Meeting the Increasingly Complex Challenge of Data Center Security
Paul Vaccaro / Intel IT Data Center Technologist and Strategy
Forrest Gist, P.E. / IDC Architects, Global Technology Lead, Integrated Security and Emergency Preparedness
Copyright © 2013, Intel Corporation. All rights reserved.
Legal Notices
This presentation is for informational purposes only. INTEL MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products.
For more complete information about performance and benchmark results, visit www.intel.com/benchmarks
Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries. Copyright © 2013, Intel Corporation. All rights reserved.
Introduction
Paul Vaccaro
IT Data Center Strategy and Technology
Forrest Gist, P.E.
Global Technology Lead, Integrated Security and Emergency Preparedness
Intel Global Strategy
Use our unmatched employee talents, manufacturing, technology, and brand strength to:
Grow PC and Datacenter business with new users and uses
Extend Intel Solutions to win in adjacent market segments
Create a continuum of secure, personal computing experiences
Care for our people, the planet, and inspire the next generation
Intel Security Structure
Legal & Corporate Affairs – Reports to CEO
Corporate Services – Technology and Manufacturing Group
Information Technology – Reports to CFO
Chief Security and Privacy Officer (CSPO)
Groups with responsibility for Corporate Security Policy and Enforcement
Copyright 2013 CH2M HILL
Our World is Changing
Data Center Security
Past Focus: Protect data center facility and structure
Outsider threats
Present and Future Focus: Layered security
‘Agile’ security system
Respond to both known and unknown threat vectors
Security: A Balancing Act
(Source: Intel Corporation, 2012)
Balancing Interests
Scale labels: OPEN ACCESS, reasonably protected, LOCKED DOWN
Assets should be fully protected
Controls increase cost and constrain use of data and systems
Setting the Stage: Security Considerations
SECURITY PROGRAM ELEMENTS
Threats
Policies and Procedures
Layers of Security
Value of Assets
Security Culture
These apply for both physical and cyber security.
Threats
Different security systems required for various threats
The more dangerous the threat, the more critical the required security system
Helps set direction for security program
Threat Activity and Probability
Existence: Is the adversary present?
Capability: Does the adversary have resources to achieve undesired event?
Intention or History: Does adversary have intention or history?
Selection: Has the adversary selected the facility?
Regulation Drives Security
All aspects of security have considerations based on regulatory requirements.
Healthcare
Utilities
Finance
Critical Infrastructure
Components of a Successful Security Program
Security Program Elements
Operational
Policies and Procedures
Communication
Layered Security
Security Staffing
Security Culture: Executive Sponsorship is Critical!
EXECUTIVE (sponsor)
MANAGEMENT (implement)
STAFF (buy-in)
– Executive commitment
– Organizational commitment
– Personal responsibility
How Much Security is Enough?
Begin with a comprehensive Risk Assessment
Assess security resources
Evaluate threats, consequences
Develop short list of security priorities (top 5)
Suggested frequency - every 18-36 months
Physical Security System
Physical Protection System: Level of Protection (Pe)
Detection
• Intrusion sensing
• Alarm communication
• Alarm assessment
• Entry control
Delay
• Barriers
• Dispensable barriers
Response
• Interruption
• Communication to response force
• Deployment of response force
• Mitigation
(Source: CH2M HILL Security Protection Course)
Detection
Performance measures
• Probability of sensor alarm (Ps)
• Time for communication and assessment (Tc)
• Frequency of nuisance alarms (NAR)
• Alarm without assessment is not detection (PA)
Probability of detection (PD) = F(Ps, Tc, NAR, PA)
Sequence: Sensor Activated → Alarm Signal Initiated → Alarm Reported → Alarm Assessed
Delay
Performance measure
• Time to defeat obstacles
Provide Obstacles to Increase Adversary Task Time
• Protective Force (Guards)
• Physical Barriers
Response
Performance measures
• Probability of communication to response process
• Time to communicate
• Probability of deployment to adversary location
• Time to deploy
• Response process effectiveness
Sequence: Communicate to Response Process → Deploy Response Process → Mitigate Attempt
Adversary Task Time vs. PPS Time Requirements
[Figure: timeline comparing Adversary Task Time (Begin Action to Task Complete) with PPS Time Required (Detect, Delay, Respond). Time markers: T0 (First Alarm), TA (Alarm Assessed), TI (Adversary Interrupted), TC (Task Complete). Outcomes shown: Adversary Interrupted, Adversary Success.]
(Source: CH2M HILL Security Protection Course)
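The comparison of adversary task time against PPS time can be turned into a number for a layered path. The following is an added example, not taken from the slides or the CH2M HILL course: it goes beyond the single timeline by finding the last layer at which a first alarm still leaves enough delay for the response, then computing the chance of at least one timely detection. The `Layer` class, function names, and all probabilities and times are constructed assumptions; detection is assumed to occur on entering a layer, and the response time is assumed to include communication and assessment.

```python
from dataclasses import dataclass
from math import prod

@dataclass
class Layer:
    name: str
    p_detect: float  # assumed chance an alarm here is sensed AND assessed
    delay_s: float   # assumed seconds to defeat this layer's obstacles

def critical_detection_point(path, response_s):
    """Index of the last layer where a first alarm still leaves the
    response enough time to interrupt; -1 if no layer qualifies."""
    remaining = 0.0
    for i in range(len(path) - 1, -1, -1):   # walk from the asset outward
        remaining += path[i].delay_s          # delay left if detected at layer i
        if remaining >= response_s:
            return i
    return -1

def p_interruption(path, response_s):
    """Probability of at least one timely detection along the path."""
    cdp = critical_detection_point(path, response_s)
    if cdp < 0:
        return 0.0
    return 1.0 - prod(1.0 - layer.p_detect for layer in path[:cdp + 1])

# Constructed sample values for the three layers named on the slides.
PATH = [
    Layer("Level 1 - Property Line", 0.5, 60),
    Layer("Level 2 - Lobby & Service Yard", 0.8, 90),
    Layer("Level 3 - Facility Inner Spaces", 0.9, 120),
]

if __name__ == "__main__":
    for response_s in (100, 180, 300):
        cdp = critical_detection_point(PATH, response_s)
        where = PATH[cdp].name if cdp >= 0 else "none"
        print(f"response {response_s:>3}s  last useful detection: {where:<32}"
              f" P(interrupt) = {p_interruption(PATH, response_s):.2f}")
```

Sensors past the critical detection point add nothing to the result, which is why a slower response shifts the value of detection toward the outer layers.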
Characteristics of an Effective Physical Protection System
Minimum consequence of component failure
Balanced protection
Protection-in-depth
Protection in Depth
Security Protection Layers:
Level 1 = Property Line
Level 2 = Lobby & Service Yard
Level 3 = Facility Inner Spaces
Mitigate Adversary Success For Threats:
Originating at Perimeter
From Perimeter to Building
From inside
Layers of Security
Value of Assets
Trusted zones
Selective zones
Untrusted zones
Depth and Range of Controls
Allowed Devices, Applications and Locations
Policy Enforcement Point (PEP)
Value of assets drives security protection.
(Source: Intel Corporation, 2012)
Security Recommendations
LAYER 1 – PROPERTY LINE
Proper Site
Standoff Distance
Gates
Perimeter Protection
Appropriate Landscaping
Security Patrol
Security Officer Presence at Gates
Security Recommendations (continued)
LAYER 2 – LOBBY & SERVICE YARD
Windows – few or none
Cameras
Badge Check - Turnstiles/Portals
Protect Critical Equipment
Limit Entry Points
Security Recommendations (continued)
LAYER 3 – FACILITY INNER SPACES
Protect HVAC and Critical Equipment
Secure Portals; 2-factor authentication
Secure Cages and Carts
Visitor Escorting
Intel – IT Security Master Design Standards
Security Access Control Systems
CCTV Schedule and Camera Matrix
Facility Entry Control Systems
Security Command Center and Standard
Panic Alarm System
Guard Shack and CCTV System
Exterior Security & CCTV System
Security Command Center Building Security Equipment Room
Security Risk Based Mitigations
Security Mitigation Matrix
Security Network System
Physical Security
Key Learnings – Intel
After 9/11: adopted a 100-yard outer ring setback policy on all data centers
Generator fuel storage: 215-gallon separate and secured day tank
Mandate: keep all combustibles (cardboard) out of the data center, use water as fire control, and VESDA as detection
Let the room content protect itself on thermal protection: no thermal rise EPO, and shunt trip disabled
Amount of Camera coverage is tied to impact to revenue assessments
For highly secure areas we mandate double entry requirements
Innovation as a result of being flexible for cultural norms
Security Technology Innovations
Security Monitoring Software
Rack Access Control
Video Analytics
Secure Portals
Megapixel Cameras
Physical Security Information Management (PSIM)
Integrates fire, security, CCTV, building management, etc.
Benefits:
Actionable Intelligence
Staff Efficiencies
Improved response
Megapixel Cameras
Higher resolution
Increased frame rates
Johnson criteria

FORMAT | PIXELS (H) | PIXELS (V) | ASPECT | SIZE
CIF | 352 | 240 | ~4:3 |
VGA | 640 | 480 | 4:3 |
4CIF | 704 | 480 | ~4:3 |
D1 | 720 | 480 | 3:2 | 0.4M pixel
SVGA | 800 | 600 | 4:3 | 0.5M pixel
HDTV(720) | 1280 | 720 | 16:9 | 0.9M pixel
HDTV(1080p) | 1920 | 1080 | 16:9 | 2.1M pixel
4K | 4096 | 2304 | 16:9 | 9.4M pixel
Beyond! | 8192 | 1536 | (4) X 4:3 | 12M pixel

More Pixels: More Storage, Higher CPU Requirements, Increased Cost
Video Analytics
Video analytics are more powerful
Cost is dropping
Self-learning modes
Appropriate use areas: perimeter, data center entries
Secure Portals
Access control within security portal
Rack-Level Access Control
Access control at individual rack units
Summary
• Security is critically important.
• Security Threats are multi-faceted and evolving.
• Conduct a comprehensive risk assessment.
• Incorporate layered security.
• Add new technology as appropriate.
Links to Additional Information
• IT@Intel Best Practices: http://www.intel.com/content/www/us/en/it-management/intel-it/intel-it-best-practices.html
• IT@Intel: Enterprise Security: http://www.intel.com/content/www/us/en/it-management/intel-it/intel-it-managing-it.html
• Managing Risk and Information Security: Protect to Enable, by Malcolm Harkins, Apress 2012
• 2012-2013 Intel IT Performance Report: intel-it-annual-performance-report-2012-13
• Cyber War: The Next Threat to National Security and What to Do About It – Richard A. Clarke
• Security and Emergency Preparedness Site: http://www.ch2m.com/corporate/services/security-emergency-management/default.asp
• DHS Executive Order 13636 – Improving Critical Infrastructure Cybersecurity: http://www.dhs.gov/sites/default/files/publications/dhs-eo13636-summary-report-cybersecurity-incentives-study_0.pdf
Forrest Gist, PE, Global Technology Lead, Security & Emergency Preparedness, IDC Architects / CH2M HILL, 503.872.4524
Paul Vaccaro, IT Data Center Technologist and Strategy, Intel