 Security Standards, Policies & Systems
 Common Data centre Security Risk Signs
 Security Audit Checklist
B. Security Layer and Controls
 Physical (perimeter, building, data centre etc.)
 Logical (network, servers etc.)
 Administrative (people, process etc.)

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 22


B. Security Layer and Controls

 Physical (perimeter, building, data centre etc.)

building security layers Data centre security layers

* Environment * Perimeter Security


Design

*Access Control * Facility Controls

* Intrusion * White Space


Detection Access

* Personnel * Cabinet
Identification

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 23


B. Security Layer and Controls

 Physical (perimeter, building, data centre etc.)

Threats to physical security include:


 Interruption of services
 Theft
 Physical damage
 Unauthorized disclosure
 Loss of system integrity

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 24


B. Security Layer and Controls

 Physical (perimeter, building, data centre etc.)

Potential for damage or loss can be categorized into 7


categories of threats to objects, persons and intellectual
property:-

Temperature sunlight, freezing, fire & excessive heat

commercial vapors, humidity, dry air,


Gases suspended particles, smoke, cleaning fluid

Liquids water & chemicals

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 25


B. Security Layer and Controls

 Physical (perimeter, building, data centre etc.)

7 categories of threats to objects, persons and intellectual


property:-
contamination from virus, bacteria,
Organisms people, animals

Projectiles falling objects, wind, explosions

Movement collapse, shearing, shaking, vibration,

Energy electric surges/failure, magnetism, static


anomalies electricity, radiation, sound, light
Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 26
B. Security Layer and Controls

 Physical (perimeter, building, data centre etc.)

(i) Prevention
To prevent unauthorized personnel from entering
computing facilities.
(i.e., locations housing computing resources,
supporting utilities, computer hard copy, and
input data media)

To help protect against natural disasters.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 27


B. Security Layer and Controls

 Physical (perimeter, building, data centre etc.)

(i) Prevention

Examples:
• Backup files and documentation.
• Fences.
• Security guards.
• Badge systems.
• Double door systems.
• Locks and keys.
• Backup power.
• Biometric access controls.
• Site selection.
• Fire extinguishers.
Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 28
B. Security Layer and Controls

 Physical (perimeter, building, data centre etc.)

(ii) Detection
 Warn protective services personnel that physical security
measures are being violated.

Examples: Motion detectors

• Motion detectors.
• Smoke and fire detectors. VESDA

• Closed-circuit television monitors.


• Sensors and alarms.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 29


CAMERA NVR
DIGITAL DISK RECORDER

SECURITY MONITORING SCREEN

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 30


DDR/NVR

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 31


Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 32
B. Security Layer and Controls

 Physical (perimeter, building, Data Centre etc.)

Data Centre PHYSICAL SECURITY CHECKLIST

1. Data centre Physical Security Checklist


(SANS Institute)

2. SAS 70 Compliance Data centre Physical


Security Checklist – Best Practice

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 33


B. Security Layer and Controls

 Physical (perimeter, building, Data Centre etc.)

What other things that we need to identify before setting


up a DC (

1. Site Location 2. Site Perimeter


a) Natural Disaster Risk a) Perimeter
b) Man made Disaster b) Surveillance
Risk c) Outside Windows &
c) Infrastructure Computer Room Placement
d) Sole purpose d) Access Points

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 34


B. Security Layer and Controls

 Physical (perimeter, building, Data Centre etc.)


What other things that we need to identify before setting
up a DC (
3. Computer Rooms 4. Facilities
a) Access a) Cooling Towers
b) Infrastructure b) Power
c) Environment c) Trash
d) Fire Prevention d) Network Operation Centre
e) Shared Space (NOC)
5. Disaster Recovery 6. Ousiders
a) Disaster Recovery Plan a) Guards
b) Offsite Backup b) Cleaning Staff
c) Redundant Site c) Service Engineers
Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 35
B. Security Layer and Controls

 Physical (perimeter, building, Data Centre etc.)

What other things that we need to identify before setting


up a DC (

7. Users 8. Disaster Recovery (people)


a) Education a) Organizational Chart
b) Policy b) Job Function Documentation
c) Cross Training
d) Contact Information
e) Telecommuting
f) Disparate Locations

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 36


B. Security Layer and Controls

 Logical (network, servers etc.)

