IP-Based Infrastructure Solutions for Critical Spaces
Presented by: Andrew Flint, RCDD/NTS, Regional Technical Manager
Agenda
Industry drivers
Developing the physical security plan for data centers
  Physical protection guidelines and strategies
    Crime Prevention Through Environmental Design (CPTED)
    TIA-942 standard
  Security technologies for data centers
    Perimeter layer controls
    Facility layer controls
    Computer room layer controls
    Cabinet-level controls
Industry Drivers for Data Center Security
Sensitive data
  Medical records
  Social Security numbers
  Financial transactions and cardholder data
  Intellectual property and confidential information
Critical infrastructure and key resources, as defined by the Department of Homeland Security: the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof.
These industries have data centers vital to national and economic security: agriculture, banking, chemical, critical manufacturing, communications, energy, healthcare, nuclear facilities, transportation, water
Data Up For Grabs
Source: InformationWeek, "Workers All Too Ready to Steal Company Data" and "Data Up for Grabs", Nov. 30, 2009; Cyber-Ark survey of 600 financial industry workers in New York and London, via InformationWeek and Actimize surveys
Data Security Breaches
Source: http://www.privacyrights.org/ar/chrondatabreaches.htm#2010
Cyber Security Measures Are Not Sufficient
Physical Security
  Tracks people
  Limits access to areas, spaces
  Provides audit trail of who accessed what area
  Integrates with video to provide visual record of person
Logical Security
  Tracks logins
  Limits access to servers, folders and applications
  Provides audit trail of what login accessed what data
Data Centers Present Unique Challenges
Lack of security awareness and cooperation between security and IT staff
Co-location and stand-alone data center facilities need, and may be required by law, to comply with internal, external and disparate security measures
PCI DSS, HIPAA, Sarbanes-Oxley, et al. require physical areas, materials, data and hardware to be secured
Source: TZ
Business Trends in Security Systems
Moving from reactive toward predictive response
Integrating with other systems
Providing additional operator control
Reducing costs of traditional systems
Preserving existing capital investment
Technology Trends in Security Systems
Standardized structured approach
  Modular, flexible implementation
  Easy moves, adds and changes (MAC)
  Mainstream methods and practices
Analog-to-digital migration
  Digital allows better image management: record, store, search, retrieve, share, send
  Takes advantage of innovations of the computer industry
Developing the Physical Security Plan
Physical Protection Guidelines & Strategies
  Crime Prevention Through Environmental Design (CPTED)
  ANSI/TIA-942
Technologies for Data Center Security
  Perimeter layer controls
  Facility layer controls
  Computer room layer controls
  Cabinet-level controls
Physical Protection Guidelines and Strategies: Crime Prevention Through Environmental Design
Awareness of how people use space
  All space has a designated purpose
  Social, cultural, legal and physical dimensions affect behavior
Control the physical setting to change behavior
  Understand and change behavior in relation to physical surroundings
  Redesign space to encourage legitimate behaviors and discourage illegitimate use
Physical Protection Guidelines and Strategies: Defense in Depth
Use cyber security
Implement layers of protection
Ensure failure of one element in the system will not create a critical vulnerability in the whole system
Layers around the assets being protected:
  Inner protective layer (e.g., doors within building)
  Middle protective layer (e.g., exterior building)
  Outer protective layer (e.g., natural or man-made barrier at property line)
Source: ASIS Facilities Physical Security Guideline
Security Technologies for Data Centers
Layers: Perimeter, Facility, Computer Rooms, Cabinets
Site location considerations
Security measures
  Perimeter layer controls
  Facility layer controls
  Computer room layer controls
  Cabinet-level controls
Perimeter Layer Controls
Goals
  Deter, detect and delay
  Integrate systems
  Provide layers of protection
Security measures
  Physical barriers
  Site hardening
  Lighting
  Intrusion detection
  Video surveillance
  Physical entry and access control
Site Hardening
Parking away from building
Clear zones
Security walls and gates
No signage indicating data center purpose
Intimidating doors and hardware: steel doors and heavy-duty locks
No windows or skylights
Six-wall border for data center assets
Secure air-handling systems
TIA-942 Data Center Site Selection Criteria
Secure all cooling equipment, generators, fuel tanks or access provider equipment situated outside the customer space
Common areas should be monitored by cameras
The computer room should not be located in close proximity to a parking garage
The building should not be located:
  In a 100-year flood plain, near an earthquake fault, on a hill subject to slide risk, or downstream from a dam or water tower
  Within 0.4 km (¼ mile) of an airport, research lab, chemical plant, landfill, river, coastline or dam
  Within 0.8 km (½ mile) of a military base
  Within 1.6 km (1 mile) of a nuclear, munitions or defense plant
  Adjacent to a foreign embassy
  In high-crime areas
TIA-942 Data Center Infrastructure Tiers
Annex includes detailed architectural, security, electrical, mechanical and telecommunications recommendations for each tier
Higher tiers correspond to higher availability, but also higher construction costs
Recommended specifications by tier are a uniform way to rate aspects of a data center design and are a starting point for initiating design requirements with qualified architects and engineers
Source: Uptime Institute Data Center Reliability Tiers
TIA-942 Data Center Security Tiers (tier tables spanning three slides)
Source: ANSI/TIA-942
Perimeter Video Surveillance
Monitor
  Perimeter
  Parking lots
  Entry and exit points
  Garbage bins
  External storage areas, power or cooling facilities
  Building facade and rooftop
Detect
  Motion detection: trigger alarm or recording on motion in field of view
  Intelligent video analytics: object left behind, people counting, trip line, wrong way
  Edge-based vs. server-based analytics
Image courtesy of Bosch Security Systems
Perimeter Video Surveillance: Integrated Systems
Features
  Data and events from multiple systems integrated
  See video or access control events from either GUI
  Data exchanged across IP network via open interfaces
Benefits
  Saves time correlating events and timelines
  Resolves faster
  Offers automated alerts: e-mail, pager, etc.
Image courtesy of Bosch Security Systems
Resolutions Compared
  5.0 MP  2560x1920
  3.1 MP  2048x1535
  2.0 MP  1600x1200
  1.3 MP  1280x1024
  PAL     720x576
  VGA     640x480
  CIF     352x288
Image courtesy of IQinVision
HDTV Camera Resolution
Up to 5 times higher resolution than analog TV
Standardized color fidelity
16:9 format
  Discards nonrelevant parts
  Makes it easier for the operator
  Saves bandwidth
  Saves storage
HDTV 720 (1280x720) and HDTV 1080 (1920x1080); figure compares the 4:3 ratio with the 16:9 ratio
Image courtesy of Axis Communications
Video Surveillance: Network Video Megapixel Resolution
Sample images at VGA (640x480), HDTV 720 (1280x720), HDTV 1080 (1920x1080), 3.1 MP (2048x1535) and 5.0 MP (2560x1920)
Images courtesy of IQinVision
Video Management Platforms
Hybrid DVR
  Familiar interface
  Analog and IP cameras
  Proprietary and limited scalability
Hardware NVR
  Specifically designed for IP surveillance cameras
  Proprietary
VMS on PC/server platform
  Nonproprietary
  Off-the-shelf hardware
  Simplicity in system maintenance
  Widespread knowledge, simple to understand
  Upgrade single components: memory, CPU, etc.
  Best-of-breed hardware components
  Preconfigured options available
Summary: Perimeter Layer Controls
Physical barriers
Video surveillance: monitor parking lots, neighboring property and building entrances and exits
Access control: keep access points to a minimum
Facility Layer Controls
Goals
  Secondary layer of protection
  Further restrict access
  Redundant power and communications
  Integrated systems
Security measures
  Access control
  Man-traps
  Turnstiles
  Visitor management
  Video surveillance
Access Control: Prevent Tailgating
Man-traps: two interlocking doors open only one at a time after presenting an authorized credential
Turnstiles: physically allow only one person to pass through at a time
Video analytics: count the number of people going through a doorway
Video Analytics
Analyzes pixels in a frame of video
Detects behaviors in the pixels
Makes decisions based on set characteristics
From simple
  Motion detection
  Camera tampering
  Object recognition and tracking
  People counting
To complex
  License plate readers
  Facial recognition
  Fire and smoke detection
Is edge-based or server-based; server-based allows more complexity
Visitor Management
Paper sign-in sheets are not secure: incomplete, illegible, and any visitor can view the log
Use a driver's license, passport or business card, scanned and recorded in a secure database
Customizable, high-quality badges printed automatically or by a guard
Integrate with existing access control systems
Badges can automatically expire
  VOID may appear across the badge
  Change in color
  Prox rendered inactive after a certain time or date
Indoor Video Surveillance
Monitor exits as well as entrances
Integrate with access control to monitor internal access
Use high-resolution cameras for identification purposes
Configure systems to record on motion or event to save storage requirements
Consider video compression technology
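The man-trap interlock, the people-counting tailgate check and the auto-expiring visitor badge from the slides above, simulated as one controller with an audit trail. This is an added example, not code from the presentation or any vendor; the badge table, timestamps and event names are constructed for illustration.

```python
from datetime import datetime

# Constructed credential table (hypothetical): badge id -> (holder, ISO expiry); visitor badge expires end of day.
CREDENTIALS = {
    "B-1001": ("alice", "2030-01-01T00:00:00"),
    "V-0017": ("visitor-17", "2024-06-01T17:00:00"),
}

class ManTrap:
    """Two interlocking doors: the inner door opens only after a valid badge was read and the
    outer door closed again; a people counter on the inner door raises a tailgating alarm."""
    def __init__(self, credentials):
        self.credentials = credentials
        self.outer_open = False
        self.inner_open = False
        self.cleared = None      # holder currently cleared to cross the vestibule, or None
        self.audit = []          # audit trail: (timestamp, event, detail)
    def _log(self, now, event, detail):
        self.audit.append((now, event, detail))
    def present_badge(self, badge, now):
        """Badge read at the outer door; True when the outer door unlocks."""
        holder, expiry = self.credentials.get(badge, (None, None))
        if holder is None:
            reason = f"unknown badge {badge}"
        elif datetime.fromisoformat(now) >= datetime.fromisoformat(expiry):
            reason = f"expired badge {badge} ({holder})"
        elif self.inner_open or self.cleared is not None:
            reason = "interlock: vestibule in use"
        else:
            self.cleared, self.outer_open = holder, True
            self._log(now, "OUTER_OPEN", holder)
            return True
        self._log(now, "DENY", reason)
        return False
    def close_outer(self, now):
        self.outer_open = False
        self._log(now, "OUTER_CLOSED", self.cleared)
    def open_inner(self, now):
        """Interlock: inner door stays locked while the outer door is open or nobody is cleared."""
        if self.outer_open or self.cleared is None:
            self._log(now, "DENY", "interlock: outer door open or no cleared badge")
            return False
        self.inner_open = True
        self._log(now, "INNER_OPEN", self.cleared)
        return True
    def close_inner(self, now, people_counted):
        """Inner door closes; the people counter decides between PASSED and TAILGATE_ALARM."""
        self.inner_open = False
        event = "PASSED" if people_counted == 1 else "TAILGATE_ALARM"
        self._log(now, event, f"{self.cleared}, {people_counted} counted")
        self.cleared = None
        return event == "PASSED"
```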
High-Resolution Images
Image courtesy of Scientific Working Group on Imaging Technology & APTA Draft Guidelines for Cameras and Digital Video Recording Systems
Camera Resolution: Identification Guidelines
Figure compares three levels: general surveillance, forensic detail, high detail
Source: Univision
The Potential Impact of the Cabling Infrastructure
IP video over minimally compliant Category 5e vs. IP video over Category 6A
A Category 5e cabling infrastructure's absence of headroom minimizes the infrastructure's ability to compensate for marginal electronics
A Category 6A cabling infrastructure provides headroom to overcome issues related to the electronics
Video Compression Technologies
Motion JPEG: all pictures in the video are complete (just like a digital still camera)
MPEG-4: only the differences are coded in some pictures
Image courtesy of Axis Communications
Video Compression Technologies: H.264
Diagram labels: search window, matching block, motion vector, target block, earlier reference frame, P-frame
Image courtesy of Axis Communications
H.264 Bandwidth Test
Lower TCO: Bandwidth and Storage
H.264: the ultimate video compression
H.264 compression, example savings in bandwidth and storage consumption:
  vs. Motion JPEG: 80%
  vs. MPEG-4 Part 2: 50%
Image courtesy of Axis Communications
Facility Controls: Summary
Provide multiple layers of protection
Install integrated systems to provide greater awareness
Implement multiple identity verification methods
Install indoor surveillance for identification and monitoring
Keep all visitor areas separate (including restrooms)
Maintain six-wall borders
Supply power back-up
Ensure redundant communications out of the NOC (separate providers, cell tower networks, etc.)
Computer Room Layer Controls
Goals
  Third layer of protection
  Further restrict access
  Multiple forms of verification
  Monitor all authorized access
  Redundant power and communications
  Integrated systems for enhanced awareness
Security measures
  Man-traps and turnstiles
  Video analytics
  Biometrics
  RFID
  Environmental monitoring
Identity Verification Methods
Carried: token or other item carried by the individual (metal keys, proxy cards, mag cards, photo ID, smart cards)
Known: private information (PIN, passwords, code words)
Inherent: biometric features (finger and thumb prints, hand geometry, iris scan, speech pattern, vascular)
Image courtesy of HID Global and Ingersoll Rand Security Technologies
Identity Verification: Biometrics
High-level security applications
Inherent and unique to the user
Much more difficult to replicate than passwords or PINs
Cannot be lost or stolen
Variations
  Facial scan
  Fingerprint
  Hand geometry
  Iris
  Vascular
RFID for the Data Center Environment
Eliminate manual spreadsheets for tracking
  Inventory
  Asset locations
  Life-cycle data
RFID technologies can provide instant awareness of data center assets
  Rack-mounted equipment
  Mobile equipment such as laptops
  Employees (e.g., credential tags)
Some systems also offer environmental monitoring sensors
Computer Room Layer Controls: Summary
Restrict access
Eliminate tailgating
Monitor exit and entry points
Require multiple identity verification methods
Maintain six-wall border
Address proper thermal management
Implement RFID system for asset tracking
Cabinet-Level Controls
Goals
  Fourth layer of protection
  Further restrict access
  Integrated systems for enhanced awareness
Security measures
  Cabinet-level locking
  Audit trails
  Intelligent infrastructure
Access Control at the Cabinet Level
Increase security at the cabinet level
Work with existing enterprise access control systems
Efficiently bring electronic security and audit trail capability to the cabinet or enclosure level
The Power of Integrated Systems
Diagram components: fiber panel, core switch/router, network video recorder (NVR), access control server, UPS, IP data
Response
  Resolves issues faster
  Saves time correlating events and timelines
  Moves from reactive toward predictive
  Provides real-time anywhere alerts for monitoring and recording
Operation
  Provides additional operator control
  Reduces deployment, training and support costs
  Preserves and protects capital investments
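The earlier slide contrasts the physical audit trail (who entered which area) with the logical one (which login touched which server), and this slide says integrated systems pay off by correlating events across both. As an added example, not from the presentation or any vendor product, the script below joins the two trails over constructed sample logs (hypothetical formats) and flags console logins in a computer room whose badge history shows the user is not present.

```python
from datetime import datetime

# Constructed sample logs (hypothetical format, not from the slides).
# Access control trail: timestamp result user room direction
BADGE_LOG = """\
2024-06-01T08:55:10 GRANT alice computer-room-A IN
2024-06-01T09:40:00 GRANT alice computer-room-A OUT
2024-06-01T10:02:30 GRANT bob computer-room-A IN
2024-06-01T10:05:00 DENY carol computer-room-A IN
"""
# Server authentication trail: timestamp host room method user
LOGIN_LOG = """\
2024-06-01T09:05:12 srv-db01 computer-room-A console alice
2024-06-01T09:50:00 srv-db01 computer-room-A console alice
2024-06-01T10:10:00 srv-web02 computer-room-A console carol
2024-06-01T10:12:00 srv-web02 computer-room-A ssh carol
"""

def parse_badge_events(text):
    """Keep only granted badge reads, ordered by time: (time, user, room, IN/OUT)."""
    events = []
    for line in text.splitlines():
        ts, result, user, room, direction = line.split()
        if result == "GRANT":
            events.append((datetime.fromisoformat(ts), user, room, direction))
    return sorted(events)

def present_in_room(badge_events, user, room, at):
    """True if the user's most recent granted read for that room before `at` was an IN."""
    last = None
    for ts, u, r, direction in badge_events:
        if u == user and r == room and ts <= at:
            last = direction
    return last == "IN"

def unbadged_console_logins(badge_text, login_text):
    """Console (local) logins in a room where the physical audit trail says the user is absent.
    Remote logins are skipped: they need no body in the room, so only the logical trail applies."""
    badge_events = parse_badge_events(badge_text)
    alerts = []
    for line in login_text.splitlines():
        ts, host, room, method, user = line.split()
        if method != "console":
            continue
        if not present_in_room(badge_events, user, room, datetime.fromisoformat(ts)):
            alerts.append((ts, user, host, room))
    return alerts

if __name__ == "__main__":
    for alert in unbadged_console_logins(BADGE_LOG, LOGIN_LOG):
        print("console login without matching badge-in:", alert)
```

In the sample data alice's second login comes after her badge-out, and carol was denied at the door, so both are reported while bob's absence of logins and carol's remote session are not.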
Convergence and the IP Migration
Migration from analog to digital and IP
Building systems converge
Standardized structured approach
Utility-grade connectivity
Open-architecture
Interoperability
Stages shown across three slides:
  Legacy approach: important role for single-function systems
  Migration to network approach: isolated systems join the IP Connected Enterprise
  IP Connected Enterprise: replaces isolated systems
Intelligent Infrastructure Management Solutions
What are the components?
Hardware: high-end cable assemblies, intelligent patch panels, analyzers, probes*
Software: collects real-time information and enables the administrator to visualize data on a screen, make connections, check their integrity and develop accurate documentation
*Each competitive solution has a slightly different mix of components
Summary
Perimeter, facility and computer room physical security may not be sufficient to prevent breaches
IP-enabled physical security systems improve reaction time
Technology is maturing, moving toward predictive response
Leverage existing physical security best practices and industry standards to develop the security plan
Thank you!