Monday, August 1, 2022

Control physical access to rack level

In our networked and internet-dependent world, securing personal and business data from theft, hacking and other forms of cybercrime has become an issue of paramount importance – and the world’s data centers, where data has its physical presence, are key points where multiple layers of security need to be established and sustained. Electronic locks offer audit trail reporting capabilities and can also be set up to provide local alerts, including indicator lights, beacons or alarms.

Securing information within the data centre presents heightened physical security and access control challenges. Heavy-duty perimeter security and room level access control prevents access to the building and server rooms, but once inside, data storage equipment may not include that same level of security. In some co-location centres for instance, cabinets containing particularly sensitive data are protected by a chain link fence enclosure; however, these cabinets are still at risk should an unauthorised individual gain access to that enclosure.

For complete physical security, the actual server cabinets should be secured to the same degree as the data centre itself. Verification of credentials for access control and, where required, auditing rack-level access can prevent costly data breaches and stiff penalties for non-compliance. Data centre managers can avoid these risks by incorporating intelligent, reliable electronic locking systems at the rack level to protect access to sensitive information.

Extending physical security to the rack level

Effective rack-level access control systems are specifically designed for server cabinets with a flexible, open architecture that allows them to be easily integrated with any existing security system. An effective physical security system is typically comprised of three key elements: user interface, intelligent lock, and remote control and monitoring. Many data centers focus security efforts on access control to the grounds, the buildings and the secure areas within:

·       Access to the building is often gated, with exterior physical protection elements to secure the entire site, and a guard is required to verify and document entry through the gate.

·       Once an individual enters the facility, they typically sign in with a live guard and receive a credential for access to specific areas.

·       In some facilities, access to a specific floor or enclosure area is further controlled by a “man trap” with two sets of doors accessed via an electronic credential, either RFID or biometric.

Electronic access solutions, like electronic locks and latches, offer a modular security solution designed for simple integration into Data Center Infrastructure Management (DCIM) systems and existing server rack enclosure designs.

Electronic Access Solutions (EAS) typically consist of four main components:

·       Electromechanical Lock or Latch – The most critical component of any electronic access system, this mechanism performs the electromechanical locking or unlocking function upon receipt of a valid electronic signal and provides an output of its status to external monitoring systems.

·       Access Control Device – The access controller acts as the human interface, allowing the electronic lock to be remotely operated through a variety of options, such as digital keypads, biometrics, RFID readers, and other wireless communication devices such as Bluetooth-enabled smartphones and tablets.

·       Remote Monitoring – Electronic access solutions have the unique ability to capture an electronic "signature" for each access attempt. This info, together with additional security and environmental data, can be output to a variety of devices, from simple indicator lights to networked, software-based remote monitoring systems.

·       Manual Override – In some cases, an override system is required to provide access in the event of a system power failure. This override system can be mechanical, providing direct mechanical actuation of the lock, or electrical, providing external power in the event of a system power failure.

The key element of effective rack level electronic access systems is the use of intelligent electronic locks that restrict access through the validation of user credentials. Electronic locks can be integrated with a variety of rack level access control devices, such as digital keypads, RFID card readers, biometric readers and electronic key systems.

Suprema Mobile Access allows you to use your own smartphone as a key to access doors, facilities, and more. By using your smartphone as a credential, managing and using an access card becomes easier, faster, and safer. The smartphone can then send audit trail data wirelessly to the cloud via a cellular or Wi-Fi connection for audit trail reporting. This unique solution provides remote access control without the need for a physical network connection. Mobile Access supports both NFC and BLE for full compatibility with various types of smartphones.

Additionally, maintaining automatic digital documentation is more convenient than manually tracking and recording access. Rather than keeping track of mechanical keys – particularly in a co-location setting – electronic access allows administrators to upload (or delete) electronic credentials from their user database. With networked systems, these updates to the approved list can be made remotely, from anywhere in the world. With cloud-based solutions, this can be accomplished wirelessly, using Bluetooth enabled mobile devices.

Integrating rack level EAS into existing data centers

The entire IT and data center industry must continue to apply every tool available to secure personal and corporate data and applications from identity theft, malware, hijacking and other hacking attacks. Using electronic access solutions to secure the server racks is the final component in creating a fully secure data center. Rack level electronic access provides a controlled physical security solution that, when integrated into existing security and monitoring systems, provides a complete end-to-end data center security solution.

Cost-effective rack level security solutions are available, depending on the specific application. For example:

·       Self-contained solutions that are generally battery-operated and offer simple, drop-in installation and programming to provide integrated access control and electronic locking in a single self-contained device.

·       Standalone solutions that offer basic plug-and-play access control without the need for software or network administration where remote control and monitoring is not needed.

·       Wireless remote controlled solutions that leverage NFC and BLE connectivity with cloud-based web portal credential management and monitoring to provide the simplicity of a standalone system with the benefits of a networked control system.

·       Integrated solutions that can be combined with building access control and monitoring systems to incorporate cabinet-level access control into existing security systems.

·       Independent networked solutions that can be used to monitor and manage rack access across networks from a host computer for remote system configuration, access control and the monitoring of multiple access points.

Streamlining migration between platforms

Rack-level electronic locks may incorporate an RFID reader with industry standard Wiegand outputs that can tie into any traditional building system. When integrating rack-level access control solutions, there may be a need to support both proximity and smart card RFID protocols. By integrating an industry standardised electronic locking and access control solution that reads multiple RFID formats, data centre managers can leverage their existing building security system for rack-level access control regardless of card technology used. This type of solution offers simplified installation, allowing personnel to use their existing credentials to access multiple areas within the data centre – from the server room to the rack level.

Physical access control across the facility

In today’s highly regulated data centre environment, access control and monitoring at the rack level are a must. While significant resources are dedicated to fighting online cyberattacks, physical protection of stored data is equally important. The need for increased security and compliance with a myriad of regulations necessitates access control and monitoring capabilities for the actual cabinets where data is stored.

Data centre managers can achieve physical access control by implementing electronic access solutions, which offer solutions for audit trail maintenance and compatibility with existing facility-wide security systems. Protecting data within facilities requires the same level of access control for racks as the buildings that house them.

Organizations should monitor the safety and security of the data center rack room with authenticated access through the following systems:

·        Closed-circuit television (CCTV) camera surveillance with video retention as per the organization policy

·        Vigilance by means of 24×7 on-site security guards and manned operations of the network system with a technical team

·        Periodic hardware maintenance

·        Checking and monitoring the access control rights regularly and augmenting if necessary

·        Controlling and monitoring temperature and humidity through proper control of air conditioning and indirect cooling

·        Uninterruptible power supply (UPS)

·        Provision of both a fire alarm system and an aspirating smoke detection system (e.g., VESDA) in a data center. A VESDA, or aspiration, system detects and alerts personnel before a fire breaks out and should be considered for sensitive areas.

·        Water leakage detector panel to monitor for any water leakage in the server room

·        Rodent repellent system in the data center. It works as an electronic pest control to prevent rats from destroying servers and wires.

·        Fire protection systems with double interlock. On actuation of both the detector and sprinkler, water is released into the pipe. To protect the data and information technology (IT) equipment, fire suppression shall be with a zoned dry-pipe sprinkler.

·        Cable network through a raised floor, which avoids overhead cabling, reduces the heat load in the room, and is aesthetically appealing.

 

Friday, July 15, 2022

Planning a Security Intrusion System Installation Location

The first step when installing any alarm system is to determine what you will install and where. Below is a typical floor plan from a home builder that has been marked up to indicate where alarm components will be installed. These simple plans are the type that builders normally provide to people looking to build a new home and can sometimes be found on the builder's web site. Marking up a copy of these plans is a good place to start to determine how many window & door sensors and motion detectors you will need to protect the entire home.

Sample Alarm Wiring Plan:

Legend

P:     Main Alarm Panel

K:     Keypad

        Input Devices

M:     Motion Detector

D:     Door Sensor

W:     Window Sensor

G:     Glass Break Sensor

L:     Liquid/Water Sensor

        24 Hour Input Devices

F:     Fire/Smoke/Heat Sensor

        Output Devices

H:     Horn/Siren

S:     Strobe Light



The first major decision is whether you want sensors for every window in the home or whether motion detectors are good enough to provide coverage. A quick look at these floor plans shows that wiring sensors for every window more than doubles the amount of wire that you will need to run.

A typical entry level panel is limited to 8 zones. Even higher end panels need expander cards to support more than 8 zones. Even if you have more than 8 sensors you can still use an 8 zone panel. You will just need to wire multiple sensors to a single zone. When a zone with multiple sensors is tripped, you will not be able to determine which sensor is the cause. Also, if there is a fault/error with a multiple-sensor zone it will be more difficult to diagnose.

Here are some examples of 8, 16, & 32 zone setups.

8 zone: - Assumes Fire detectors are handled separately

·        Living Room Motion Detector

·        Family Room Motion Detector

·        Dining Room Motion Detector

·        Basement Motion Detector

·        Front Door

·        Back + Garage Door

·        Dinette Glass Break Sensor

·        Water Sensor

16 zone: - The above 8 zone layout plus window sensors (multiple windows per zone)

·        Dining Room Windows

·        Living Room Windows

·        Family Room Windows

·        Kitchen/Laundry Windows

·        Owner's Bedroom/Bathroom Windows

·        Bedroom 2 Windows

·        Bedroom 3+4 Windows

·        Basement Windows

32 zone: - With 32 zones, every sensor indicated in the floor plan above will have its own zone.

There are other considerations when combining sensors into a single zone. Alarm systems can be activated with some zones disabled. For example, if you activate the alarm at night when you sleep, you want the doors and windows protected, but you do not want the motion sensors active. You probably want the motion sensors disabled so that you can walk around the house without setting off the alarm. Therefore, you should not combine the window and motion sensors from the same room into a single zone. During a hot summer night you may want to leave the windows in your room open, but not any of the downstairs windows. Again, these windows would need to be in separate zones so that you could leave upstairs windows open but have the downstairs windows protected.
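The zoning rules above can be checked mechanically before any wire is run. The following is an added example, not part of the original article; the sensor names, floors and the two arming-mode names (`night`, `summer_night`) are constructed for illustration and follow the legend letters used in the wiring plan.

```python
# Zone-plan checker for a hard-wired alarm panel (added example).
# Sensor list is constructed: (name, kind, floor), kind per the legend:
# M = motion, D = door, W = window, L = liquid/water.
SENSORS = [
    ("living_motion", "M", "down"),
    ("family_motion", "M", "down"),
    ("front_door", "D", "down"),
    ("back_door", "D", "down"),
    ("garage_door", "D", "down"),
    ("living_windows", "W", "down"),
    ("bed2_window", "W", "up"),
    ("owner_bed_window", "W", "up"),
    ("water", "L", "down"),
]

# Arming modes described in the text, written as "is this sensor bypassed?".
MODES = {
    # Asleep: doors and windows armed, motion detectors off.
    "night": lambda kind, floor: kind == "M",
    # Hot night: additionally leave the upstairs windows open.
    "summer_night": lambda kind, floor: kind == "M"
    or (kind == "W" and floor == "up"),
}


def check_plan(plan, sensors=SENSORS, max_zones=8):
    """plan maps zone number -> list of sensor names; returns a list of problems."""
    info = {name: (kind, floor) for name, kind, floor in sensors}
    problems = []

    if len(plan) > max_zones:
        problems.append(f"{len(plan)} zones exceed panel limit of {max_zones}")

    # Every sensor must be wired to exactly one zone.
    assigned = [name for members in plan.values() for name in members]
    for name in info:
        count = assigned.count(name)
        if count != 1:
            problems.append(f"{name} is wired to {count} zones")
    for name in sorted(set(assigned) - set(info)):
        problems.append(f"{name} is not a known sensor")

    # A panel bypasses whole zones, so in each arming mode a zone must be
    # either fully bypassed or fully armed, never a mixture.
    for mode, bypassed in MODES.items():
        for zone, members in sorted(plan.items()):
            states = {bypassed(*info[m]) for m in members if m in info}
            if len(states) > 1:
                problems.append(f"zone {zone} cannot be bypassed cleanly in mode {mode}")
    return problems


def shared_zones(plan):
    """Zones where a trip or fault cannot be traced to a single sensor."""
    return sorted(zone for zone, members in plan.items() if len(members) > 1)


# Constructed plan that respects the rules: 7 zones on an 8-zone panel.
GOOD_PLAN = {
    1: ["living_motion"],
    2: ["family_motion"],
    3: ["front_door"],
    4: ["back_door", "garage_door"],
    5: ["living_windows"],
    6: ["bed2_window", "owner_bed_window"],
    7: ["water"],
}

if __name__ == "__main__":
    print(check_plan(GOOD_PLAN) or "plan is valid")
    print("multi-sensor zones:", shared_zones(GOOD_PLAN))
```
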

If you need any support, mail us with your details at ssaintegrtae@gmail.com


Friday, July 1, 2022

Security Assessment Vs Security Audit

It is not often that security organizations purchase professional security services, perhaps once every five to ten years.  As such, consumers may not know exactly what service to request to best align with their physical security needs.  This article is intended to clarify the difference between a security audit and a security assessment for organizations trying to validate the effectiveness of their security program, so that the appropriate choice can be made when the time comes.

Let’s start with two questions managers should ask themselves about their security program:

1.   Are we doing the right things to protect our people, assets and information?

2. For the things we are doing in our security program, are we meeting the commitments we have made to security and are we doing things in a way that achieves desirable outcomes?

The security audit answers the second question, and the security risk assessment answers the first.  Let’s start with a view of the many things that should be looked at to determine security adequacy. The following formula illustrates the three areas of security risk that are typically analyzed.

Risk = Threat + Consequence + Vulnerability

A security audit is only going to be focused on one of these elements of the security risk formula as shown below.  An audit is not necessarily designed to diagnose criminal and terrorist risk, but certainly mitigates non-compliance risk.

Risk = Threat + Consequence + Vulnerability (or effectiveness of security)

Security audit focus: the Vulnerability term (effectiveness of security)

Security Audit

By comparison, a security audit is probably the easiest methodology for the consultant to execute, as it is simply a verification that all security measures which are supposed to be in place are in fact in place, functioning and documented correctly.  The security audit will focus on the effectiveness of security or confirm whether vulnerability is being properly mitigated.  This is as opposed to a security risk assessment, which is intended to be much more diagnostic and predictive into the future, typically five years or more.  The security audit is a point-in-time check only.  If the basis of design for the security program is incorrect, the audit may not shed light on this.  However, the security audit is an important tool in the toolbox as an agent of positive change to protect people, assets and information.  Refer also to Physical Security Audit for a video discussion by a Certified Security Professional and Certified Security Consultant.

The challenge arises when organizations ask for an audit and have no established security standard: what is the security professional using as the benchmark against which the security audit results will be measured?  Some considerations if you face this common scenario:

·        If your organization does not have a set of security standards, you must ask your prospective security professional what methodology will be used to audit your organization. Ask to see the methodology so that you can review it and ensure you will be satisfied with the outcome.  Will it cover all the necessary elements of your physical security program?  For instance, at a minimum, a proper physical security audit should include within its scope the following (note this list is by no means all-inclusive):

o   Governance

o   Access control – site perimeter, building perimeter, restricted internal areas

o   Security systems installation, operation and maintenance

o   Security related policies and procedures

o   Security awareness training and education

o   Information protection

o   Asset protection

o   Security officer utilization (if applicable)

o   Competency of non-security persons in key security roles

o   Crisis and emergency management protocols

o   Security change management

·        If you are going to request an audit from an outside security professional without having organizational security standards, you will want to ensure that the security professional has some experience in the following areas:

o   Prior similar work within your industry (for example, if you are a chemical plant, the consultant should have some level of experience in the oil, gas or chemical arena).

o   Setting up corporate or global security programs for organizations.

o   Reporting out on audits with a methodology that supports a stratification of the findings. Some findings are going to be more important than others.  There should be a means to classify gaps.  For instance, definitions for high and lower priority observations and findings are shown below.

Findings – represent clear departures from, or exceptions to, existing applicable federal or state laws or established audit security standards, where such departures or exceptions can be confirmed.  Exceptions may include any issues that were previously discovered in prior audits that are still open or were improperly or incompletely closed.

Suggestions – represent options for enhancing the plan and/or plant security to reduce the possibility of any exceptions or vulnerability to a security incident in the future.

Another caution is the type of audit that is conducted, as this will have a direct correlation to the validity of the outcome.  Two types of audits are discussed below.

First-Party Audits

First-party audits are often called self-audits. This is when someone from the organization itself will audit a process or set of processes to ensure it meets the expectations set forth in the audit protocol.  This person would typically be an employee of the organization.  In some cases, particularly under some counter-terrorism regulations such as the Marine Transportation Security Act (MTSA), first party audits are prohibited and persons with any affiliation with the security program may not audit the program.

A first party audit might be appropriate as a rehearsal for a more robust audit conducted by a third party.  Otherwise it could be argued that there could be a potential conflict of interest by auditing oneself.

I would consider an audit by an internal audit group to be a step up from the self-audit as the internal auditors are typically strict and objective.  The problem with internal auditors doing physical security audits is the lack of knowledge of the subject matter.  If an internal auditor is going to be involved in physical security audits, it is important to carefully script what will be their scope so that they are looking at things they can fairly judge that are simple and high impact.

Third-Party Audits

A third-party audit occurs when a company hires an independent entity to perform an audit to verify that the company is executing a security program consistent with regulatory expectations, internal standards or the methodology agreed with the auditor up front.  Some would argue that this is the best and most stringent means of conducting an audit to ensure objectivity.  But it also comes with a cost.

To close out the audit discussion, this type of physical security review is intended to answer the question, “For the things we are doing in our security program, are we meeting the commitments we have made to security and are we doing things in a manner that achieves the desired outcomes?”  You state that you do A, B, C and D in your security program and you have or pay someone to come in and verify that you are doing A, B, C and D.

The Security Risk Assessment

Continuing with the A, B, C, and D discussion, the audit will not necessarily tell you if A, B, C, and D are the right things to be doing in your security program.  To get this type of diagnostic insight, organizations need to be asking their consultant for a security risk assessment versus a security audit.

Risk = Threat + Consequence + Vulnerability

The security risk assessment is going to analyze all elements of the risk formula shown above.  The predictive nature of the risk assessment is borne out of the threat assessment and pairing threats with critical assets to formulate future security scenarios that will be analyzed for consequences (how bad would it be if it occurred) and vulnerability (how susceptible is the organization to a criminal or terrorist attack or, conversely, how well prepared is the organization to prevent a security incident).  Risk assessments are forward looking, but of course will take into account historical security incidents, which are one of the best predictors of future incidents.  Security risk assessments can nicely inform a security master plan, versus the security audit, which may generate some findings and corrective actions to remediate shortcomings in existing security measures.

There are many benefits of a security risk assessment:

·        Prevent incidents and criminal activity.

·        Compliance with the OSHA General Duty Clause.

·        Identify to all stakeholders what needs to be protected, why and from whom.

·        Learn where you can be victimized by criminals or terrorists.

·        Identify holistic mitigation strategies to reduce security risk to people, assets and information.

·        Stage implementation of recommendations at your own pace rather than hastily responding or overreacting after a security incident.

·        Secure funding for security improvements by making a compelling business case. (Management will sometimes react more rapidly to third party recommendations or those that are well supported with crime and other data analysis).

·        Implement many improvements without a capital investment. There are always easy, inexpensive and impactful recommendations that can be implemented at a low or even no cost.

·        Identify emergency scenarios and calibrate emergency response and business continuity plans accordingly.

·        Defend against frivolous litigation.

The illustration below shows how scenarios can be analyzed and scored to identify the highest concerns to an organization.

Security Audit

·        Point in time assessment

·        Verifies security commitments are being met

·        Leads to potential action items where gaps are identified

·        Typically less expensive than a risk assessment

·        Does not validate that the security program is aligned with risk

·        Does not provide a basis of design for an organizational security program

Security Risk Assessment

·        Forward looking methodology

·        Verifies security commitments are being met

·        Leads to a long-term security master plan and cost staging

·        More expensive than a security audit

·        Validates that the security program is aligned with risk

·        Provides a better defense of conformance to the OSHA General Duty Clause

·        Provides a better defense against frivolous premises liability claims

·        Provides a basis of design for an organizational security program

·        Enhances crisis management and resiliency