Defending your data against physical threats

Transcription

1 Defending your data against physical threats Facts and guidelines for Datacentre Security Management 1

2 2 Physical security A vital link in data centre defence The exponential rise in data centres is matched only by the tandem rise in threats of malicious or accidental breaches. As business, consumer and user data is migrated to the cloud, the risks associated with a loss, theft or damage of data have the potential to cripple organisations. Most organisations recognise the need to defend their data against cyberattacks, but data centres and server racks are typically less well guarded against physical breaches whether accidental or malicious. So while valuable data may have several lines of digital defence, physical access to the cabinets and racks may be unmonitored and unprotected. In this white paper we will consider the rise of the data centre, the risks that businesses face from data loss, best practices in securing data against attack and business continuity, and how to ensure compliance with regulatory requirements. New security challenges Data compliance requirements p. 5 Three layers of physical security p data centre security tips p. 8 Cost effective access control p Defending your data against physical threats

3 New security challenges for data centres The data boom increases the need for higher security 3 New data centres are being built at a remarkable rate. The value of data centre construction contracts is estimated to reach $22 billion by More data centres, and therefore more data, means higher s ecurity risks. As more organisations share access to server rooms, there is an urgent need to prevent physical attacks and accidental damage by controlling access. And when security is breached, the costs to business can be astronomical. IBM estimates the average total cost of each data breach to be $3.79 million. Total cost of data breaches has increased by 23% since In addition to customer dissatisfaction, the cost of unprotected data includes business disruption, loss of brand equity and fines and penalties levied for non- compliance with personal and commercial data protection legislation. Alongside the growth of data centres, the global colocation market is predicted to grow from $23 billion in 2014 to $37 billion in The EMEA market represents over 26% of global market, in terms of operational square feet. 4 As described in the following pages, colocation brings unique security and compliance challenges. Colocation: shared space brings new security challenges Colocation gives businesses the freedom to manage their own software and hardware in a controlled environment. But this growing trend also brings security challenges and has data protection implications for organisations that choose to co-locate. As more organisations (including potential competitors) share access to server rooms, there is an urgent need to prevent physical attacks and accidental damage by controlling access. A typical server room may receive visitors to carry out upgrades, make repairs, install new servers and conduct routine maintenance. Organisations can t afford to ignore the risks of unauthorised personnel accessing their equipment and their data. And as the power and cost of servers increases, the liability associated with failure or loss grows. In addition, data centre facilities are often secured with mechanical locking systems, especially at server cabinet level, which can t be monitored and controlled, making access management and physical protection of the data even more difficult. 1 Research and Markets, October Benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC May Research KnowledgeBase Q Ibid. Defending your data against physical threats 3

4 4 Who is accessing your company s most sensitive data? Where? When? And if someone without authorisation did, how would you know? 4 Defending your data against physical threats

5 Data compliance requirements Virtual protection 5 The pressure to safeguard data continues to grow. Legislation and security standards aim to protect businesses and the public from the significant risks associated with data breaches. One common theme uniting these standards and legislation is the requirement to control access to data. European Data Protection Directive 95/46/EC All organisations across Europe need to comply with this directive. There are plans in 2015 to unify data protection under a new single law, the General Data Protection Regulation (GDPR), which incorporates new guidelines for data protection and privacy. As a regulation and not a directive, it will have immediate effect on all 28 EU member states and may include fines of up to 1 million euros for non-compliance or 2% gross global turnover, whichever is greater.. ISO The ISO family of standards helps organisations manage the security of assets such as financial information, intellectual property, employee details and thirdparty information. ISO/IEC details requirements for information security management systems (ISMS). OHSAS The Occupational Health & Safety Management System Standard ensures that data centres are safe and healthy environments. OHSAS requires that: Any risks to staff, visitors and contractors have been assessed Where necessary controls are put in place to reduce the risk of harm to a minimum All national/local legal and regulatory health and safety requirements are met Sarbanes-Oxley Act The Sarbanes-Oxley Act of 2002 (often shortened to SOX) was designed to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, and improve the accuracy of corporate disclosures. Complying with SOX requires security controls to ensure the integrity of financial data. PCI-DSS Payment Card Industry Data Security Standard The PCI Data Security Standard (PCI DSS) helps organisations proactively protect customer financial information. The standard requires that access to system information and operations is restricted and controlled both electronically and physically. These are just some of the most important regulations guiding data centre security. The message is clear: organisations can t afford to leave data security to chance. Defending your data against physical threats 5

6 6 The three layers of physical security Physical protection Data centres face unique challenges to ensure the security of physical and digital assets. Whether a data centre supports a handful of clients or several thousands, they have a legal and commercial responsibility to safeguard data against loss and theft. A robust security system can be considered as three layers moving inward from the facility s perimeter to server rack level. Perimeter defence Perimeter security features control access to the building, ensuring that only authorised personnel can reach servers. Perimeter security may entail CCTV, high fencing and lighting, as well as high security integrated access control systems. Server room access Commercial-grade doors, frames and hardware defend against unauthorised access to server rooms. Security features should also be designed to withstand the elements in case of fire or flood. Doors may need to be rated for a number of hazards: Climate control and airflow Natural forces Blast and ballistic Fire Radio frequency (RF) shield Sound transmission class (STC) Cabinet security The repercussions of accidental or malicious access to server cabinets can be disastrous. A loss of sensitive data could be crippling, destroying hard-earned customer trust, damaging brand equity and generating substantial non-compliance penalties. Given the high stakes, it s unsurprising that data managers are pushing for access control at the server rack level. In the event of a security breach, most organisations would want to know who had access to the server and when. With an access control system at the door and server rack level, organisations have granular control over who can access data, as well as a complete audit trail of access. 6 Defending your data against physical threats

