Scribd
Upload
30 views24 pages

Session 3

Physical security addresses countermeasures to protect physical resources through design, implementation, and maintenance. This includes threats from natural disasters, human threats like theft, and environmental exposures. Key aspects of physical security for data centers include access control through barriers, compartmentalization, authentication methods, environmental controls like temperature and power redundancy, alarm systems, and handling of storage media. Regular audits help ensure all physical security controls are implemented and working as intended.

Uploaded by

Mohit Rathour
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
30 views24 pages

Session 3

Physical security addresses countermeasures to protect physical resources through design, implementation, and maintenance. This includes threats from natural disasters, human threats like theft, and environmental exposures. Key aspects of physical security for data centers include access control through barriers, compartmentalization, authentication methods, environmental controls like temperature and power redundancy, alarm systems, and handling of storage media. Regular audits help ensure all physical security controls are implemented and working as intended.

Uploaded by

Mohit Rathour
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 24

Physical Security

• Physical security addresses design,


implementation, and maintenance of
countermeasures that protect physical
resources of an organization.
• Physical security is as important as logical
security
Physical Threat Scenario
Man-made Ambivalent Acts of God

Shoulder surfing Fire Earthquake

Dumpster diving Smoke/Fumes Volcano

Bombs and band Explosions Tsunami

Pilferage Theft Water logging Flood

Espionage Flight crash Strom


Physical Security Aims

Deter Demonstrate ostensible strength


Delay Buy in some time for further actions
Detect Find out precisely what is the threat
Assess Analyze nature and impact of threat
Respond Activate the well-planned countermeasure
Data Centers
• Is a facility to house an organization’s critical
systems. These systems are made up of
computer hardware, an operating system and
applications.
Defense in Depth
• Outside - Fence, walls doors…
• Barriers
– Natural – Hills, ponds, hedge, spiny shrubs….
– Artificial -Walls, doors, grills, top guard, bollards,
turnstile or baffle gate
• Compound –
– 1 meter- deter the casual trespasser
– 2.5 meter- delay the determined intruder
• Compartmentalized access
– Highest security for the most sensitive data.
Neighborhood and Environment
• Review data center building orientation,
signage, neighborhood characteristics and
exterior lighting to identify facility related risks
• Building Orientation
– How far from the boundary
– Are there barriers
– Floor
• Signage : Should be anonymous, Security
through obscurity
• Neighborhood –
– Who are the neighbors,
– Are they in close proximity
– What sort of business they do
• Research the data center location for natural
and environmental hazards and to determine
the distance to emergency services
– Floods, severe weather and transportation related
accidents can destroy or severely damage a data
center.
• Flood Elevations – Single storey data center
that is 5ft or so above ground
• Weather and Earth Movement Threats
• Transportation related Hazards – Planes (do
crash), trains (derail), automobiles
• Local Crime Rate – High crime area there is
higher risk of theft and other crimes
• Proximity to Emergency Services – Police
stations, hospitals and fire-stations
Physical Access Control
• Review exterior doors and walls to determine
if they protect data centers facilities
adequately
– Walls, doors, windows
– Raised floors and drop ceilings (ventilation ducts
and power and network cables)
– Man Traps (Two locking doors with a corridor)
Walls & Doors
• Strong wall, resting on real floor, reaching the real
ceiling
• Access Points – Passage, AC conduits, Cabling ducts…
• Doors / Gates
– Lesser in number, better the control
– Walls of core areas not exposed from outside
– Opening inward/outward
– Lights on doorways
– Fire exits with push-bars
– Locks and Mantrap
Windows
• Grill Size
• Acrylic /polycarbonate Glass
• Wired glass
• Sun-film/tinted film
• Breakage Sensors
• Breakage Alarms
Man-traps
• Small enclosure that has entry point and
different exit point

