IV. Hardening Steps for Data Centre Management

by JUCC ISTF
SHARE THIS
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */   
 
 
To ensure that data centres meet the reliability and performance needs of universities, and achieve the comprehensive protection from various security threats, a number of aspects should be taken into the consideration during the design and implementation of the data centre management solutions.


Environment Control
 
 Temperature and Humidity

The temperature of each computer room within the data centre is recommended to be controlled between 20 and 24 degrees celsius, and a humidity between 40 and 55%.

 Fire Protection

Halon, FM-200 or other total flooding agent solution should be deployed in each computer room within the data centres. Fire extinguishers should be located strategically across the data centres. Wet pipe sprinkler systems must not be used. Emergency power off switches should be available inside each computer room of the data centres.

 Flood Protection

Whenever possible, raised floors should be used in the data centres. Water detectors should be installed beneath the raised floors.


Physical Security

 Location of Data Centre

The locations of data centres should be carefully selected to reduce the risk of accidental or deliberate trespass by the unauthorised parties. The data centres should not have obvious signs. It is best to have concrete walls without windows. If there are windows, universities should use those areas for administrative purposes only.

Data centres are also recommended to be located where the risk of external threats, such as flooding, is low.

 Surveillance

There should be Closed-Circuit Television (CCTV) cameras outside the data centre monitoring the entrance and inside the data centre. Security guards should be hired to monitor the perimeter of data centres and report any incidents to IT management on a timely basis.

 Physical Access Control Device

Lockers or key card access systems should be used to restrict the access to data centres to authorised personnel only. The best practice is to have two-factor authentication systems, such as key card access systems with individual personnel identification number (PIN) for each access card holder. Other systems like biometric (e.g. fingerprint) access control products can also be implemented to achieve this objective.

Assignment of Physical Access Rights

The IT management of universities should ensure that physical access is restricted to personnel on an as-needed basis. Tiered approach can be deployed by granting IT staff with physical access to different segments of the data centres based on their job functions. Only the IT staff members who absolutely need to operate with information system servers or network devices directly should gain physical access to the room hosting the servers.

The IT management should also review the authorised personnel with physical access to the data centres on a regular basis (e.g. quarterly or annually) to detect any discrepancies.


Disaster Recovery

 Disaster Recovery Plan

Universities should develop disaster recovery plans for their data centres and ensure that the plans are regularly tested, reviewed and updated at least on an annual basis. IT management should ensure sufficient backup resources are available to support the disaster recovery plan.

 Offsite Backup

Regular offsite backups of essential data should be performed by the IT department. The IT management should establish a set of operational procedure to define the scope, frequency, media and restoration of offsite backup process.

Remote Data Centre Management

 Logical Security Requirement

A secure remote data centre management solution should support one or more of the following capabilities:

  • Remote authentication dial-in user service;
  • Lightweight directory access protocol;
  • Breach-prevention modes (programmable response to port scans, pings);
  • Internet protocol (IP) and Firewall packet filtering;
  • Dual-factor authentication;
  • IP security tunnelling;
  • Comprehensive data logging and event notification features; and
  • Other features necessary to support your security policy.

Some popular data centre management products with remote access features available on the market are Microsoft System Centre, IBM System Director VMControl and Avocent.

Others
 

 IT Staff Training

 Sufficient training program should be provided to IT staff members so that they are adequately equipped with knowledge and skills to perform the monitoring, configuration, installation and maintain tasks for systems and devices hosted within the data centres.

If data centre management software is used, IT management should ensure that comprehensive instruction manual and training courses are offered by vendors prior to deploying the software in production.

 Operational Procedures

IT management should establish a set of operational procedures related to data centre management functions. For example, routine monitoring of system health, IT asset tracking, visitor logging and capacity planning. These operational procedures should include the detailed steps required for the performance of specific tasks and any necessary information such as prerequisite(s) of each step, expected system return code and explanations on error messages.


V. Summary

To meet the challenges of higher-density information systems, dynamic processing workloads, and the need for more efficient energy consumption, it is necessary for universities to have a management solution that operates data centres at minimum cost and in a secure manner.

A holistic data centre management solution can maximise the universities' capacity to control their data centre spending, to preserve desired IT service level and to utilise IT assets more effectively. Such solution should combine proper data centre planning, committed management involvement, competent IT staff and usage of sophisticated management tools. Various hardening steps should also be implemented at environmental, physical, logical and procedural levels to reinforce the data centre security.

Reference:

http://www.sans.org/reading_room/whitepapers/awareness/data-center-physical-security-checklist_416

[Previous section]