7 7 {nomanpu Unauthorised access and use have nearly doubled within one year BREACHES BY TYPE OF METHOD Q Q Unauthorized Access/Use 26 % 16% Theft 21 % 26 % Public Access/ Distribution 25 % 20 % Loss 3 % 7 % Hacking 25 % 26 % 75 % P H Y S I C A L BREACHES Figure 1: Breaches by type of method, Source: Information Security & Data Breach Report, October 2014 Update, page 6 {monitor Physical security is about more than simply restricting access to unauthorised users, it s also about controlling and recording who has access and when. Defending your data against physical threats 7

8 8 12 data centre security tips Is your data secure against all forms of attack? This is what you can do to increase protection Aim for complete enterprise access control Choose a complete access control solution that will meet your organisation s long-term needs. Utilise the latest technology New technologies such as Power over Ethernet (PoE) and wireless can reduce costs and improve ROI. Rack-level security can save floor space and reduce the need for additional cabling. Seek senior buy-in Without the support of senior management it can be difficult to adequately implement the policies and procedures to safeguard data Ensure secure locations Choose a location with minimal risk of environmental, social or political threats. If you maintain a separate recovery site, it should be located at least three hours from your primary site. Analyse every component of your security Meet with key stakeholders from IT, security and facilities to discuss each department s challenges and concerns. Provide reliable power Design redundancy into everything related to the data centre, from transfer stations to uninterruptible power supplies, to ensure sufficient power is always available

9 9 Identify all assets that require protection Do you need to control access to a data centre, a server room or individual cabinets? Define users and access levels Identify which employees require access to sensitive data. While it s important that only valid users are given access, it s also vital that employees are able to continue their work without interruption. Educate the entire team The greatest threat to your data comes from within. By taking the time to educate your team you can ensure that everyone works together to protect data Design for success as well as compliance While complying with regulations is essential, it s also vital that security and safety measures support your business operations and provide access to IT when it is required. Identify your facility manager early Identify your facility manager and define how they fit within your organisation. Include them in security discussions and plans both long-term as well as the day-to-day operations. Create a policy for exceptions Decide how you will deal with exceptions and the need to grant temporary access so you have a defined procedure in place

10 10 Cost effective access control for data centres A mechanical master key system is expensive to run, due to secure key management costs and lack of flexibility in changing user rights. Losing a master key means replacing mechanical cylinders and keys right across your facility. There s no shortcut. So what s the solution? Aperio technology from ASSA ABLOY complements new and existing electronic access control systems. Aperio provides a simple, intelligent way to upgrade the controllability and security level of your premises. With Aperio, you can secure the perimeter, the server room and your server cabinets fully integrated with your access control system, adding access management and audit trail capabilities to almost any door opening. Racks are the last line of defence against physical access to IT equipment and data, but are often left unmonitored. The Aperio KS100 Server Cabinet lock helps address the security needs of data centre and colocation facilities by providing real-time access control to individual cabinet doors in a single card system. KS100 allows you to deploy real time notifications that report, manage and notify rack-level security breaches. Compliance Complies with Data Protection obligations Improved monitoring Access to authorised users, provides audit trails, real-time monitoring Locking status Unlock, Lock, Temporary Unlock Aperio KS100 system integration Power supply Power over Ethernet or external power supply Credentials Can be used with existing high frequency RFID credentials* 10 Defending your data against physical threats

11 11 COSTS CAUSED BY BREACHES {money} Costs caused by physical breaches about 50% higher than virtual breaches $ 3,782,169 $ 4,543,901 $ 7,687,617 $ 11,475,730 $ 2,408,070 $ 741,590 Hacking Physical breaches Unauthorized Access/Use Theft Public Access/ Distribution Loss 59,9% COSTS ARE CAUSED BY PHYSICAL BREACHES Figure 2: Costs caused by breaches by type of method, Source: Information Security & Data Breach Report, October 2014 Update, page 7 LEVEL 1: PERIMETER DEFENCE LEVEL 2: SERVER ROOM ACCESS LEVEL 3: CABINET SECURITY Access control system Communication hub Connects up to 8 devices to EAC system Range: 15 25m Wired security entrance door Online door Wireless and without modification to doors: Add doors to your EAC system with battery powered Aperio locks, escutcheons or cylinders Server rack Powered over ethernet: Add cabinets, racks and drawers to your EAC system with Aperio KS100 Defending your data against physical threats 11

12 ASSA ABLOY is the global leader in door opening solutions, dedicated to satisfying end-user needs for security, safety and convenience Wireless locking evolution for online and offline door control. Aperio is a new technology developed to complement new and existing electronic access control systems. Providing end users with a simple, intelligent way to upgrade the controllability and security level of their premises. As the world s leading lock group, ASSA ABLOY offers a more complete range of door opening solutions than any other company on the market. In the fast-growing electromechanical security segment, the Group has a leading position in areas such as access control, identification technology, entrance automation and hotel security. Since its formation in 1994, ASSA ABLOY has grown from a regional company into an international group with around 47,000 employees and sales of more than SEK 53 billion. ASSA ABLOY Access Control Willenhall West Midlands WV13 3PW United Kingdom We reserve the right to make technical modifications. Version: WP APERIO KS ENG UK