Institut Tadbiran Awam Negara (INTAN)

Jabatan Perkhidmatan Awam (JPA)

National Institute of Public Administration

Public Service Department of Malaysia

Data Centre Security

& Control

Ashara Banu Mohamed

Perunding Latihan Kanan
Seksyen Perkhidmatan Operasi ICT
Kluster Inovasi Teknologi Pengurusan (i-IMATEC)
Objective

Introducing ICT security importance in

the Public Sector

ICT policies and standard in Data

Centre

Understand and implement different

types of control

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 2

Learning Outcome

Understanding the importance of ICT security in the

public sector

Understanding the role and responsibilities of civil

servants in aspects of ICT security

Identify the type of ICT security techniques and

methods of maintaining a secure data centre

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 3

Agenda

1 ICT Security

2 Data Centre

3 Data Centre Security : Procedures and Standards

4 Data Centre Security : Security Layer and Controls

5 Data Centre Security : Basic Principle For Data Centre

6 Data Centre Security : Physical Security in Data Centre

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 4

Security?

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 5

Definition: Security

• a state of being free from danger, threats

and risks
• a continuous process
• a periodical activity which has to be
schedule

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 6

ICT SECURITY CRITERIA

Confidentiality

Integrity

Availability

Authenticity

Accountability

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 7

YOUR ROLE

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 8

LAYERED SECURITY APPROACH

Hak Milik INTAN 9

Security is like an onions – it makes you cry

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 10

WHAT IS DATA CENTRE ?

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 11

DATA CENTRE IS

• A data centre (or datacentre) is a facility composed of

networked computers and storage that businesses or other
organizations use to organize, process, store and
disseminate large amounts of data.

• A business typically relies heavily upon the applications,

services and data contained within a data centre, making it a
focal point and critical asset for everyday operations.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 12

WHAT IS DATA CENTRE SECURITY ?

• Data centre security is the set of policies,

precautions and practices adopted

• It is to avoid unauthorized access and manipulation

of a data centre's resources.

• The data centre houses the enterprise applications

and data, hence why providing a proper security
system is critical.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 13

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 14
DATA CENTRE SECURITY

A. Procedures and Standards

 Information Security Risk Assessment Guide
 Security Standards, Policies & Systems
 Common Data Centre Security Risk Signs
 Security Audit Checklist
B. Security Layer and Controls
 Physical (perimeter, building, data centre etc.)
 Logical (network, servers etc.)
 Administrative (people, process etc.)

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 15

A. Procedures and Standards

 Information Security Risk Assessment Guide

Malaysian Public Sector Information Security

Risk-Assessment Guidelines

1. The Malaysian Public Sector Information Security High Level

Risk Assessment (HiLRA Guide)

2. The Malaysian Public Sector Information Security Risk

Assessment Methodology (MyRAM). Fully automated

http://www.mampu.gov.my/mampu/spa

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 16

Impact of the breach vs likelihood of the breach actually happening
Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 17
A. Procedures and Standards

 Security Standards, Policies & Systems

Requirements
 Adopt ISO-27001 (replaces BS 7799 – Part 2)
 Information Security Management System (ISMS)

 Adopt ISO/IEC-27002 (replaces ISO-17799) Controls: Risk

 Controls for Security Management Management and
BCM

BCC, Inc. Report GB-185R

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 18

A. Procedures and Standards

 Security Standards, Policies & Systems

Policy : a course or principle of action adopted or proposed by a government, party, business or individual.
Security Policy
 Aligns with business needs
 security goals; and
 defines how to implement them through processes and technologies.

An effective security policy results from collaboration among

 all stakeholders in the Data centre,
 various management teams,
 executive board, and
 user groups

The policy determines

 security design,
 management processes
 technologies that enable policy to be implementation and
 enforcement.
A security policy is not static; it should be refined and adjusted regularly
Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 19
A. Procedures and Standards

 Common Data Centre Security Risk Signs

 Out-of-date physical wiring diagrams
 Out-of-date logical equipment configuration diagrams and schematics
 Infrequent testing of UPS
 Failure to recharge UPS batteries
 Failure to test generator and fuel levels
 Lack of preventive maintenance on air conditioning equipment
 Fire suppression system not recharged
 Emergency power-off system not tested
 Emergency power-off system not documented
 Infrequent testing of backup generator system
 Equipment not properly anchored
 Evacuation procedures not clearly documented
 Circumvention of physical security procedures
 Lack of effective training for appropriate personnel
Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 20
A. Procedures and Standards

 Security Audit Checklist

• Facilities Security Audit Checklist

• Sample Internal Control Questionnaire

• Data Centre Review Program

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 21

Lesson Contents

A. Procedures and Standards

 Information Security Risk Assessment Guide
 Security Standards, Policies & Systems
 Common Data centre Security Risk Signs
 Security Audit Checklist
B. Security Layer and Controls
 Physical (perimeter, building, data centre etc.)
 Logical (network, servers etc.)
 Administrative (people, process etc.)

