My InfoTech Journal:
Physical Security for Information Protection
Physical Security
What comes to your mind when we talk about Physical Security?
In most cases people think about padlocks, steel doors, safes, Security Guards, CCTV cameras, turnstiles, biometrics, and other cool stuff. These are all correct answers, and they can keep our valuable assets safe from thieves.
Physical Security for Information Protection
When we shift our focus to Physical Security for Information Protection, the definition shifts to securing information (personal, sensitive, confidential, critical), hardware assets, systems, networks and data from physical events and actions with malicious intent. This also includes protection from natural disasters like tornadoes, typhoons, earthquakes, flooding and fire; protection from thieves; and protection from hackers and other threats.
So where do we start?
Physical Security for Information Protection covers a wide scope: perimeter security, access control systems, surveillance monitoring, environmental management systems, event monitoring, and incident response.
The following areas should be considered when planning a Data Center location. The focus of this section will be on the Physical Security considerations for the risks mentioned.
Environmental Threats
Let us start with Environmental Threats in choosing a location for your Data Center. Your Data Center will be hosting your critical data or information. Therefore, an Environmental Threat Risk Assessment must be put high on the list when considering a location for your Data Center. I will give a few scenarios which I hope will give you a better understanding of what to consider and an idea of what else to look out for in your risk assessment of a suitable Data Center location.
The Data Center site should not be prone to Flooding
There are several challenges if your Data Center site is prone to flooding.
- Challenges in getting into the Data Center. Your Support Team will have difficulty getting to the office.
- You risk having no Technical Support on-site if the area is not passable to transportation due to flooding.
- Do take note that flooding is caused by heavy rains, which in most cases affect transportation and the mains power supply as well.
- The location of the building backup generator must be considered. It should not be in the basement or on the ground floor, where flooding could affect your building backup power supply capability. You have to ensure that the building backup power supply is located on a higher level of the building and away from flooding risks.
One good example of the impact of this scenario was when flooding affected parts of Thailand back in 2011. This flooding caused a global shortage of hard disk drives (HDDs) that threatened PC sales. The HDD shortage affected millions in sales income, with around 60% of total revenue lost for those companies that depended on HDD supply coming from Thailand. Some of the big HDD companies affected were Western Digital (WD), Seagate, and Hitachi.
Another example is from my personal experience. Back in the day, I was with EDS (Electronic Data Systems). Yes, EDS, the company founded by Ross Perot. I was in an outsourcing project for one of the first Business Process Outsourcing (BPO) companies that put up a regional office in the Philippines. Part of the building risk assessment was to verify the building infrastructure, including flooding risk, power redundancy, and other risk considerations. The building passed the whole risk assessment checklist, and we picked this building out of several building options for our requirements. Some risks were accepted, and controls were put in place to have a concrete Business Continuity Plan (BCP) to support the identified disaster scenarios.
We had been leasing several office floors, including our Data Center, in this building since 1998, with no flooding issues. Then in 2002 there was a typhoon which caused massive flooding and power interruption for a prolonged period all over Metro Manila. The building was equipped with generator sets to provide continuous power supply and pumps to pump out water from the basement levels, which should have covered the risks for this particular disaster scenario. To cut the story short, the basement level got flooded, and the pumps were not able to cope with the high volume of water. This affected the building power supply as well as the telecommunication cables.
The Data Center we had in this building was isolated for a while, and we could not do much from an IT infrastructure perspective. The combination of disaster scenarios, though remote in the probability and impact assessment phase, became a reality. The good thing about this disaster scenario is that prior to deciding to lease our office space in this building, there was already a well-thought-out accepted risk with a concrete Business Continuity Plan (BCP) to support such a disaster scenario.
The BCP was activated, and identified business-critical functions were then sent to Singapore as part of the BCP strategy while the site was being recovered back online.
This experience triggered the implementation of new solutions and mitigating controls to ensure the IT Disaster Recovery Plan (DRP) improved on infrastructure redundancy and resiliency.
The Business Continuity Plan (BCP) also implemented measures to keep employees safe during a disaster and to improve the process of deploying resources to a BCP site on short notice.
For every unfortunate experience there must be valuable lessons to take away.
The Data Center should be able to support prolonged Power Outages
To support prolonged power outages, your backup power supply, such as generator sets, should have redundancy with a backup unit (n+1).
For example, if the full building load requires one generator set, ideally you need two generator sets installed for this scenario. This gives you the flexibility of alternating the two units, allowing one unit to rest while the other is operational.
You should also ensure that you have enough fuel supply and are able to get refills easily when needed.
The Data Center should NOT be in an area with a known Fault Line
Areas on fault lines are at a higher risk of being impacted by earthquakes.
You have to verify with the local authority and ensure that your Data Center is NOT within known fault lines.
Physical Security
Physical Security for Information Protection has to start from the outside perimeter. This covers the building location, and everything else within the area must go through a stringent Risk Assessment.
Security Controls must be implemented based on the Risk Assessment results. Refer to the Risk Assessment matrix, which plots the probability or likelihood of each identified risk against the severity of the consequences that may result from it.
Here are some Security Control ideas that may be applicable for a given scenario. These are shared for knowledge purposes, in the hope that a few of these scenarios can give you a starting point for designing or implementing your Physical Security strategy.
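As an added illustration (not from the original article), here is a small Python risk register that scores each scenario from this post on a 5x5 likelihood-versus-severity matrix and shows how a control moves a risk to a lower residual band; the scores, band thresholds and control effects are assumed values for the example.

```python
from dataclasses import dataclass, field

# 5x5 matrix: likelihood and severity are each scored 1 (lowest) to 5 (highest).
# The band thresholds on the product are an assumption for this example.
BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Extreme")]

def band(score: int) -> str:
    """Map a likelihood x severity product onto a treatment band."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score out of range: {score}")

@dataclass
class Risk:
    name: str
    likelihood: int   # 1-5, how probable the event is at this site
    severity: int     # 1-5, consequence for the Data Center if it happens
    # (control, likelihood reduction, severity reduction): a control that stops the
    # event lowers likelihood, one that limits the damage lowers severity
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.severity

    def residual(self) -> int:
        """Score after the listed controls, never below 1 on either axis."""
        like, sev = self.likelihood, self.severity
        for _, d_like, d_sev in self.controls:
            like, sev = max(1, like - d_like), max(1, sev - d_sev)
        return like * sev

def assess(risks) -> dict:
    """Return {name: (inherent band, residual band)} for the register."""
    return {r.name: (band(r.inherent()), band(r.residual())) for r in risks}

# Constructed sample register built from the scenarios in the article.
REGISTER = [
    Risk("Basement flooding disables backup generators", 3, 5,
         [("Relocate generators to an upper floor", 0, 3)]),
    Risk("Earthquake on a known fault line", 2, 5,
         [("Select a site away from fault lines", 1, 0)]),
    Risk("Prolonged utility power outage", 4, 4,
         [("N+1 generator sets", 0, 2), ("Fuel resupply contract", 0, 1)]),
    Risk("Unauthorized entry through the perimeter", 3, 3,
         [("Perimeter fence, CCTV and alarms", 2, 0)]),
]
```

Risks that stay in the High or Extreme band after their controls are the ones that still need treatment or a formal risk acceptance, as in the flooding story above.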
Perimeter Security
If your Data Center is in a building built on a property or lot, the entire property must be secured with a perimeter fence or walls. In some scenarios, you may need security barriers or gate entrance barriers to help stop different types of intrusions.
You should also have monitoring cameras or CCTVs aimed at strategic positions. Your CCTV system vendor will provide guidance on where to position these CCTVs as part of their security design. There should also be alarms that trigger when there is a breach of the perimeter fence or area.
The main objective is to prevent unauthorized access to the facility.
Access Security Controls for Authorized Personnel
The entrance for employee vehicles must have security controls like visible stickers and/or Authorized Access Cards and PINs, with another layer of visual verification from the guards on duty at the gates.
The entrance for employees must have security controls like access badges, biometric access, PINs, and turnstiles that prevent piggyback (tailgating) access. Again, this can be a combination of these security controls with another layer of Security Guards providing visual verification and confirmation.
Access Security Controls for Visitors
All Visitors must be treated as unauthorized persons. Stringent security controls must be put in place to ensure that visitors are vetted prior to allowing access to the facility. Visitors like 3rd Party Partners or Vendors with a valid justification for the visit can be allowed, but with proper verification and approval from the Data Center Service Owner or Delegate. These 3rd Party Partners or Vendors can be your Telecoms Provider, Server Support, Software Support, Uninterruptible Power Supply (UPS) Support, Fire Detection and Prevention support, just to name a few. These 3rd Party Partners or Vendors should present valid identification cards, must register in the Visitors Log sheet, and should be visually verified against the ID presented. Access must only be granted within the scope of work and the area authorized for these 3rd Party Partners or Vendors. It is also a best practice that all visitors are escorted by authorized personnel during the entire activity.
Surveillance Systems
Surveillance Systems provide another layer of security control. The live CCTV feed shows you what is going on in the areas being monitored, and the stored recordings are also a very good reference when doing incident reviews. The CCTV system must comply with all regulatory and legal requirements. For example, in some countries you are not allowed to take videos or photos of individuals. A control implemented and accepted in some countries is a visual notice about the areas where video is being recorded. This notice should at least mention that the area is being monitored with a video recording device and that the person has the option not to proceed if they are not comfortable with this. This is a sensitive legal area, and you must consult your corporate lawyers for any security controls that need to comply with local regulations and laws. Your video recordings should also comply with data privacy regulations, data retention requirements and other global or local compliance requirements.
Access Security Controls
Access Security controls can be a combination of different layers of physical security controls depending on your environment, circumstances and risk appetite. Your Security Personnel must have protocols and standard operating procedures (SOPs) for handling different security breach scenarios. These procedures should be reviewed regularly to capture areas for improvement.
Environment Management Systems (EMS)
The Environment Management System (EMS) covers the management of the systems that protect your Data Center environment. This includes your Uninterruptible Power Supply (UPS), Fire Detection and Suppression System, Water Leak Detection, Air Conditioning Units, Temperature and Humidity Control, EMS Alert Notification, and other EMS controls.
Uninterruptible Power Supply (UPS)
You must have an Uninterruptible Power Supply (UPS) to ensure that all critical equipment inside your Data Center remains operational during power outages. This critical equipment includes your Servers, Network Devices, Telecoms Lines, and other critical devices. Your UPS should be redundant and should consider load balancing capabilities. There are different ways of configuring your UPS, depending on how critical the load (devices) is and how long a power outage you can tolerate. Cost will depend on your risk assessment.
Fire Detection and Suppression System
The Fire Detection and Suppression System must be installed to ensure that your Data Center covers the risk of fire damage. Controls also include ensuring your Data Center walls and other components are fire-rated based on your risk assessment results. It is also a best practice to keep portable Fire Extinguishers within designated areas. Your Fire Detection and Suppression System must be tested at least annually, or at a frequency based on local regulatory and legal requirements, while your Fire Extinguishers must be tested semi-annually or quarterly. In some countries, checking of Fire Extinguishers is done and certified by the Local Fire Department. You need to ensure you comply with all local legal requirements.
Water Leak Detection System
The Water Leak Detection System ensures that any water leak is detected before it becomes a hazard to your critical devices. It is usually installed near areas with a risk of water leaking, such as your Air Conditioning unit.
Air Conditioning Unit / Temperature & Humidity Control Systems
The Air Conditioning Units (ACU) ensure that your Data Center temperature is kept within the allowable operating temperature range of the devices installed in your Data Center. This allows your devices to function within their specified working temperature requirements.
The Temperature Control System keeps the temperature within the parameters set in the system, while the Humidity Control System checks the humidity level within the Data Center.
Environment Management System (EMS)
The Environment Management System (EMS) is at the heart of your Data Center Physical Security Control System. The EMS processes the alerts from each of the components and sends notifications via interfaces such as links to your ServiceDesk system, SMS, calls, emails and other compatible interfaces.
You need to ensure that proper procedures are in place to handle the actions or workflows for each identified event. This should include recording of events, sending of alerts, and escalation to the application support group or groups.
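The record, notify and escalate workflow described above, as an added Python example that is not part of the original article; the event types, notification channels, support groups and escalation windows in the routing table are assumptions, as is the reference time used for the sample events.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed routing (assumption): type -> (severity, channels, first-line group,
# escalation group, minutes to wait before escalating if nobody acknowledges)
ROUTING = {
    "ups_on_battery": ("high", ["email", "sms"], "facilities", "dc-manager", 15),
    "water_leak": ("high", ["email", "sms", "call"], "facilities", "dc-manager", 10),
    "fire_detected": ("critical", ["call", "sms", "email"], "fire-response", "dc-manager", 0),
}
T0 = datetime(2024, 1, 1, 2, 0)  # constructed reference time for sample events

def minutes_after(n: int) -> datetime:
    return T0 + timedelta(minutes=n)

@dataclass
class Event:
    event_type: str
    source: str          # EMS component that raised the alert
    raised_at: datetime
    acknowledged: bool = False
    escalated: bool = False
    log: list = field(default_factory=list)   # the event record

    def record(self, text: str) -> None:
        self.log.append(f"{self.raised_at.isoformat()} {self.source}: {text}")

def handle(event: Event) -> list:
    """Record the event and send first-line notifications; return the record."""
    route = ROUTING.get(event.event_type)
    if route is None:   # unknown types are still recorded and routed somewhere
        event.record(f"RECORDED unknown event {event.event_type}")
        event.record("NOTIFY servicedesk via email")
        return event.log
    severity, channels, group, _, _ = route
    event.record(f"RECORDED {severity} {event.event_type}")
    for channel in channels:
        event.record(f"NOTIFY {group} via {channel}")
    return event.log

def escalate_if_due(event: Event, now: datetime) -> bool:
    """Escalate once if the event is still unacknowledged after its window."""
    route = ROUTING.get(event.event_type)
    if route is None or event.acknowledged or event.escalated:
        return False
    escalation_group, minutes = route[3], route[4]
    if now - event.raised_at < timedelta(minutes=minutes):
        return False
    event.escalated = True
    event.record(f"ESCALATE to {escalation_group} after {minutes} min unacknowledged")
    return True
```

In a real EMS the `record` calls would write to the ServiceDesk or event store and the NOTIFY lines would drive the SMS, call and email interfaces; here they only build the event record so the workflow can be checked offline.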
This is indeed a nice topic to cover. I believe I have shared more than enough valuable information, practical tips, useful scenarios, and best practices for each of the areas covered in this article.
Please provide your thoughts, comments, or any other suggestions to improve this topic. I would appreciate this very much!
Disclaimer
This article is a result of my personal research and is not a substitute for legal advice.
Please consult your Legal Team, Ethics & Compliance, or Regulatory Team for the interpretation of specific CyberSecurity requirements.