 Use software and data to monitor and control access to


information and computing systems.

(E.g. passwords, network and host based firewalls, network intrusion


detection systems, access control lists, and data encryption)

 Level of access granted is limited to certain task that need


to be perform by an individual, program and systems.

 Logical Security Best Practices

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 37


B. Security Layer and Controls

 Logical (network, servers etc.)

(i) Prevention
to prevent unauthorized personnel or programs from
gaining remote access to computing resources.

Examples:
• Access control software.
• Antivirus software.
• Passwords.
• Smart cards.
• Encryption.
• Dial-up access control and callback systems.
• Authentication

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 38


B. Security Layer and Controls

 Logical (network, servers etc.)

(ii) Detection
To warn personnel of attempted violations.

Examples:
• Audit trails
• Intrusion Detection Systems (IDS)

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 39


B. Security Layer and Controls

 Administrative (people, process etc.)


 Also called procedural controls

 Consist of approved written policies, procedures,


standards and guidelines.

 Form the framework for running the business and


managing people.

 Inform people on how the business is to be run


and how day to day operations are to be conducted.

 Laws and regulations created by government bodies


is also a type of administrative control

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 40


B. Security Layer and Controls

 Administrative (people, process etc.)

 Form the basis for the selection and implementation


of logical and physical controls.

 Used to control individual behavior towards access


of facility, equipment, resources and information.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 41


B. Security Layer and Controls

 Administrative (people, process etc.)

 Insider
 Poor Passwords.
 Physical Security.
 Insufficient Backup and Recovery.
 Improper Destruction.
 Social Media.
 Social Engineering.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 42


B. Security Layer and Controls

 Administrative (people, process etc.)

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 43


B. Security Layer and Controls

 Administrative (people, process etc.)

(i) Prevention

Personnel-oriented techniques for controlling


people’s behavior to ensure the confidentiality,
integrity, and availability of computing data and
programs.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 44


B. Security Layer and Controls

 Administrative (people, process etc.)

(i) Prevention

Examples:
• Security awareness and technical training.
• Separation of duties.
• Procedures for recruiting and terminating employees.
• Security policies and procedures.
• Supervision.
• Disaster recovery, contingency, and emergency plans.
• User registration for computer access.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 45


B. Security Layer and Controls

 Administrative (people, process etc.)

(i) Detection
To determine how well security policies and
procedures are complied with, to detect fraud, and
to avoid employing persons that represent an
unacceptable security risk.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 46


B. Security Layer and Controls

 Administrative (people, process etc.)

(i) Detection

Examples:
• Security reviews and audits.
• Performance evaluations.
• Required vacations.
• Background investigations.
• Rotation of duties.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 47


BASIC PRINCIPLE FOR DATA CENTRE

• Low-key appearance
• Avoid windows
• Limit entry points
• Anti-passback and man-traps
• Hinges on the inside
• Plenty of cameras
• Make fire door exit only
• Permanent security staff
• Test. Test and test again
• Don’t forget the layers
Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 48
Ways to Build Physical Security into a Data Centre

 Build on the right spot.


 Have redundant utilities
 Pay attention to walls
 Avoid windows
 Use landscaping for protection
 Keep a 100-foot buffer zone around the site
 Use retractable crash barriers at vehicle entry
points
 Plan for bomb detection

Site layout

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 49


Ways to Build Physical Security into a Data Centre (cont’d)

 Limit entry points


 Make fire doors exit only
 Use plenty of cameras
 Protect the building's machinery
 Plan for secure air handling
 Ensure nothing can hide in the walls and ceilings
 Use two-factor authentication
 Harden the core with security layers
 Watch the exits too
 Prohibit food in the computer rooms
 Install visitor rest rooms

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 50


NETWORK SECURITY WORST PRACTICE

Source: Gartner, Avoid these


“Dirty Dozen” Network Security
Worst Practices, by Andrew
Lerner, Jeremy D’Hoinne,
January 8, 2015.

Hak Milik INTAN 51


THANK YOU
Hak Milik INTAN 53
Hak Milik INTAN 54
Hak Milik INTAN 55

You might also like