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 22

B. Security Layer and Controls

 Physical (perimeter, building, data centre etc.)

building security layers Data centre security layers

* Environment * Perimeter Security

Design

*Access Control * Facility Controls

* Intrusion * White Space

Detection Access

* Personnel * Cabinet
Identification

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 23

B. Security Layer and Controls

 Physical (perimeter, building, data centre etc.)

Threats to physical security include:

 Interruption of services
 Theft
 Physical damage
 Unauthorized disclosure
 Loss of system integrity

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 24

B. Security Layer and Controls

 Physical (perimeter, building, data centre etc.)

Potential for damage or loss can be categorized into 7

categories of threats to objects, persons and intellectual
property:-

Temperature sunlight, freezing, fire & excessive heat

commercial vapors, humidity, dry air,

Gases suspended particles, smoke, cleaning fluid

Liquids water & chemicals

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 25

B. Security Layer and Controls

 Physical (perimeter, building, data centre etc.)

7 categories of threats to objects, persons and intellectual

property:-
contamination from virus, bacteria,
Organisms people, animals

Projectiles falling objects, wind, explosions

Movement collapse, shearing, shaking, vibration,

Energy electric surges/failure, magnetism, static

anomalies electricity, radiation, sound, light
Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 26
B. Security Layer and Controls

 Physical (perimeter, building, data centre etc.)

(i) Prevention
To prevent unauthorized personnel from entering
computing facilities.
(i.e., locations housing computing resources,
supporting utilities, computer hard copy, and
input data media)

To help protect against natural disasters.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 27

B. Security Layer and Controls

 Physical (perimeter, building, data centre etc.)

(i) Prevention

Examples:
• Backup files and documentation.
• Fences.
• Security guards.
• Badge systems.
• Double door systems.
• Locks and keys.
• Backup power.
• Biometric access controls.
• Site selection.
• Fire extinguishers.
Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 28
B. Security Layer and Controls

 Physical (perimeter, building, data centre etc.)

(ii) Detection
 Warn protective services personnel that physical security
measures are being violated.

Examples: Motion detectors

• Motion detectors.
• Smoke and fire detectors. VESDA

• Closed-circuit television monitors.

• Sensors and alarms.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 29

CAMERA NVR
DIGITAL DISK RECORDER

SECURITY MONITORING SCREEN

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 30

DDR/NVR

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 31

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 32
B. Security Layer and Controls

 Physical (perimeter, building, Data Centre etc.)

Data Centre PHYSICAL SECURITY CHECKLIST

1. Data centre Physical Security Checklist

(SANS Institute)

2. SAS 70 Compliance Data centre Physical

Security Checklist – Best Practice

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 33

B. Security Layer and Controls

 Physical (perimeter, building, Data Centre etc.)

What other things that we need to identify before setting

up a DC (

1. Site Location 2. Site Perimeter

a) Natural Disaster Risk a) Perimeter
b) Man made Disaster b) Surveillance
Risk c) Outside Windows &
c) Infrastructure Computer Room Placement
d) Sole purpose d) Access Points

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 34

B. Security Layer and Controls

 Physical (perimeter, building, Data Centre etc.)

What other things that we need to identify before setting
up a DC (
3. Computer Rooms 4. Facilities
a) Access a) Cooling Towers
b) Infrastructure b) Power
c) Environment c) Trash
d) Fire Prevention d) Network Operation Centre
e) Shared Space (NOC)
5. Disaster Recovery 6. Ousiders
a) Disaster Recovery Plan a) Guards
b) Offsite Backup b) Cleaning Staff
c) Redundant Site c) Service Engineers
Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 35
B. Security Layer and Controls

 Physical (perimeter, building, Data Centre etc.)

