Processor ®

Tech & Trends

General Information
December 4, 2009 • Vol.31 Issue 29
Page(s) 35 in print issue

Data Center Access Policies
Policies & Best Practices Can Vary By Enterprise But Have Many Common Elements

Key Points

• More stringent laws, regulatory requirements, and industry standards necessitate formal strategies and policies for data center physical security and access controls.

• Policies must identify who has access and where they are allowed, as well as restrictions on movements and activities within the facility. Access policies and physical security practices need to be verifiable (by logs and surveillance) and auditable.

• For greater security and accountability, computer rooms should be partitioned by either equipment function (server racks, network control, facilities) or system sensitivity or criticality (high security/high availability vs. minimum security/non-critical).

Humans are the weakest link in any security scheme. Security professionals can do their best to protect systems with layers of anti-malware, personal and network firewalls, biometric login authentication, and even data encryption, but give a good hacker (or computer forensics expert) enough time with physical access to the hardware, and there’s a good chance they’ll break in. Thus, robust physical access controls and policies are critical elements of any comprehensive IT security strategy.

According to a report by the SANS Institute, “IT security and physical security are no longer security silos in the IT environment; they are and must be considered one and the same or, as it should be called, overall security.”

It is the innermost layer—physical entry to computer rooms—over which IT managers typically have responsibility, and effective control over human access at that layer rests on a set of policies, procedures, and enforcement mechanisms.

Policy Basics

Given their importance and their ramifications for employees, access policies must come from the top leadership. According to Kevin Beaver, independent consultant at Principle Logic, “The essence of a good policy is to make it clear ‘this is how we do things here.’”

After setting expectations and behavioral ground rules, actual data center access policies have several common elements. The most essential are definitions of various access levels and procedures for authenticating individuals in each group and their associated privileges and responsibilities when in the data center.

A policy template developed by Info-Tech Research Lead Analyst Darin Stahl calls for a simple distinction between employees, contractors, and visitors. A more granular refinement, which Stahl prefers and sees becoming increasingly common, is a categorization between employees with unfettered, unescorted access to the entire data center; those who have uncontrolled access to certain portions (such as a server room or cage of racks within the room vs. the network control center); and those requiring escorts.

Although older data centers typically just consisted of a large, unpartitioned raised-floor area, Stahl says newer enterprise facilities have taken a page from ISP designs by dividing the space into various zones—for example, a cage for high-availability servers, another area for Tier 2 or 3 systems, a dedicated network control room, and even separate areas for facilities infrastructure such as PDUs and chillers. Such partitioned data centers provide control points for denying access to personnel with no responsibility for equipment that’s in them.

Identification Procedures

The next step in a physical security policy is to set up controls and identification procedures for authenticating data center users and granting them physical access. Although biometric scanners look flashy in the movies and certainly provide an added measure of security, Stahl says a magnetic stripe badge reader is still the most common entry technology, as it’s simple, cheap, and effective and allows automated logging, which is a necessary audit trail.

One problem with mag readers, according to Stahl, is their susceptibility to tailgating, or allowing unauthorized personnel to trail a colleague through an entryway. That’s why Stahl advises supplementing doors and locks with recorded video surveillance.

Peter Sacco, president of PTS Data Center Solutions (www.ptsdcs.com), also likes to add a form of two-factor authentication to entry points by coupling a card reader (“something you have”) with a PIN pad (“something you know”), which reduces the risks of lost cards. Like Stahl, Sacco recommends using time-stamped video surveillance in conjunction with electronic access logs, but he also suggests adding a sign-in sheet to provide a paper trail.

Access levels and controls, with identification, monitoring, and logging, form the foundation of an access policy. But two other major policy elements are standards of conduct and behavior inside the data center (such as prohibitions on food and beverages or tampering with unauthorized equipment) and limitations and controls on the admission of personal electronics such as USB thumb drives, laptops, smartphones, or cameras.

Policies should also incorporate processes for granting access or elevating restriction levels, an exception process for unusual situations, sanctions for policy violations, and standards for reviewing and auditing policy compliance. Stahl cautions that penalties for noncompliance will vary from company to company because they must reflect each enterprise’s specific risk tolerance, corporate culture, local employment laws, and union contracts.

Relevant Regulations & Standards

An overriding issue for IT managers designing access controls, Stahl says, is “understanding just what regulations or compliance requirements you face.” Yet these have become so prevalent that IT managers need not start with a blank slate when designing a set of policies. For example, section 9 of ISO/IEC 27002:2005 includes guidelines on security perimeters, entry controls, and work rules. “The ISO/IEC 27002:2005 standard is the one that I recommend,” says Beaver.

The PCI DSS (Payment Card Industry Data Security Standard) also includes a lengthy section (also section 9) on physical security, which, Stahl says, is a “very practical, tactical, and actionable” starting point that meets at least 80% of most enterprise needs. One nice feature of the PCI DSS is that, in addition to outlining specific requirements, it adds corresponding testing and auditing procedures. Stahl says that any enterprise could use PCI as a baseline, augmenting it as needed to meet business-specific requirements.

The ability to test and validate access policy compliance is important, and Stahl recommends integrating physical security audits with existing IT audit processes. “Auditors can be your friend,” he says, noting that independent third parties are the best way to establish policy compliance.
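As an added illustration (not from the article or the Info-Tech template), the sketch below audits a badge-reader export against an access list that uses the three access tiers described earlier: full, zone-limited, and escort-required. The badge IDs, zone names, log format, and 60-second escort window are all constructed assumptions; reader logs alone cannot show tailgating, which is why the article pairs them with video.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed access list: badge -> (level, zones). Levels mirror the three
# tiers in the article: "full" (unescorted, all zones), "zone" (unescorted,
# listed zones only), "escort" (must be accompanied).
ACCESS_LIST = {
    "B100": ("full", set()),
    "B200": ("zone", {"tier2-cage"}),
    "V900": ("escort", set()),
}
# Constructed badge-reader export: timestamp, zone, badge (granted entries).
SAMPLE_LOG = """\
2009-12-01T08:00:05,ha-cage,B100
2009-12-01T08:00:20,ha-cage,V900
2009-12-01T09:15:00,ha-cage,B200
2009-12-01T10:30:00,network-control,V900
2009-12-01T11:00:00,tier2-cage,B777
2009-12-01T11:05:00,tier2-cage,B200
"""
ESCORT_WINDOW = timedelta(seconds=60)  # assumed policy value

def can_escort(entry, zone):
    # An escort must personally hold unescorted access to the zone.
    if entry is None:
        return False
    level, zones = entry
    return level == "full" or (level == "zone" and zone in zones)

def audit(log_text, access_list=ACCESS_LIST):
    # Return (timestamp, badge, zone, reason) for every entry that breaks policy.
    rows = [(datetime.fromisoformat(t), zone, badge)
            for t, zone, badge in csv.reader(io.StringIO(log_text))]
    findings = []
    for when, zone, badge in rows:
        entry = access_list.get(badge)
        if entry is None:
            findings.append((when.isoformat(), badge, zone, "not on access list"))
            continue
        level, zones = entry
        if level == "zone" and zone not in zones:
            findings.append((when.isoformat(), badge, zone, "outside permitted zone"))
        elif level == "escort" and not any(
                z == zone and abs(w - when) <= ESCORT_WINDOW
                and can_escort(access_list.get(b), zone) for w, z, b in rows):
            findings.append((when.isoformat(), badge, zone, "no escort badge read"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

Each finding is a lead for review against the time-stamped video and sign-in sheet, not proof of a violation on its own.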

Although PCI, SAS, ISO, and various templates such as Info-Tech’s can provide general guidelines, Beaver feels that, ultimately, access policy must reflect situations unique to each business. “The best advice I can give is to find out where you’re weak first,” he says. “Putting policies and procedures in place without first understanding what you’re up against is simply going through the motions and is not sustainable long term.”

by Kurt Marko


Suggested Elements Of A Data Center Access Policy

IT security is as much about physical security as it is about network and application security. Controlling physical access to the enterprise data center is critical in protecting the data and information contained inside.

Info-Tech has developed a set of requirements and procedures based on industry-standard best practices that can be customized to better suit specific company needs.

Levels Of Access

Authorized access. The data center is physically secured by a card-reader door lock and monitored 24/7 by building security. Additionally, recorded video surveillance is conducted through the security cameras placed within the server room. Card-reader access is available to the server room on a 24/7 basis for authorized employees. A listing of currently authorized staff is kept in a Data Center Access List.

Vendor access. A listing of currently approved vendors is kept in the Approved Vendor Access List. All included vendors have been authorized for access based on job-related need. The need for continued authorization will be reviewed no less than quarterly. While onsite, vendors must wear their identification badges at all times. Vendors with approved access to the data center are required to identify themselves and sign in/out of the data center using the Site Access Log.

Visitor/guest access. In general, casual visits and/or tours of the data center are not allowed. However, approval of a tour or casual visit may be granted. Requests for a visit or tour of the data center must be preapproved by the VP Finance. ID and sign-in requirements are the same as for vendors; in addition, visitors must be escorted at all times.

Conduct In The Data Center

In order to maintain a secure, safe environment, it is mandatory for all persons working within (and visiting) the data center to adhere to a set of rules covering use of cameras, mobile phones, other electronic equipment, food and drink, and general behavior.

Monitoring & Audit

Data center access is controlled and monitored by various subsystems (reader door lock system, video surveillance cameras, etc.) that produce access records. All data center access records are subject to retention requirements and auditing.

Source: “Info-Tech Research Document Template”; July 2009.


Copyright © by Sandhills Publishing Company 2010. All rights reserved.