Securing the data centre
Introduction
When devising a proper risk management for security, it is essential to identify the different threats which are being addressed. In the case of physical security threats, these can be either environmental or human in nature. Environmental threats cause extensive damage to the IT resources in case of fire, unstable electric power, humidity and excessive heat. On the other, hand human related threats include theft, vandalism, accidental or intentional errors causing faults to the hardware and/or disruptions to the services. Non-physical threats are defined as logical threats as they are not physically tangible, yet their damage is equally if not worse than physical threats. Logical threats include corruption of systems, disruptive activity affecting information systems, unauthorized access or activity within the information systems and information loss.
The importance of dynamic systems
The utilization of dynamic systems as opposed to static ones allow greater flexibility and adoption to the ever changing security threats, especially the ones comprising asymmetric threats. In order to effectively contribute to the organization’s risk management, physical and IT security need to converge together (Pathak, 2005). Hence the convergence between physical and IT security controls is highly relevant in today’s risk and security management, especially for server rooms which are the backbone of the information system setup. The biggest challenge to converge the physical and IT security is related to the different backgrounds of each team. However, creating a governing body to implement “security policies, procedures, and deployments” (Carney, 2001) is necessary for actual value in risk management.
Physical access control guidelines
After identifying the different threats from the physical and logical domains, a generic guideline to be adopted in order to secure a server room is presented in the below 2 tables. The first table provides physical access control guidelines based on the existing literature and professional experience. For both physical and logical control, the utilization of a role based mechanism should be in place (Osborn, Sandhu & Munawer, 2000) to ensure access at the necessary clearance level.
| Physical control policy #1 | Facility monitoring – Through the implementation of CCTV in the external perimeter of the facility as well as on the outside and inside of each network room, all physical access is recorded. Such CCTV footage needs to be stored in multiple locations at the same time and controlled via password and role based management. Moreover, the recorded footage needs to be checked to ensure continuous optimal operations. |
| Physical control policy #2 | Physical access control – The facility and especially the network rooms need to be safeguarded with biometric access which normally involves a fingerprint scan and PIN code. Similar to CCTV footage, the data for access control needs to be safeguarded by proper password and role based management. |
| Physical control policy #3 | Alarm system – The network rooms need to have the necessary sensors to detect and alarm in case of any environmental threats originating from fire, humidity, temperature, or electric outage. Such sensors need to be connected to centralized monitoring and accessed using password and role-based management. |
| Physical control policy #4 | Backup and disaster recovery plan – The networks and servers need to be backed up daily and stored in an off-site location. Moreover the backups need to be validated via a Backup/Restore procedure. Additionally a Disaster recovery plan should be in place in case of catastrophic events that can compromise the network room. |
| Physical control policy #5 | To avoid that sensitive information or access is leaked after decommissioning hardware, an electronic disposal procedure for hardware and documents. |
Logical access control guidelines
The logical access control guidelines presented in table 2 address the risk originating from tampering with the logical IT infrastructure, including the support systems utilized to address the physical access.
| Logical control policy #1 | System authentication using password management and preferably with a multi-factor mechanism should be implemented on all IT equipment. |
| Logical control policy #2 | A centralized log management solution with SIEM (security incident and event management) capabilities need to be in place to ensure that all events are recorded and accessible (Dave, Mahadevia & Trivedi, 2011). |
| Logical control policy #3 | In order to prevent internal and external cyber attacks such as trojans, viruses, malware or ransomware, all IT equipment needs to be equipped with anti-virus and anti-malwares software to mitigate such threats. |
| Logical control policy #4 | The network room needs physical and application-level firewall implementations for intrusion prevention and in-transit encryption |
| Logical control policy #5 | Implement a company-wide procedure for joiners/leavers, specifically for authorized employees who have access to server rooms whereby all IT passwords need to be refreshed and prompt disabling of user profile is imperative |
| Logical control policy #6 | Implement a company-wide procedure for Internet access authorized IT equipment, including approved computers and external devices/service (personal devices and cloud storage services). |
Final comments
Existing research in the access and logical control domains is not solely focused on improving the security mechanisms (Al-Hamdani, 2010; Gomaa, Badawy & Saad, 2010) but also on patterns that are considered irregular (Leong, Fong and Yan, 2007) thus creating alerting mechanisms also on abnormal behavior. The proposed SECUAREA solution by Lopez, Redondo, Martinez, Ramiro, Hernandez, Bonilla and Breton (2007), utilizes RFID and wireless sensor network to authenticate users both at physical and logical access thus providing a convergence in physical and logical access control.
The above guidelines provide a holistic governing and supporting body of policies, procedures and deployments, to properly manage the risks associated with access control in the physical and logical domains.
References
Al-Hamdani, W. A. (2010). Cryptography based access control in healthcare web systems. 2010 Information Security Curriculum Development Conference on – InfoSecCD ’10. https://doi.org/10.1145/1940941.1940960
Carney, J. (2001). Why Integrate Physical and Logical Security? Retrieved September 5, 2021 from https://www.cisco.com/c/dam/en_us/solutions/industries/docs/gov/pl-security.pdf
Dave, S., Mahadevia, J., & Trivedi, B. (2011). Security policy implementation using connection and event log to achieve network access control. Proceedings of the International Conference on Advances in Computing and Artificial Intelligence – ACAI ’11, 29-33. https://doi.org/10.1145/2007052.2007059
Gomaa, I. A., Badawy, H. M., & Saad, E. S. (2010). Adoption of delayed feedback rekeying algorithm for secure multicast services during handover in mobile WiMAX networks. 2010 IEEE International Conference on Information Theory and Information Security. https://doi.org/10.1109/icitis.2010.5689558
Leong, A., Fong, S., & Yan, Z. (2007). A logical model for detecting irregular actions in physical access environment. 18th International Conference on Database and Expert Systems Applications (DEXA 2007). https://doi.org/10.1109/dexa.2007.134
Lopez, L., Redondo, L., Martinez, J., Ramiro, M., Hernandez, V., Bonilla, F., & Breton, F. (2007). SECUAREA: Security in physical and logical areas. The International Conference On Emerging Security Information, Systems, And Technologies (SECUREWARE 2007). https://doi.org/10.1109/secureware.2007.4385317
Osborn, S., Sandhu, R., & Munawer, Q. (2000). Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Transactions on Information and System Security (TISSEC), 3(2), 85-106. https://doi.org/10.1145/354876.354878
Pathak, J. (2005). Risk Management, Internal Controls & Organizational Vulnerabilities. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.759124
Stallings, W., & Brown, L. (2017). Computer security: Principles and practice (4th ed.). Upper Saddle River, NJ: Pearson.
Saputra, D. A., Handika, D., & Ruldeviyani, Y. (2018). Data Governance Maturity Model (DGM2) Assessment in Organization Transformation of Digital Telecommunication Company: Case Study of PT Telekomunikasi Indonesia. 2018 International Conference on Advanced Computer Science and Information Systems (ICACSIS). https://doi.org/10.1109/icacsis.2018.8618255
Wende, K. (2007). A model for data governance-Organising accountabilities for data quality management. ACIS 2007 Proceedings, 80.