Managed Rack Solution
A digitized world needs high IT security

Our networked world:
  Enabling services: Big Data, user-centric, Mobility, Cloud
  Underlying infrastructures
Where is the security?
End-to-end Attack Points Analysis: Endpoint - Transfer - Data Center
(attack surface spanning Intranet, Internet, Extranet and Cloud)

  Webcam and microphone (internal/external) can be activated and controlled (room surveillance possible)
  Screen contents can be read
  External HDDs and USB devices can install viruses and backdoors unnoticed
  Mouse and keyboard input can be read
  Main memory holds unencrypted data
  BIOS, OS, drivers and applications can contain backdoors
  Internal data media (HDD, SSD, DVD) are readable despite encryption
  Communication (Internet/LAN/WAN): backdoors in active/passive network components
  Data is intercepted: outgoing data can be intercepted, read and manipulated
  Remote access: transfer and control of the systems by remote access
  Access to critical data: administrators can access sensitive data unnoticed
  Physical access to systems through insufficiently secured access processes
  Hacker attacks are facilitated by monitoring that is not end-to-end; logs can be falsified
End-to-end Attack Points Analysis: Endpoint - Transfer - Data Center

Why is protection against physical access so important?
If an attacker is able to access the hardware (HDD, RAM, etc.) directly, then it is hardly possible to protect the system appropriately.

Physical access to systems through insufficiently secured access processes is the attack point addressed here. FUJITSU SURIENT MRS protects the components in the rack against unauthorized access by:
  Controlling access rights
  Monitoring the doors
  Logging all actions
Overview

New rack solution with physically secured access to servers and components:
  Authorization concept: only authorized persons have physical access to servers and components inside the racks (cages)
  Auditability: all accesses and actions will be recorded in an auditable fashion
  User guidance: user guidance with easy and intuitive menus
  Investment protection: this Managed Rack Solution can be easily integrated in existing data center infrastructures
Authentication concept

Only authorized persons have physical access to servers and components inside the racks (cages):
  Biometric authentication: the user is uniquely authenticated with biometric methods (FUJITSU PalmSecure ID Match)
  Granular authorization concept: access rights can be assigned to single rack/cage doors (front/back)
  Logging: unauthorized access attempts will be identified with sensors and logged
  Central user management: the integrated central user management allows access rights to be altered at any time. This way users can be deleted very quickly.
Solution components

Easy-to-use rack solution consisting of:
  Standard 19" racks (1, 2 or 3 cages) with electromechanical locks, sensors and a Rack Management System (RMS) for monitoring of the rack
  Biometric authentication via PalmSecure ID Match for access control and lock activation
  Integrated monitoring and logging of all actions
  Rack Control Server to control and monitor several racks
  Installation and setup service
  Training
Functionality and process

  1. All users/administrators have to register through an enrolment with PalmSecure ID Match. The user data and the templates of the palm vein patterns are stored on the SmartCard. This is done with a web application on a client computer at any location.
  2. On the Rack Control Servers the access rights to racks/cages are configured for authorised users/administrators.
  3. The users/administrators select in the application on PalmSecure ID Match which rack/cage they want to lock or unlock. After successful authentication and rights validation the suitable action will be performed.
  4. All actions will be recorded and forwarded to a monitoring system.
Process: lock/unlock of a rack

  1. The user selects the rack/cage and the action (lock/unlock) on PalmSecure ID Match *1
  2. PalmSecure ID Match checks authenticity: Not OK -> back to (1); OK -> continue
  3. The Rack Control Server checks the access rights: OK -> continue
  4. The lock/unlock action is performed *2

*1 During enrolment PalmSecure ID Match automatically enters the enrolment dialog. Thereafter it can be changed back to (1).
*2 It is possible to administer several racks simultaneously by entering several cage IDs.
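The decision flow on the two preceding slides (enrolment, per-door access rights, authenticity check, rights check, actuation, logging of every attempt including sensor-detected ones, fast revocation) can be modelled end to end. The following is an added example and is not Fujitsu code: the PalmSecure template is simulated by a SHA-256 digest of the scan bytes (a real PalmSecure template is a proprietary biometric feature set), the class and method names, the cage/door identifiers and the log format are assumptions, and the hash-chained audit log is this example's way of addressing the "logs can be falsified" point from the attack-points slide.

```python
"""Added example (not Fujitsu code): model of the Managed Rack Solution flow
enrol -> grant rights -> authenticate -> check rights -> actuate lock -> log.
All names, the template representation and the log format are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac


def make_template(palm_scan: bytes) -> str:
    """Stand-in for the palm-vein template: a SHA-256 digest of the scan bytes."""
    return hashlib.sha256(palm_scan).hexdigest()


@dataclass(frozen=True)
class SmartCard:
    """Enrolment result: user id and template stored on the card (step 1)."""
    user_id: str
    template: str


def enrol(user_id: str, palm_scan: bytes) -> SmartCard:
    return SmartCard(user_id, make_template(palm_scan))


@dataclass(frozen=True)
class AuditEvent:
    user_id: str
    cage_id: str
    door: str
    action: str
    result: str     # "OK", "DENIED" or "ALERT"
    reason: str
    prev_hash: str  # hash chain: editing or removing an earlier event is detectable
    ts: str

    def digest(self) -> str:
        fields = (self.user_id, self.cage_id, self.door, self.action,
                  self.result, self.reason, self.prev_hash, self.ts)
        return hashlib.sha256("|".join(fields).encode()).hexdigest()


class RackControlServer:
    """Holds per-user rights for single cage doors (front/back) and the audit log."""

    def __init__(self) -> None:
        self.rights: dict[str, set[tuple[str, str]]] = {}
        self.locks: dict[tuple[str, str], str] = {}   # (cage_id, door) -> state
        self.audit: list[AuditEvent] = []

    def grant(self, user_id: str, cage_id: str, door: str) -> None:
        self.rights.setdefault(user_id, set()).add((cage_id, door))

    def revoke_user(self, user_id: str) -> None:
        """Leaver process: delete the user; there are no keys or cards to collect."""
        self.rights.pop(user_id, None)

    def _log(self, user_id, cage_id, door, action, result, reason) -> None:
        prev = self.audit[-1].digest() if self.audit else "0" * 64
        self.audit.append(AuditEvent(user_id, cage_id, door, action, result, reason,
                                     prev, datetime.now(timezone.utc).isoformat()))

    def request(self, card: SmartCard, live_scan: bytes,
                cage_ids: list[str], door: str, action: str) -> dict[str, bool]:
        """One request may name several cage ids (footnote *2 on the process slide)."""
        if action not in ("lock", "unlock"):
            raise ValueError("action must be 'lock' or 'unlock'")
        # Check authenticity: live palm scan against the template on the card.
        if not hmac.compare_digest(make_template(live_scan), card.template):
            for cage_id in cage_ids:
                self._log(card.user_id, cage_id, door, action, "DENIED", "authentication failed")
            return {cage_id: False for cage_id in cage_ids}
        results = {}
        for cage_id in cage_ids:
            # Check access rights: granted per single cage door, not per rack.
            if (cage_id, door) not in self.rights.get(card.user_id, set()):
                self._log(card.user_id, cage_id, door, action, "DENIED", "no access right")
                results[cage_id] = False
                continue
            self.locks[(cage_id, door)] = "unlocked" if action == "unlock" else "locked"
            self._log(card.user_id, cage_id, door, action, "OK", "lock actuated")
            results[cage_id] = True
        return results

    def door_contact(self, cage_id: str, door: str, opened: bool) -> None:
        """Door contact sensor: a door opening while its lock is engaged is an attempt."""
        if opened and self.locks.get((cage_id, door), "locked") == "locked":
            self._log("-", cage_id, door, "open", "ALERT", "door opened while locked")

    def verify_audit(self) -> bool:
        """Recompute the hash chain; an edited or removed earlier event breaks it."""
        prev = "0" * 64
        for ev in self.audit:
            if ev.prev_hash != prev:
                return False
            prev = ev.digest()
        return True
```

Every attempt is logged whether it succeeds or not, so an attacker who obtains a card but not the matching palm leaves "authentication failed" entries behind, and a leaver's card stops working the moment `revoke_user` runs. The hash chain only protects events that are followed by later ones; truncating the tail is not visible to `verify_audit`, which is why the last digest should be forwarded to the external monitoring system (step 4 of the process) rather than kept only on the Rack Control Server.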
Advantages and benefits

Managed Rack Solution:
  Biometric authentication: impossible to duplicate the keys or ID cards
  No security risk from losing keys or ID cards
  After an employee leaves the company, access can be blocked by erasing the access rights (no need to collect keys or ID cards)
  Possible to lock and unlock racks remotely from any location (configurable)
  All actions will be stored in a monitoring system
  The solution can easily be extended or adjusted to current requirements
Use cases

  Internal data center with higher security requirements for single areas: infrastructure for areas with higher security requirements can be secured with specially secured racks. By using racks of up to 3 cages (13 U) small units can be secured as well.
  Hoster (examples: universities, housing providers): single institutions or departments (e.g. university) or single customers (housing provider) can be provided with secured environments in very small rooms which only specified persons are able to enter.
  Hoster or internal IT with data centers spread over a campus: central management and monitoring of all racks in several distributed data centers.
  Branches (N locations with fewer racks): higher security through colocation racks with special security characteristics.
  Local and central control: local enrolment possible from a central administration system.
Concept and architecture

  A Managed Rack Solution consists of 1-n blocks.
  In each block a Rack Control Server controls and monitors the connected racks/cages (1-16).
  It is possible to configure which PalmSecure ID Match controls the access to which block.
  The enrolment of SmartCards can be done on an admin client with a web interface anywhere.
  Optionally a dedicated PalmSecure ID Match can be used for enrolment.
  The Rack Control Server provides an interface for the integration of a monitoring system.

Diagram: enrolment and monitoring over the customer LAN; a PalmSecure ID Match for enrolment; Block 1 ... Block n, each with its own Rack Control Server and PalmSecure ID Match, and Rack/Cage 1 ... Rack/Cage n, each with a Rack Management System.
Caging in the data center without fences

  Today: racks are physically secured by fences
  With MRS: racks are secured by the Managed Rack Solution

Benefits:
  Saves space and money
  Reduces security risks
Solution structure

Base package: contains all components that are necessary for a block of a Managed Rack Solution:
  1 rack, FUJITSU M2 or Emerson-Knürr DCM Colocation, with 1, 2 or 3 cages
    Electromechanical locks (MLR1000)
    RMSII compact
    Door contact sensors
    Optional: penetration sensors
  1 Rack Control Server PRIMERGY RX1330
  1 PalmSecure ID Match
  FUJITSU Managed Rack Solution software
  Installation, configuration and handover service complete the base package:
    Installation and configuration of the infrastructure
    Initial startup in the customer's environment
    Handover and briefing of the customer
    The solution will be delivered completely installed and preconfigured

With extensions: the base package is optionally expandable:
  Additional racks of different types
  PalmSecure ID Match systems for local or central control/enrolment
  Additional base packages for additional blocks
  Services: additional service packages for extension, consulting and training round off the solution
Roadmap (Q3 2015 to Q2 2017): Sealed Rack Solution and Managed Rack Solution

Sealed Rack Solution (SRS):
  Protection against physical access with strengthened hardware cages
  Protection against electronic attacks with closed ports and end-to-end encryption
  SRS EFT: Early Field Trial only
  SRS 1.0: initial version

Managed Rack Solution (MRS):
  Only authorized persons have physical access to servers and components inside the racks and cages respectively
  Accesses and actions will be recorded in an auditable fashion
  User guidance occurs with easy and intuitive menus
  MRS EFT: Early Field Trial only
  MRS 1.0: initial version
  MRS 1.1: monitoring with Nagios / Icinga

Legend: Not decided; Roadmap product; New vs last month
Summary

In a nutshell:
  + Use of standard 19" racks with electromechanical locks and sensors
  + Only authorized persons have physical access to servers and components inside the racks and cages
  + Users have to authenticate themselves with biometric methods. Therefore access rights cannot be transferred to others
  + All accesses and access attempts will be logged in an auditable fashion
  + Setup, installation and training done on the customer site within one day
  + Money saving due to much higher flexibility and less space compared to a data center with fences!

Effective physical protection of the racks from unauthorized access
Logging of every access with biometric authentication
Investment protection and money saving
Information & Contact

Contact: Thomas Schkoda (Product Manager), thomas.schkoda@ts.fujitsu.com