What other things that we need to identify before setting

up a DC (

7. Users 8. Disaster Recovery (people)

a) Education a) Organizational Chart
b) Policy b) Job Function Documentation
c) Cross Training
d) Contact Information
e) Telecommuting
f) Disparate Locations

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 36

B. Security Layer and Controls

 Logical (network, servers etc.)

 Use software and data to monitor and control access to

information and computing systems.

(E.g. passwords, network and host based firewalls, network intrusion

detection systems, access control lists, and data encryption)

 Level of access granted is limited to certain task that need

to be perform by an individual, program and systems.

 Logical Security Best Practices

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 37

B. Security Layer and Controls

 Logical (network, servers etc.)

(i) Prevention
to prevent unauthorized personnel or programs from
gaining remote access to computing resources.

Examples:
• Access control software.
• Antivirus software.
• Passwords.
• Smart cards.
• Encryption.
• Dial-up access control and callback systems.
• Authentication

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 38

B. Security Layer and Controls

 Logical (network, servers etc.)

(ii) Detection
To warn personnel of attempted violations.

Examples:
• Audit trails
• Intrusion Detection Systems (IDS)

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 39

B. Security Layer and Controls

 Administrative (people, process etc.)

 Also called procedural controls

 Consist of approved written policies, procedures,

standards and guidelines.

 Form the framework for running the business and

managing people.

 Inform people on how the business is to be run

and how day to day operations are to be conducted.

 Laws and regulations created by government bodies

is also a type of administrative control

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 40

B. Security Layer and Controls

 Administrative (people, process etc.)

 Form the basis for the selection and implementation

of logical and physical controls.

 Used to control individual behavior towards access

of facility, equipment, resources and information.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 41

B. Security Layer and Controls

 Administrative (people, process etc.)

 Insider
 Poor Passwords.
 Physical Security.
 Insufficient Backup and Recovery.
 Improper Destruction.
 Social Media.
 Social Engineering.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 42

B. Security Layer and Controls

 Administrative (people, process etc.)

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 43

B. Security Layer and Controls

 Administrative (people, process etc.)

(i) Prevention

Personnel-oriented techniques for controlling

people’s behavior to ensure the confidentiality,
integrity, and availability of computing data and
programs.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 44

B. Security Layer and Controls

 Administrative (people, process etc.)

(i) Prevention

Examples:
• Security awareness and technical training.
• Separation of duties.
• Procedures for recruiting and terminating employees.
• Security policies and procedures.
• Supervision.
• Disaster recovery, contingency, and emergency plans.
• User registration for computer access.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 45

B. Security Layer and Controls

 Administrative (people, process etc.)

(i) Detection
To determine how well security policies and
procedures are complied with, to detect fraud, and
to avoid employing persons that represent an
unacceptable security risk.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 46

B. Security Layer and Controls

 Administrative (people, process etc.)

(i) Detection

Examples:
• Security reviews and audits.
• Performance evaluations.
• Required vacations.
• Background investigations.
• Rotation of duties.

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 47

BASIC PRINCIPLE FOR DATA CENTRE

• Low-key appearance
• Avoid windows
• Limit entry points
• Anti-passback and man-traps
• Hinges on the inside
• Plenty of cameras
• Make fire door exit only
• Permanent security staff
• Test. Test and test again
• Don’t forget the layers
Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 48
Ways to Build Physical Security into a Data Centre

 Build on the right spot.

 Have redundant utilities
 Pay attention to walls
 Avoid windows
 Use landscaping for protection
 Keep a 100-foot buffer zone around the site
 Use retractable crash barriers at vehicle entry
points
 Plan for bomb detection

Site layout

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 49

Ways to Build Physical Security into a Data Centre (cont’d)

 Limit entry points

 Make fire doors exit only
 Use plenty of cameras
 Protect the building's machinery
 Plan for secure air handling
 Ensure nothing can hide in the walls and ceilings
 Use two-factor authentication
 Harden the core with security layers
 Watch the exits too
 Prohibit food in the computer rooms
 Install visitor rest rooms

Hak Milik INTAN KURSUS PENGURUSAN PUSAT DATA : PENGOPERASIAN 50

NETWORK SECURITY WORST PRACTICE

Source: Gartner, Avoid these

“Dirty Dozen” Network Security
Worst Practices, by Andrew
Lerner, Jeremy D’Hoinne,
January 8, 2015.

Hak Milik INTAN 51

THANK YOU
Hak Milik INTAN 53
Hak Milik INTAN 54
Hak Milik INTAN 55