Locking Down the Data Center of Tomorrow By Kevin Beaver, CISSP Founder and principal consultant - Principle Logic, LLC 4430 Wade Green Rd., Suite 180.
Locking Down the Data Center of Tomorrow
By Kevin Beaver, CISSP
Founder and principal consultant - Principle Logic, LLC
4430 Wade Green Rd., Suite 180, Kennesaw, GA
Copyright © 2003, Principle Logic, LLC, All Rights Reserved.

Kevin Beaver
• Information security consultant, author and trainer
• 15+ years of IT/security experience
• Specializes in security incident response, security assessments, network security, and security policy and strategy development
• Author of the upcoming book Ethical Hacking for Dummies by John Wiley and Sons
• Co-author of the new book The Practical Guide to HIPAA Privacy and Security Compliance by Auerbach Publications
• Author of the new book The Definitive Guide to Management and Security by Realtimepublishers.com
• Regular columnist and information security/HIPAA advisor for SearchSecurity.com, SearchMobileComputing.com, ITSecurity.com, and HCPro’s Briefings on HIPAA newsletter
• Holds CISSP, MCSE, MCNE and IT Project+ certifications
• Bachelor’s in Computer Engineering Technology from Southern Polytechnic State University and Master’s in Management of Technology from Georgia Tech

What We’ll Cover
• Current state of data center security
• The convergence of information and physical security
• Security technologies and practices required for the successful convergence of physical and information security
• Skills required of security professionals
• What to expect in the coming years
• Resources

Current State of Data Center Security
• Where everything security related comes together
  – Network, applications, physical
• Enable consolidation of information systems management and security within a controlled environment
• Heightened sense of criticality since 9/11
• There’s a lot of good security, but there’s also a lot of bad
  – Not necessarily as secure as they claim to be

What is Physical Security?
• Protection of people and physical property
• Traditional physical security involved guards, locks, keys, etc. – this is changing
• Physical security in buildings, including data centers, is becoming increasingly dependent on technical systems for control and monitoring

Physical and Information Security Risks
• Increase in insider threats
• Someone walking off with a laptop, server, software installation disks, etc.
• Malicious outsider gaining access to the data center
  – To obtain passwords
  – To install a network analyzer
• Malicious insider gaining access to CDs, tapes, hard copies of network diagrams or password lists

Past Paradigm
• Security to protect corporate assets is technology based
  – Firewalls
  – Intrusion detection
• Security systems typically found in discrete areas – not across the organization
• Different security departments doing different things
  – Has resulted in various inconsistencies in meeting security policy requirements

…Past Paradigm
• Security has been seen as a roadblock to overall organization effectiveness in the past
  – Both physical and information security can be combined and now seen as a business enabler supporting the organization’s mission and goals

Physical Security, meet Information Security
• Data center security is more than just protecting IT assets
  – We’re now moving towards protecting enterprise assets
• The most valuable corporate assets are virtual
  – Electronically and in the minds of employees
• Many corporate assets are housed in critical data centers
• Physical security is established and mature for the most part
  – Information security is still in its infancy

…Physical Security, meet Information Security
• There are emerging governmental requirements forcing the collaboration of physical and information security
• Security management of the data center continues to be fragmented
• After many years of separation and strife, the two practices are coming together – especially in the data center environment

Similarities
• The goal of both is to keep the bad guys out and the “good” guys honest
• Each one uniquely contributes to the organization’s bottom line
• Both require:
  – Identification of assets
  – Classification of assets
  – Assessment of risks
  – Implementation of countermeasures
  – Incident response expertise

Demands of Physical and Information Security
• An ever-increasing skill set required for security leaders, managers and doers
  – Keeping up with the latest technologies
  – Understanding how to effectively respond to incidents
• Money
• Technology and computers
• Effective policies and procedures
• Layered protection – defense-in-depth

…Demands of Physical and Information Security
• Authorization – need-to-know basis
• Authentication
• Accountability
• Audit
• Destruction policies and procedures
• Ongoing awareness
• A good balance of security vs. convenience
• Both (especially infosec) are requiring stronger ties with law enforcement than ever before

