Data Centre Security


Single User: £1,695
Corporate User: £1,995

BroadGroup  

DATA CENTRE SECURITY

Current Practices and Customer Needs in Data Centre Security Specification and Operation
147pp
Published: January 2010

Report Synopsis

Data centre security remains a critical issue for both end-user organizations and data centre and managed service providers, achieving top ranking alongside availability/resilience of data centre based IT services in the survey conducted for this new report.

Based on primary research, including an end-user survey, a survey of service providers, and interviews with end users, vendors, service providers and industry experts, this extensive new report (147 pages) focused on data centre security reveals how organisations are responding to a changing threat landscape. It also incorporates information from a wide range of sources covering physical, logical and people-related security measures.

New controls are being deployed to meet these threats and compliance requirements in particular in the areas of web application security and data security. At the same time, it is the long-standing threats of human error and physical security of the data centre which continue to be ranked of key importance by respondents to the surveys conducted for this report.

Many current and forthcoming data centre standards address the availability aspects of data centre security, but are weaker on confidentiality and integrity. These are the three principal properties of information security used by the international standard for implementing an information security management system (ISO/IEC 27001). This standard alongside SAS 70 Type 2 has become the most important external certification for data centre providers to achieve to demonstrate their ability to support customer security efforts.

The report introduces ISO/IEC 27001 and explains its importance in bringing a systematic approach to data centre security investments. It also uniquely presents an extensive set of good practices in data centre security focusing on areas not typically addressed in existing standards. Most areas are accompanied by extensive further information references with more than 150 links to standards, literature and vendors of products and solutions.

An overriding objective of the report is to bring together knowledge across physical security, information security and IT/computer security in the context of the data centre, and to address all layers from the physical facility up to aspects of application security in a manner relevant to data centre organisations.

Research for this report suggests that compliance is a key driver for data centre security efforts. The main compliance regimes which organisations are working under are discussed. The relevance of data centre security to each of these is highlighted and the report advises readers how they can find the information they need to ease data centre related compliance efforts.

Finally the report examines the impact virtualisation and cloud computing are having on data centre security and the way in which vendor solutions are beginning to respond to these changes in data centre security needs.

Valuable report takeaways:

  • Latest insight from end user and service provider organisations
  • Key insight for service providers into end user concerns and priorities
  • Key insight for companies engaged in providing security services and operations, and the future outlook
  • Extensive good practice and suggested controls information within an ISO/IEC 27001 context
  • Links to more than 150 further information sources
  • 36 tables and charts
  • 147pp