• Individual enters mantrap, requests access, and


if verified, is allowed to exit mantrap into
facility

• Individual denied entry is not allowed to exit


until security official overrides automatic locks
of the enclosure
Environmental Exposures
• Heat, Ventilation, AC, (HVAC) Power, Gas, Water ……
• Fire suppression systems – Dry /Wet pipes
– Until recently, two types of systems: carbon dioxide and Halon
– Carbon dioxide robs a fire of oxygen supply
– Halon is clean but has been classified as ozone-depleting substance; new installations are
prohibited
– Alternative clean agents include FM-200, Inergen, carbon dioxide, FE-13 (trifluromethane)
• Regular inspection by fire department
• Fireproof walls, floors and ceilings
• Electric surge protectors – Spikes
• UPS and DG sets or modular capacities with diesel stock
• Prohibiting eating, drinking and smoking in server room
• Documented and tested emergency evacuation plans.
Environmental Control
• Verify that heating, ventilations and air conditioning systems
maintain constant temperatures within the data center
• Exterior Lighting – Proper lighting deters crime and loitering
around the facility.
– Continuous : Normal lighting
– Trip : Light trips ON, induced by sensor
– Standby : Extra lights as compensatory control
– Emergency : Battery supply ON, when main goes OFF
• Power Continuity
– Two or more power stations
– Ground to earth
– Battery backup system (UPS)
– Generators
Alarm Systems
– Physical intrusion
– Risk of fire
– Water Alarm
– Humidity alarm

• Surveillance Systems
Handling storage media
• Encrypt the backup files
• Planned verification and duplication
• Disposal of media
• Equipment sent for maintenance
• Storage records
– Identifier for each storage medium
– Location identity of the storage medium
– Name of the operator who has the ultimate responsibility for a particular
storage medium
– File stored on the medium
– Authorized persons to access the storage medium
– Date of purchase of the medium
– Access history of the medium
– History of the read and write errors.
Access to systems
• Identification, Authentication, Authorization,
Accountability.
• Evaluate physical authentication devices.
– Card-key readers
– Biometric devices
– Traditional key locks
Biometric types Response time Accuracy

Iris Scan 1-2 High

Hand geometry 3-5 High

Retina Scan 4-7 High

Finger Print 5-7 High

Voice Recognition 10-14 Low

Face Recognition 5-7 Mid

• Access to Data
– MAC, DAC, RBAC ….
• Should check device logs for information like
– user identification
– time and place of the access attempt
– Success or failure of the access attempt
Summary
• Threats to information security that are unique to
physical security
• Key physical security considerations in a facility site
• Physical security monitoring components
• Essential elements of access control
• Fire safety, fire detection, and response
• Importance of supporting utilities, especially use of
uninterruptible power supplies
• Countermeasures to physical theft of computing devices
CHECKLIST
Contr
Compli Recomm
Control Control Control Type of ol Comme
Requirement Controls Evidence Findings ant ended
Category No. Owner Control Effici nts
Status Control
ency

Whether User
IDs are granted
Naming
in a unique
CO8 IT Team Preventive convention
format?
Document

Does anyone
have admin
CO9 rights to the IT Team Preventive Evidence
Enforcing the security
mission critical
and adequacy of user
systems?
access across systems
and applications is a Logical
key activity to assess access
and lower those risks. How are admin
control rights granted
Hence it is great need
of verification of all CO10 to the users to IT Team Preventive Evidence
logical access controls mission critical
systems?

Are appropriate
approvals taken
before providing
admin access to
CO11 IT Team Preventive Approvals
the users to
mission critical
systems?
Audit Objectives
• Test of Physical construction
• Test of Fire-Detection System
• Test of Access Control
• Test of backup Power supply
• Test if procedures for storage media handling
are followed, logs are maintained, if storage
media found lying around, unattended find out
the contents, verify process for media disposal
Data Center - Security and Risk Management
• https://www.youtube.com/watch?v=8g0NrHE
xD3g
Checklists (Internal controls questionnaire)

• Fire Hazards ,Water and air conditioning


• Power supply, Communications networks
• Access control, secure media handling
• Visitor control, Terminal security

You might also like