You Must Find a Balance
• If you have a network that’s secure but a data center building that’s not
• OR
• If you have a data center building that’s secure and a network that’s not
  – They will defeat the purpose of each other

The Simple Truth
• Need more than just a guard and locked doors
• Need more than just firewalls and IDSs
• Security must be tightly integrated with every organizational function
• You can’t force the two different departments to work well together – must give business reasons and incentives
• Must balance the requirements of both physical and information security

Where We’re Headed
• Decentralization of data centers and corporate assets
• Tighter integration between physical and information security equipment
• The design goals of newer technologies will help support convergence of physical and information security
• Systems will be easier to use, making data center technology implementation, collaboration and change management simpler

…Where We’re Headed
• The convergence of the two types of security will help further the information security cause
  – Management has always bought into physical security
  – It’s now becoming more apparent that information security is a critical element as well
• Smaller computing devices such as PDAs, 1U servers, cell phones and laptops are just getting smaller, leading to more physical security issues
  – Nanotechnology devices both inside and associated with data centers are increasing the demand for physical and information security convergence

…Where We’re Headed
• Prevention vs. protection
• Increased responsibilities on everyone’s part
• Reduced costs, but possible increase in risks

Emerging Trends
• Enhanced biometric systems
• Increase in the number of uses of biometrics to facilitate both physical and information security in the data center
• Increased usage of identity management solutions
• Perimeter control has been – and will be even more so – the job of both physical and information security professionals

…Emerging Trends
• Need for greater physical and information security of wireless components within data centers
• Storage and management issues associated with RFID data
• Defense-in-depth will be even more important

…Emerging Trends
• Enhanced monitoring
  – Power, air and server conditions
  – Access controls
• Will require more human involvement
  – In the form of awareness, policies and procedures
• Increased use of temp/contract workers
  – Need to include these people in security policies and procedures

…Emerging Trends
• Open Security Exchange (OSE)
• OSE-compliant products from vendors
• More data center involvement from large vendors
• Development of data center education initiatives by the Association for Computer Operations Managers (AFCOM) and Marist College
• Overall the merger of the two will have a huge impact on organizations, employees, users and the industry as a whole

CSOs of the Future
• CSOs manage data centers among other things
• Role is still being defined
• Need a strong leader in this role
• Business and technical expertise
• Must build relationships with business managers
• Has authority within the organization to create and enforce security policies

…CSOs of the Future
• Ability to influence a security-aware culture in and around the data center
• See CSO Magazine’s State of the CSO report for more insight –

A Few More Tips
• A security-aware culture will buy your data center more protection than all other efforts combined
• Policies and procedures should be integrated between physical and information security systems for the data center whenever possible
  – With management support, of course

…A Few More Tips
• CISO and IT-only types may only be interested in information security
  – If so, s/he might not be the best fit for a CSO or director of data center security position
• A wise security officer (physical or information) will stay abreast of both
• If you’re not sure about the physical security, contact some experts on it

Resources
• Open Security Exchange –
  – Physical Security Bridge to IT Security (PHYSBITS) Framework
• AFCOM –
• ISC2 Certified Information Systems Security Professional (CISSP) and ISSAP concentration –
• ASIS Certified Protection Professional (CPP) –
• CSO job description –

Resources
• CSO job description –
• Physical security tips –

Closing Thoughts
• The physical security market is very strong now and it will take time for the two areas of security to successfully merge
• It will be impossible to ensure solid information security of the data center without the proper physical security controls – and vice versa
• It’s essential to ensure that data is available after a disaster
  – This can only be possible when information and physical security systems and personnel work together

…Closing Thoughts
• Security initiatives driven from the bottom up usually aren’t effective
• Haphazard combination of physical and information security can cause more problems than it solves
• A more secure data center can increase customer comfort level, helping to maintain customers and even drive more business

Questions?
You can submit your questions to Kevin by clicking on the Ask a Question link on the lower left corner of your screen.

Thank you
Thank you for participating in this SearchSecurity.com webcast. If you have comments or suggestions for future webcasts, please e-mail the moderator at