Table of contents

  • 1. Executive Summary (p. 9)
  • 2. Introduction (p. 10)
    • 2.1 Why are we publishing this report? (p. 10)
      • 2.1.1 Security is a very high priority for service providers and end users alike (p. 10)
      • 2.1.2 There is room for additional guidance on data centre security (p. 12)
    • 2.2 Scope (p. 14)
    • 2.3 Using this Report (p. 16)
  • 3. Research Methodology and Report Objectives (p. 17)
    • 3.1 Objectives (p. 17)
    • 3.2 Methodology (p. 17)
  • 4. Part 1 - ISO/IEC 27001 and applicability to data centre security (p. 18)
    • 4.1 Confidentiality, Integrity, Availability (CIA) (p. 18)
    • 4.2 Using risk-assessment to improve security (p. 18)
    • 4.3 Why do we need a risk managed approach to improving security? (p. 20)
      • 4.3.1 Further Information Sources and Standards (p. 21)
  • 5. Part 2 - Data Centre Security Controls (p. 22)
    • 5.1 Security Policy (p. 22)
      • 5.1.1 ISO Security Control Categories (p. 22)
        • 5.1.1.1 Information Security Policy (p. 22)
    • 5.2 Organising Information Security (p. 22)
      • 5.2.1 ISO Security Control Categories (p. 22)
        • 5.2.1.1 Internal Organisation (p. 22)
        • 5.2.1.2 External Parties (p. 27)
    • 5.3 Asset Management (p. 29)
      • 5.3.1 ISO Security Control Categories (p. 29)
      • 5.3.2 Responsibility for Assets (p. 29)
        • 5.3.2.1 Physical Assets (p. 29)
        • 5.3.2.2 The Inventory of Assets Role in Data Centre Security (p. 30)
      • 5.3.3 Information Classification (p. 30)
    • 5.4 Human Resources Security (p. 31)
      • 5.4.1 ISO Security Control Categories (p. 31)
      • 5.4.2 Prior to employment (p. 31)
      • 5.4.3 During Employment (p. 33)
      • 5.4.4 Termination or change of employment (p. 37)
      • 5.4.5 Further Information Sources and Standards (p. 38)
    • 5.5 Physical & Environmental Security (p. 39)
      • 5.5.1 ISO Security Control Categories (p. 39)
      • 5.5.2 Introduction (p. 39)
      • 5.5.3 Secure Areas (p. 40)
        • 5.5.3.1 Physical security perimeter (p. 40)
        • 5.5.3.2 Physical entry controls (p. 52)
        • 5.5.3.3 Securing offices, rooms, and facilities (p. 62)
        • 5.5.3.4 Protecting against external and environmental threats (p. 62)
        • 5.5.3.5 Working in secure areas (p. 75)
        • 5.5.3.6 Public access, delivery, and loading areas (p. 75)
      • 5.5.4 Equipment security (p. 76)
        • 5.5.4.1 Equipment siting and protection (p. 76)
        • 5.5.4.2 Supporting utilities (p. 80)
        • 5.5.4.3 Cabling security (p. 81)
        • 5.5.4.4 Equipment maintenance (p. 81)
        • 5.5.4.5 Security of equipment off-premises (p. 82)
        • 5.5.4.6 Secure disposal or re-use of equipment (p. 82)
        • 5.5.4.7 Removal of property (p. 83)
        • 5.5.4.8 Further Information Sources and Standards (p. 83)
    • 5.6 Communications & Operations Management (p. 83)
      • 5.6.1 ISO Security Control Categories (p. 83)
      • 5.6.2 Operational Procedures and Responsibilities (p. 83)
        • 5.6.2.1 Documenting operating procedures (p. 83)
        • 5.6.2.2 Change management (p. 84)
        • 5.6.2.3 Segregation of duties (p. 86)
        • 5.6.2.4 Separation of development, test and operational facilities (p. 87)
      • 5.6.3 Third-party Service Delivery Management (p. 88)
      • 5.6.4 System Planning and Acceptance (p. 90)
        • 5.6.4.1 Capacity Planning (p. 90)
        • 5.6.4.2 System Acceptance (p. 90)
      • 5.6.5 Protection Against Malicious and Mobile Code (p. 91)
        • 5.6.5.1 Intelligence (p. 91)
        • 5.6.5.2 Deciding when to patch (p. 92)
        • 5.6.5.3 Malware scanning (gateway and host) (p. 96)
      • 5.6.6 Back-up (p. 97)
        • 5.6.6.1 Mixing back-up and other network traffic (p. 97)
        • 5.6.6.2 Backing up to shared backup sets (p. 97)
        • 5.6.6.3 Transport and storage of backups (p. 98)
      • 5.6.7 Network Security Management (p. 98)
        • 5.6.7.1 Data centre LAN (p. 99)
        • 5.6.7.2 Host security (p. 105)
        • 5.6.7.3 Host malware scanning (p. 106)
        • 5.6.7.4 Host intrusion detection and prevention systems (HIDS and HIPS) and auditing (p. 106)
        • 5.6.7.5 Application security (p. 107)
        • 5.6.7.6 Data security (p. 110)
      • 5.6.8 Media Handling (p. 111)
      • 5.6.9 Exchange of information (p. 112)
        • 5.6.9.1 Implementing a limited set of secure channels for exchanges of information (p. 112)
        • 5.6.9.2 Electronic Data Interchange (EDI)/Web Services (p. 113)
      • 5.6.10 Electronic commerce services (p. 113)
        • 5.6.10.1 Web-site hi-jack (p. 114)
        • 5.6.10.2 Denial of Service (p. 115)
      • 5.6.11 Monitoring and Testing (p. 117)
    • 5.7 Access Control (p. 121)
      • 5.7.1 ISO Security Control Categories (p. 121)
      • 5.7.2 Introduction (p. 121)
      • 5.7.3 User access management (p. 121)
      • 5.7.4 User responsibilities (p. 122)
      • 5.7.5 Network access control (p. 122)
      • 5.7.6 Operating system access control (p. 122)
      • 5.7.7 Application and information access control (p. 122)
      • 5.7.8 Mobile computing and tele-working (p. 123)
    • 5.8 Information Systems Acquisition, Development & Maintenance (p. 123)
      • 5.8.1 ISO Security Control Categories (p. 123)
      • 5.8.2 Security requirements of information systems (p. 124)
      • 5.8.3 Correct processing in applications (p. 124)
      • 5.8.4 Cryptographic controls (p. 124)
      • 5.8.5 Security of system files (p. 124)
        • 5.8.5.1 Control of operational software (p. 124)
        • 5.8.5.2 Protection of system test data (p. 125)
        • 5.8.5.3 Access control to program source code (p. 125)
      • 5.8.6 Security in development and support processes (p. 125)
      • 5.8.7 Technical Vulnerability Management (p. 125)
    • 5.9 Information Security Incident Management (p. 125)
      • 5.9.1 ISO Security Control Categories (p. 125)
      • 5.9.2 Reporting information security events and weaknesses (p. 125)
      • 5.9.3 Management of information security incidents and improvements (p. 126)
        • 5.9.3.1 Mitigate impact (p. 126)
        • 5.9.3.2 Allow supplementary action (p. 127)
        • 5.9.3.3 Resolve the underlying cause (p. 127)
    • 5.10 Business Continuity Management (p. 127)
      • 5.10.1 ISO Security Control Categories (p. 127)
      • 5.10.2 Information security aspects of business continuity management (p. 127)
      • 5.10.3 Data centre investment planning and disaster recovery (p. 128)
    • 5.11 Compliance (p. 129)
      • 5.11.1 ISO Security Control Categories (p. 129)
      • 5.11.2 Compliance with legal requirements (p. 129)
        • 5.11.2.1 High profile compliance requirements (p. 130)
        • 5.11.2.2 Service provider support for compliance efforts requirements (p. 131)
        • 5.11.2.3 Statement on Auditing Standards Number 70 (p. 132)
        • 5.11.2.4 Payment Card Industry - Data Security Standard (p. 132)
        • 5.11.2.5 Other industry compliance requirements (p. 134)
      • 5.11.3 Compliance with security policies and standards and technical compliance (p. 135)
      • 5.11.4 Information systems audit considerations (p. 136)
  • 6. Part 3 - Emerging Challenges and Solutions (p. 137)
    • 6.1 Emerging Challenges (p. 137)
      • 6.1.1 Impact of virtualisation (p. 137)
      • 6.1.2 Impact of Cloud Computing (p. 139)
    • 6.2 Innovative Solutions (p. 143)
      • 6.2.1 Cisco Unified Computing System (p. 143)
      • 6.2.2 Netezza Mantra (p. 145)
      • 6.2.3 Tata Distributed Denial of Service Solution (p. 146)
      • 6.2.4 F5 Networks (p. 147)
  • 7. Bibliography (p. 149)

