Protecting data centres with process
Wed 27 Aug 2014
Christian Nugent, principle data centre consultant at the Government Digital Service, advises on the best procedures to ensure a safe and secure data centre.
The criteria for specifying physical security within our data centre seem to be set. A checklist of security do’s and don’ts is easy to come across on Google and everyone can be a ‘security expert’ in just a few clicks, or so it seems. The traditional belts and braces approach of building modern day fortress’s with CCTV and access control systems is tried and tested but how can you cater for unforeseen and surreptitious threats?
Successful protection of a data centre relies on understanding the complex relationship between people, process and the physical environment they operate in.
People – The engineers, managers and facilities teams are all there to make the data centre work or not. This depends on a complex mixture of morale, motivation, training, experience, management and strong leadership.
An unauthorised data leak from internal staff is one of the most devastating security breaches a company could face therefore risk mitigation should be factored in.
Security Processes – Supporting the data centre staff should be an array of processes, which have senior stakeholder support to ensure they are effectively actioned. These processes underpin the security, operation and management of the facility and ensure security is maintained and avoidable incidents reduced.
There is little point spending thousands on electronic security and access control if the systems are not supported by correct process and procedures. Visitor access approval should only be given once justification and a unique service request ID is provided to the data centre authority. Assurance that the justification and service request ID are valid is the responsibility of the data centre authority and not local security teams or remote technical teams. Do not be afraid to question why an individual needs access. This process should be supported by a regular review of the user access list and removing any persons who do not require essential access rights.
Faulty components and decommissioning go hand in hand with our data centres, but are you managing those redundant assets correctly?
Ensure you have a tried and tested destruction policy, which is mandated by the business and added as a deliverable stage in a service request.
Having a stack of redundant servers and disks in the corridor may not seem like a risk but the residual data these contain could be temptation for an internal opportunist and it would be difficult to know if something was taken. It is the responsibility of all data centre IT staff to manage the assets correctly from start to finish.
Protection planning – The Centre of the Protection of National Infrastructure advises that data centres require a Protection Plan in order to assess the facility for weaknesses, raise the profile of security, provide security in depth, and to ensure that security procedures and controls are subject to continual testing.
The protection plan will contain the Threat, Risk and Vulnerability Assessment combining the results of the Operational Requirement analysis. Development of the mitigation plan will identify key risks and manage, mitigate or present a plan to accept residual risk to the business.
Finally, asset management and how this benefits the security layer. Without intentionally wanting to talk about DCIM it does form part of a large section of the jigsaw of data centre security.
Whether your data centre utilises a DCIM tool or you are managing your estate using in house DCIM methods, providing you are managing the correct factors is what counts towards benefitting security.
Knowing what your estate looks like and what comes in and goes out is paramount to having control and satisfying a security audit. Layers of process to support Asset management must be used to ensure the asset data is correct. This would include stock inventory, delivery procedures, and decommissioning to name just a few.
Correct rack access control procedures should be in place. If your data centre cabinets are not locked or you are using the manufacturers universal key then your assets may be at greater risk due to their availability.
To compliment the Asset management you need to know what your estates physical layout looks like. What U space do you have and where is it located? What patch panel ports are being utilised and where is your capacity? This will help to identify unknown RU space or infrastructure ports you didn’t know you had which when used with the other process will create an audit trail of why the space is there when perhaps it shouldn’t be.