Archive for July, 2010

Data Center Physical Security

19 Ways to Build Physical Security into a Data Center

Mantraps, access control systems, bollards and surveillance. Your guide to securing the data center against physical threats and intrusions.

There are plenty of complicated documents that can guide companies through the process of designing a secure data center—from the gold-standard specs used by the federal government to build sensitive facilities like embassies, to infrastructure standards published by industry groups like the Telecommunications Industry Association, to safety requirements from the likes of the National Fire Protection Association. But what should be the RAPS’ high-level goals for making sure that security for the new data center is built into the designs, instead of being an expensive or ineffectual afterthought?

Read below to find out how a fictional data center is designed to withstand everything from corporate espionage artists to terrorists to natural disasters.

Sure, the extra precautions can be expensive. But they’re simply part of the cost of building a secure facility that also can keep humming through disasters.

1. Build on the right spot. Be sure the building is some distance from headquarters (20 miles is typical) and at least 100 feet from the main road. Bad neighbors: airports, chemical facilities, power plants. Bad news: earthquake fault lines and (as we’ve seen all too clearly this year) areas prone to hurricanes and floods. And scrap the “data center” sign.

2. Have redundant utilities. Data centers need two sources for utilities, such as electricity, water, voice and data. Trace electricity sources back to two separate substations and water back to two different main lines. Lines should be underground and should come into different areas of the building, with water separate from other utilities. Use the data center’s anticipated power usage as leverage for getting the electric company to accommodate the building’s special needs.

3. Pay attention to walls. Foot-thick concrete is a cheap and effective barrier against the elements and explosive devices. For extra security, use walls lined with Kevlar.

4. Avoid windows. Think warehouse, not office building. If you must have windows, limit them to the break room or administrative area, and use bomb-resistant laminated glass.

5. Use landscaping for protection. Trees, boulders and gulleys can hide the building from passing cars, obscure security devices (like fences), and also help keep vehicles from getting too close. Oh, and they look nice too.

6. Keep a 100-foot buffer zone around the site. Where landscaping does not protect the building from vehicles, use crash-proof barriers instead. Bollard planters are less conspicuous and more attractive than other devices.

7. Use retractable crash barriers at vehicle entry points. Control access to the parking lot and loading dock with a staffed guard station that operates the retractable bollards. Use a raised gate and a green light as visual cues that the bollards are down and the driver can go forward. In situations when extra security is needed, have the barriers left up by default, and lowered only when someone has permission to pass through.

8. Plan for bomb detection. For data centers that are especially sensitive or likely targets, have guards use mirrors to check underneath vehicles for explosives, or provide portable bomb-sniffing devices. You can respond to a raised threat by increasing the number of vehicles you check, perhaps by checking employee vehicles as well as visitors and delivery trucks.

9. Limit entry points. Control access to the building by establishing one main entrance, plus a back one for the loading dock. This keeps costs down too.

10. Make fire doors exit only. For exits required by fire codes, install doors that don’t have handles on the outside. When any of these doors is opened, a loud alarm should sound and trigger a response from the security command center.

11. Use plenty of cameras. Surveillance cameras should be installed around the perimeter of the building, at all entrances and exits, and at every access point throughout the building. A combination of motion-detection devices, low-light cameras, pan-tilt-zoom cameras and standard fixed cameras is ideal. Footage should be digitally recorded and stored offsite.

12. Protect the building’s machinery. Keep the mechanical area of the building, which houses environmental systems and uninterruptible power supplies, strictly off limits. If generators are outside, use concrete walls to secure the area. For both areas, make sure all contractors and repair crews are accompanied by an employee at all times.

13. Plan for secure air handling. Make sure the heating, ventilating and air-conditioning systems can be set to recirculate air rather than drawing in air from the outside. This could help protect people and equipment if there were some kind of biological or chemical attack or heavy smoke spreading from a nearby fire. For added security, put devices in place to monitor the air for chemical, biological or radiological contaminant.

14. Ensure nothing can hide in the walls and ceilings. In secure areas of the data center, make sure internal walls run from the slab ceiling all the way to subflooring where wiring is typically housed. Also make sure drop-down ceilings don’t provide hidden access points.

15. Use two-factor authentication. Biometric identification is becoming standard for access to sensitive areas of data centers, with hand geometry or fingerprint scanners usually considered less invasive than retinal scanning. In other areas, you may be able to get away with less-expensive access cards.

