1 Defending your data against physical threats Facts and guidelines for Datacentre Security Management

Post on 21-Sep-2020


Physical security: a vital link in data centre defence

The exponential rise in data centres is matched only by the tandem rise in threats of malicious or accidental breaches. As business, consumer and user data is migrated to the cloud, the risks associated with a loss, theft or damage of data have the potential to cripple organisations. Most organisations recognise the need to defend their data against cyberattacks, but data centres and server racks are typically less well guarded against physical breaches – whether accidental or malicious.

So while valuable data may have several lines of digital defence, physical access to the cabinets and racks may be unmonitored and unprotected. In this white paper we will consider the rise of the data centre, the risks that businesses face from data loss, best practices in securing data against attack and business continuity, and how to ensure compliance with regulatory requirements.

Contents
New security challenges
Data compliance requirements – p. 5
Three layers of physical security – p. 6
12 data centre security tips – p. 8
Cost effective access control – p. 10

New security challenges for data centres
The data boom increases the need for higher security

New data centres are being built at a remarkable rate. The value of data centre construction contracts is estimated to reach $22 billion by 2019 [1]. More data centres, and therefore more data, means higher security risks.

And when security is breached, the costs to business can be astronomical. IBM estimates the average total cost of each data breach to be $3.79 million. The total cost of data breaches has increased by 23% since 2013 [2]. In addition to customer dissatisfaction, the cost of unprotected data includes business disruption, loss of brand equity, and fines and penalties levied for non-compliance with personal and commercial data protection legislation. Alongside the growth of data centres, the global colocation market is predicted to grow from $23 billion in 2014 to $37 billion in 2017 [3]. The EMEA market represents over 26% of the global market in terms of operational square feet [4]. As described in the following pages, colocation brings unique security and compliance challenges.

Colocation: shared space brings new security challenges
Colocation gives businesses the freedom to manage their own software and hardware in a controlled environment. But this growing trend also brings security challenges and has data protection implications for organisations that choose to co-locate. As more organisations (including potential competitors) share access to server rooms, there is an urgent need to prevent physical attacks and accidental damage by controlling access. A typical server room may receive visitors to carry out upgrades, make repairs, install new servers and conduct routine maintenance. Organisations can’t afford to ignore the risks of unauthorised personnel accessing their equipment and their data. And as the power and cost of servers increases, the liability associated with failure or loss grows. In addition, data centre facilities are often secured with mechanical locking systems, especially at server cabinet level, which can’t be monitored and controlled, making access management and physical protection of the data even more difficult.

[1] Research and Markets, October 2014
[2] Benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, May 2015
[3] 451 Research KnowledgeBase, Q1 2015
[4] Ibid.

Who is accessing your company’s most sensitive data? Where? When? And if someone without authorisation did, how would you know?

Data compliance requirements
Virtual protection

The pressure to safeguard data continues to grow. Legislation and security standards aim to protect businesses and the public from the significant risks associated with data breaches. One common theme uniting these standards and legislation is the requirement to control access to data.

European Data Protection Directive 95/46/EC
All organisations across Europe need to comply with this directive. There are plans in 2015 to unify data protection under a new single law, the General Data Protection Regulation (GDPR), which incorporates new guidelines for data protection and privacy. As a regulation and not a directive, it will have immediate effect on all 28 EU member states and may include fines of up to 1 million euros for non-compliance or 2% of gross global turnover, whichever is greater.

ISO
The ISO 27000 family of standards helps organisations manage the security of assets such as financial information, intellectual property, employee details and third-party information. ISO/IEC 27001 details requirements for information security management systems (ISMS).

OHSAS 18001
The Occupational Health & Safety Management System Standard ensures that data centres are safe and healthy environments. OHSAS 18001 requires that:
∙ Any risks to staff, visitors and contractors have been assessed
∙ Where necessary, controls are put in place to reduce the risk of harm to a minimum
∙ All national/local legal and regulatory health and safety requirements are met

Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002 (often shortened to SOX) was designed to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, and to improve the accuracy of corporate disclosures. Complying with SOX requires security controls to ensure the integrity of financial data.

PCI DSS: Payment Card Industry Data Security Standard
The PCI Data Security Standard (PCI DSS) helps organisations proactively protect customer financial information. The standard requires that access to system information and operations is restricted and controlled – both electronically and physically.

These are just some of the most important regulations guiding data centre security. The message is clear: organisations can’t afford to leave data security to chance.

The three layers of physical security
Physical protection

Data centres face unique challenges in securing both physical and digital assets. Whether a data centre supports a handful of clients or several thousand, it has a legal and commercial responsibility to safeguard data against loss and theft.

A robust security system can be considered as three layers moving inward from the facility’s perimeter to server rack level.

Perimeter defence
Perimeter security features control access to the building, ensuring that only authorised personnel can reach servers. Perimeter security may entail CCTV, high fencing and lighting, as well as high security integrated access control systems.

Server room access
Commercial-grade doors, frames and hardware defend against unauthorised access to server rooms. Security features should also be designed to withstand the elements in case of fire or flood. Doors may need to be rated for a number of hazards:
∙ Climate control and airflow
∙ Natural forces
∙ Blast and ballistic
∙ Fire
∙ Radio frequency (RF) shield
∙ Sound transmission class (STC)

Cabinet security
The repercussions of accidental or malicious access to server cabinets can be disastrous. A loss of sensitive data could be crippling, destroying hard-earned customer trust, damaging brand equity and generating substantial non-compliance penalties. Given the high stakes, it’s unsurprising that data managers are pushing for access control at the server rack level. In the event of a security breach, most organisations would want to know who had access to the server and when.

With an access control system at the door and server rack level, organisations have granular control over who can access data, as well as a complete audit trail of access.

Physical security is about more than simply restricting access to unauthorised users; it’s also about controlling and recording who has access and when.

Figure 1: Breaches by type of method. Source: Information Security & Data Breach Report, October 2014 Update, page 6

Type of method                Q2 2014   Q2 2013
Unauthorized Access/Use       26 %      16 %
Theft                         21 %      26 %
Public Access/Distribution    25 %      20 %
Loss                          3 %       7 %
Hacking                       25 %      26 %

The four non-hacking categories together make up 75 % of breaches in Q2 2014: physical breaches dominate. Unauthorised access and use have nearly doubled within one year.

12 data centre security tips
Is your data secure against all forms of attack? This is what you can do to increase protection.

1. Seek senior buy-in. Without the support of senior management it can be difficult to adequately implement the policies and procedures to safeguard data.
2. Aim for complete enterprise access control. Choose a complete access control solution that will meet your organisation’s long-term needs.
3. Utilise the latest technology. New technologies such as Power over Ethernet (PoE) and wireless can reduce costs and improve ROI. Rack-level security can save floor space and reduce the need for additional cabling.
4. Educate the entire team. The greatest threat to your data comes from within. By taking the time to educate your team you can ensure that everyone works together to protect data.
5. Identify all assets that require protection. Do you need to control access to a data centre, a server room or individual cabinets?
6. Define users and access levels. Identify which employees require access to sensitive data. While it’s important that only valid users are given access, it’s also vital that employees are able to continue their work without interruption.
7. Provide reliable power. Design redundancy into everything related to the data centre, from transfer stations to uninterruptible power supplies, to ensure sufficient power is always available.
8. Ensure secure locations. Choose a location with minimal risk of environmental, social or political threats. If you maintain a separate recovery site, it should be located at least three hours from your primary site.
9. Analyse every component of your security. Meet with key stakeholders from IT, security and facilities to discuss each department’s challenges and concerns.
10. Create a policy for exceptions. Decide how you will deal with exceptions and the need to grant temporary access, so that you have a defined procedure in place.
11. Design for success as well as compliance. While complying with regulations is essential, it’s also vital that security and safety measures support your business operations and provide access to IT when it is required.
12. Identify your facility manager early. Identify your facility manager and define how they fit within your organisation. Include them in security discussions and plans, both long-term and day-to-day.
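The cabinet security passage on page 6 (granular control over who can open a rack, plus a complete audit trail) and tip 10 above (a defined procedure for temporary access) describe the same mechanism: every access decision is made against an explicit grant and is recorded, so that "who had access to the server and when" can be answered afterwards. The Python model below is an added illustration and is not code from the white paper or from ASSA ABLOY. The layer names follow the paper; the credential and target identifiers, the grant format, the eight-hour session window, and the rule that a cabinet request from a credential with no recorded entry at the enclosing room is refused are assumptions made for the example. It goes slightly beyond the text by treating the three layers as nested, so an inner request is checked against the outer layers' audit trail.

```python
"""Rack-level access control with temporary exceptions and an audit trail.

Added illustration of the paper's three-layer model; not the vendor's code.
Topology, identifiers and events are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Enclosing layer of each protected target, outermost first
# (perimeter -> server room -> cabinet), as the paper describes. Constructed.
PARENT = {"perimeter": None, "room-A": "perimeter", "rack-17": "room-A"}


@dataclass
class Grant:
    credential: str
    target: str
    expires: Optional[datetime] = None   # None = standing right; datetime = temporary exception


@dataclass
class AccessEvent:
    when: datetime
    credential: str
    target: str
    granted: bool
    reason: str


class AccessControl:
    """Evaluates access requests against grants and keeps an audit trail."""

    SESSION = timedelta(hours=8)   # assumed: how long a recorded outer-layer entry stays valid

    def __init__(self, grants):
        self.grants = list(grants)
        self.audit = []

    def grant_temporary(self, credential, target, now, hours):
        """Tip 10: an exception is an explicit, time-boxed grant, not a shared key."""
        self.grants.append(Grant(credential, target, now + timedelta(hours=hours)))

    def _grant_reason(self, credential, target, now):
        """Return why access is allowed, or None if no valid grant exists."""
        for g in self.grants:
            if g.credential == credential and g.target == target:
                if g.expires is None:
                    return "standing grant"
                if now < g.expires:
                    return "temporary grant until %s" % g.expires.isoformat()
        return None

    def _entered(self, credential, target, now):
        """True if the credential was granted access to `target` within the session window."""
        return any(e.credential == credential and e.target == target and e.granted
                   and now - self.SESSION <= e.when <= now for e in self.audit)

    def request(self, credential, target, now):
        reason = self._grant_reason(credential, target, now)
        granted = reason is not None
        if not granted:
            reason = "no valid grant for %s" % target
        # A credential that never passed the enclosing layer is suspicious
        # (tailgating, a propped door, a cloned card): refuse and record it.
        parent = PARENT.get(target)
        if granted and parent is not None and not self._entered(credential, parent, now):
            granted, reason = False, "no recorded entry at %s" % parent
        self.audit.append(AccessEvent(now, credential, target, granted, reason))
        return granted

    def who_accessed(self, target):
        """The paper's question: who had access to this rack, and when."""
        return [(e.when, e.credential) for e in self.audit if e.target == target and e.granted]

    def denials(self):
        return [e for e in self.audit if not e.granted]


def run_demo():
    """One constructed day of events for a contractor and a staff member."""
    t = datetime(2015, 10, 1, 9, 0)
    ac = AccessControl([
        Grant("contractor-42", "perimeter"), Grant("contractor-42", "room-A"),
        Grant("staff-07", "perimeter"), Grant("staff-07", "room-A"), Grant("staff-07", "rack-17"),
    ])
    ac.grant_temporary("contractor-42", "rack-17", t, hours=4)       # exception for a repair job
    ac.request("contractor-42", "perimeter", t)
    ac.request("contractor-42", "room-A", t + timedelta(minutes=5))
    ac.request("contractor-42", "rack-17", t + timedelta(minutes=10))  # granted via the exception
    ac.request("staff-07", "rack-17", t + timedelta(hours=1))          # refused: no room-A entry recorded
    ac.request("contractor-42", "rack-17", t + timedelta(hours=5))     # refused: exception expired
    return ac


if __name__ == "__main__":
    ac = run_demo()
    for when, who in ac.who_accessed("rack-17"):
        print("rack-17 opened by %s at %s" % (who, when.time()))
    for e in ac.denials():
        print("REFUSED %s at %s (%s): %s" % (e.credential, e.target, e.when.time(), e.reason))
```

Running the file lists the one legitimate opening of rack-17 and the two refusals: the staff card that reached the cabinet with no recorded room entry (the kind of event a real-time notification should raise for investigation) and the contractor's expired exception. In a live deployment the events would come from the access control system's own log rather than be constructed in run_demo.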

Cost effective access control for data centres

A mechanical master key system is expensive to run, due to secure key management costs and a lack of flexibility in changing user rights. Losing a master key means replacing mechanical cylinders and keys right across your facility. There’s no shortcut.

So what’s the solution?
Aperio® technology from ASSA ABLOY complements new and existing electronic access control systems. Aperio® provides a simple, intelligent way to upgrade the controllability and security level of your premises. With Aperio®, you can secure the perimeter, the server room and your server cabinets, fully integrated with your access control system, adding access management and audit trail capabilities to almost any door opening.

Racks are the last line of defence against physical access to IT equipment and data, but are often left unmonitored. The Aperio® KS100 Server Cabinet lock helps address the security needs of data centre and colocation facilities by providing real-time access control to individual cabinet doors in a single card system. KS100 allows you to deploy real-time notifications that report, manage and notify rack-level security breaches.

KS100 features
Locking status: Unlock, Lock, Temporary Unlock
Compliance: Complies with Data Protection obligations
Credentials: Can be used with existing high frequency RFID credentials*
Improved monitoring: Access to authorised users, provides audit trails, real-time monitoring
Power supply: Power over Ethernet or external power supply

Aperio® KS100 system integration

Access control system (EAC)
LEVEL 1: PERIMETER DEFENCE – Wired security entrance door
LEVEL 2: SERVER ROOM ACCESS – Online door, wireless and without modification to doors: add doors to your EAC system with battery powered Aperio® locks, escutcheons or cylinders. Communication hub: connects up to 8 devices to the EAC system, range 15 – 25 m.
LEVEL 3: CABINET SECURITY – Server rack, powered over Ethernet: add cabinets, racks and drawers to your EAC system with Aperio® KS100.

Costs caused by physical breaches are about 50% higher than those caused by virtual breaches.

Figure 2: Costs caused by breaches by type of method. Source: Information Security & Data Breach Report, October 2014 Update, page 7

Type of method                Cost
Loss                          $ 741,590
Hacking                       $ 7,687,617
Public Access/Distribution    $ 2,408,070
Theft                         $ 4,543,901
Unauthorized Access/Use       $ 3,782,169
Physical breaches (total)     $ 11,475,730

59.9% of costs are caused by physical breaches.

ASSA ABLOY is the global leader in door opening solutions, dedicated to satisfying end-user needs for security, safety and convenience.

www.assaabloy.com/aperio

We reserve the right to make technical modifications. Version: WP APERIO KS100 10 2015 ENG UK

ASSA ABLOY Access Control, Willenhall, West Midlands, WV13 3PW, United Kingdom. www.assaabloy.co.uk/aperio

As the world’s leading lock group, ASSA ABLOY offers a more complete range of door opening solutions than any other company on the market. In the fast-growing electromechanical security segment, the Group has a leading position in areas such as access control, identification technology, entrance automation and hotel security. Since its formation in 1994, ASSA ABLOY has grown from a regional company into an international group with around 47,000 employees and sales of more than SEK 53 billion.

“Wireless locking evolution for online and offline door control.” Aperio® is a new technology developed to complement new and existing electronic access control systems. It provides end users with a simple, intelligent way to upgrade the controllability and security level of their premises.