Table of Figures

Figure 1. Data centre providers rating of the importance of customer criteria
Figure 2. End user organisations ranking of data centre criteria
Figure 3. Scope of this report
Figure 4. The Plan, Do, Check, Act cycle model for security management
Figure 5. IT service delivery and security vs. functional perspectives
Figure 6. New employee screening used by service providers
Figure 7. Data centre security challenges as perceived by end-user survey respondents
Figure 8. Physical security triangle
Figure 9. Data centre perimeter layers
Figure 10. SD-STD-02.01 US Department of State standard for Crash Testing of Perimeter Barriers and Gates
Figure 11. Approximate relative break-in and blast resistance of wall construction materials
Figure 12. Indicative data centre layout showing buffering of data centre areas from outer walls
Figure 13. Emergency exit door security controls implemented by surveyed data centre providers
Figure 14. Access control policy and measures at surveyed data centre companies
Figure 15. Types (or factors) of identification for access control systems
Figure 16. Hand geometry scanners for cage access control (image courtesy Ingersoll-Rand Company)
Figure 17. "Discreet site" security measures implemented by surveyed data centre providers
Figure 18. Indicative spread of aircraft incidents at airports
Figure 19. Indicative data centre layout showing buffering of data centre areas from outer walls
Figure 20. Change management process
Figure 21. Change management measures in place at surveyed data centre providers
Figure 22. Examples of separation of environments
Figure 23. Other external certifications achieved by surveyed data centre providers
Figure 24. Definition of "Network" for our purposes
Figure 25. Web-based application zone network schematic
Figure 26. Network security and related services offered by surveyed data centre providers
Figure 27. Example of a Google black-listed site
Figure 28. Botnet visualisation (source: David Vorel of the Czech chapter of Honeynet.org)
Figure 29. The "Plan Do Check Act" cycle of security management (Deming)
Figure 30. Monitoring and response schematic
Figure 31. Data centre building monitoring provided by surveyed data centre providers
Figure 32. Relationships between information security areas
Figure 33. Compliance drivers from our survey of organisations operating their own data centres
Figure 34. Certifications other than ISO/IEC 27001 held by surveyed data centre providers
Figure 35. Scope of service offerings and security responsibility
Figure 36. Cisco UCS hardware overview