16. Harden the core with security layers. Anyone entering the most secure part of the data center will have been authenticated at least three times, including:

a. At the outer door. Don’t forget you’ll need a way for visitors to buzz the front desk.
b. At the inner door. Separates visitor area from general employee area.
c. At the entrance to the “data” part of the data center. Typically, this is the layer that has the strictest “positive control,” meaning no piggybacking allowed. For implementation, you have two options:
1. A floor-to-ceiling turnstile. If someone tries to sneak in behind an authenticated user, the door gently revolves in the reverse direction. (In case of a fire, the walls of the turnstile flatten to allow quick egress.)
2. A “mantrap.” Provides alternate access for equipment and for persons with disabilities. This consists of two separate doors with an airlock in between. Only one door can be opened at a time, and authentication is needed for both doors.
d. At the door to an individual computer processing room. This is for the room where actual servers, mainframes or other critical IT equipment is located. Provide access only on an as-needed basis, and segment these rooms as much as possible in order to control and track access.
17. Watch the exits too. Monitor entrance and exit—not only for the main facility but for more sensitive areas of the facility as well. It’ll help you keep track of who was where when. It also helps with building evacuation if there’s a fire.

18. Prohibit food in the computer rooms. Provide a common area where people can eat without getting food on computer equipment.

19. Install visitor rest rooms. Make sure to include bathrooms for use by visitors and delivery people who don’t have access to the secure parts of the building.


How Do You Store & Manage Your Enterprise Data

Enterprise Data Storage: Your Data Is Your Entire Business!

The most important asset of any organization is its data. Failure to manage it, protect it, retain it and be able to retrieve it when and how you need it is almost equal to closing down your entire business. Proper data storage and management assures you of business continuity even when you have had a total disaster involving data loss for the entire organization.
I once asked an IT Manager of a certain bank how he manages his data, putting into consideration time to back up, recover lost data and the day-to-day IT functions for bank. His response was… “I spend two to three hours backing up every end of working day… we once lost data because of a power failure and we could only recover about 60% of it. It was a disaster and some people lost their jobs. We had to think of some kind of insurance for such a disaster in case it had to happen again in future. Sometimes I am in office on weekends to ensure that everything is running smoothly….” Can you imagine that? Sincerely this guy has no time for his family or for himself! He gets too tired on a daily basis, and because of this, he is likely to make mistakes that can cost the bank money!
Oftentimes, storage isn’t given enough attention, but it can make or break the service level agreement (SLA) for your application response times. Understanding how to build a cost-effective, high-performance storage system can save you money not only in the storage subsystem, but in the rest of the system and as well as your entire organization.
Enterprise storage is a centralized storage system that businesses use for managing and protecting data. It enables data sharing through connectivity to various computers in a networked environment that includes UNIX, Windows and mainframe platforms.
Enterprise storage differs from consumer storage with respect to the size of the storage operations and also the technology used. When considering the implementation of an enterprise storage technology, enterprises should appraise the technology on four parameters. These include storage, backup, archiving, and disaster recovery. Together, these four constitute the major functions of an enterprise storage system and they impact both cost and performance.
There are a number of challenges faced by today’s enterprise as far as storage solutions are concerned, for instance, explosive data growth caused by concurrent requirement for historical, integrated, and granular data; requirement for alternative storage mechanisms so that infrequently used “dormant data” can be stored in a more cost-effective manner; enterprise business storage has to cater for an increasing number of users including data miners, explorers, departmental users, multi-dimensional users, power users, and executive users.
Enterprise business data storage plays a key role in ensuring that enterprise business intelligence is available to be leveraged at the most opportune moment and that discrete data silos are consolidated to provide an enterprise business intelligence infrastructure.
There are three basic storage system types. These are direct attached storage (DAS), storage area network (SAN) and network attached storage (NAS).
DAS is the basic building block on which SAN and NAS can be deployed. Thus, DAS which constitutes block-level storage dictates the performance of SAN and NAS and ultimately the entire enterprise storage environment. The host computer’s storage interface is connected to DAS. A data network is required so that computers other than the host computer can access DAS. The storage devices that are used to develop a DAS storage subsystem include SCSI (Small computer system interface), PATA (Parallel advanced technology attachment), SATA (Serial advanced technology attachment), SAS (Serial attached SCSI), FC (Fibre channel), Flash, and RAM (Random access memory). SANs offer greater functionality than DAS as they allow more than one host to connect to a single storage device at the block level. This enables server computers to systematically control the storage volume in a storage device. However, multiple clients cannot share a single volume. SAN offers a host of compatibility advantages with respect to applications. SAN technologies include iSCSI (Internet SCSI), FC, and AoE (ATA over Ethernet). NAS is essentially a file server that resides on top of SAN or DAS. NAS ensures Microsoft compatibility by using server message block (SMB) and network file system (NFS) for UNIX compatibility. Unlike SAN or DAS, NAS allows multiple clients to share a single volume. The drawback of NAS is that it does not offer compatibility with as many applications as SAN or DAS; this is because most applications run with a block-level storage device.
Looking at the different storage scenarios above, how then can an enterprise select the right storage alternative? Apart from the obvious need of storing data, an enterprise data storage solution has to fit the bill for many other requirements and these include protection against network security threats, backup plans, disaster recovery setup, and also compliance with legislations on the process of storing, managing, and archiving data. Data integrity and privacy are of special importance to especially healthcare and finance industry. This has however, overtime spread to other industries like the ICT, especially the telecoms and government agencies. When selecting an enterprise storage solution, you should focus on your organization’s long-term business goals and particular requirements. There are a number of factors you need to take into consideration and these may include: a) The amount and type of data and the performance as measured by Input/Output and throughput requirements b) Availability of reliable data for mission-critical applications c) Scalability requirements d) Budget availability e) Backup requirements and f) Recovery and business continuity requirements Enterprise storage usually consists of a mixed storage environment that includes DAS, NAS, and SAN.
In an enterprise with a small number of servers, DAS serves the purpose for localized file sharing. It also serves as the platform on which SAN and NAS are located; in this situation management and administration complexities are reduced because DAS can be managed through the network operating system of the attached server. A DAS calls for low initial investment. Additional storage capacity can be added as per requirement. The complexities of a networked storage are avoided. DAS also serves as a stop-gap arrangement for enterprises that wish to migrate to a NAS environment at a later date. After the transition to a networked storage, legacy DAS can still be used to store non-critical data.
NAS, which comprises both hard disks and management software, is used where a server-based infrastructure is insufficient to meet enterprise storage needs. NAS is used only for file-sharing; this means that the server can be used for application sharing. This separation of functionalities speeds up data access for multiple clients over the network. Enterprises being served with DAS can improve utilization of storage by incorporating NAS which enables
storage to be shared across multiple servers. In a NAS/SAN convergence, NAS offers reliability features such as RAID (Redundant Array of Independent Disks) and data protection features such as data replication and mirroring.
NAS is viewed as a value proposition that delivers high performance; it offers a strong case for business and ROI (return on investment) as a technology investment. Enterprises now focus on expanding NAS capabilities because it is scalable and offers high volumes of data storage in high density form, factors which conserves data center space. NAS systems can integrate into environments that may be running Windows, Mac and Linux workstations. This enables heterogeneous data sharing.
SANs are implemented for mission-critical applications. They constitute a dedicated and high performance network for data transfer between servers and storage devices. They operate in isolation from a LAN. Data in a SAN network is moved using Fiber Channel, which can transfer high volumes of data and facilitate instantaneous communication between workstations and mainframes. SAN is ideal where moving large chunks of data is the need; scenarios include database, image and transaction processing. Dynamic load balancing enables fast data transfer, and reduced latency. SANs ensure 24×7 data availability. This is the ideal data storage solution for such organizations like banks and telecom companies. In the East African region, these are implemented by Vodacom Tanzania, MTN Uganda, MTN Rwanda (implementing) Uganda Telecom, Zain, Standard Chartered Bank, CRDB Tanzania, K-Rep in Kenya, Uganda Revenue Authority, Umeme Ltd and many others. The only drawback to SAN is the price tag that comes with it.
You will note that there are a number of enterprise storage vendors today with state-of-the-art data storage solutions. These include NetApp, EMC, HP, Dell and so many others coming up. When you are deciding which vendor to choose, always consider a number of factors like; total cost of ownership, simplicity and ease of use, scalability, recovery time objectives and recovery point objectives. Considering today’s economic situation, most organizations are bent on lowering the operational costs to increase their profit margins, therefore the total cost of ownership is very crucial when selecting a type of storage solution you want to implement.
Also considering today’s data growth trends in organizations, storage requirements are becoming more every other day. No organization would wish to throw away a year’s investment in storage when upgrading. Therefore, organizations should consider implementing such solutions that ensure seamless scalability, avoiding a forklift kind of implementation that will eventually require retraining personnel to learn new processes and software commands that come with new operating systems, leading to more spending.
Having said all that, you should note that having the most efficient and effective storage system without proper security for your data exposes you to a greater risk of compromising it. In the next issues to come we shall talk about Data Security in a Data Center.