Meeting the Increasingly Complex Challenge of Data Center Security

Paul Vaccaro / Intel IT Data Center Technologist and Strategy

Forrest Gist, P.E. / IDC Architects, Global Technology Lead, Integrated Security and Emergency Preparedness

Copyright © 2013, Intel Corporation. All rights reserved.

Legal Notices

This presentation is for informational purposes only. INTEL MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors.  Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions.  Any change to any of those factors may cause the results to vary.  You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. 

For more complete information about performance and benchmark results, visit www.intel.com/benchmarks

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries. Copyright © 2013, Intel Corporation. All rights reserved.

Introduction

Paul Vaccaro

IT Data Center Strategy and Technology

Forrest Gist, P.E.

Global Technology Lead, Integrated Security and Emergency Preparedness

Intel Global Strategy

Use our unmatched employee talents, manufacturing, technology, and brand strength to:

• Grow PC and Datacenter business with new users and uses
• Extend Intel Solutions to win in adjacent market segments
• Create a continuum of secure, personal computing experiences
• Care for our people, the planet, and inspire the next generation

Intel Security Structure

Legal & Corporate Affairs – Reports to CEO

Corporate Services – Technology and Manufacturing Group

Information Technology – Reports to CFO

Chief Security and Privacy Officer (CSPO)

Groups with responsibility for Corporate Security Policy and Enforcement

Intel IT Vital Statistics

Copyright 2013 CH2M HILL

Our World is Changing

Data Center Security

Past Focus:

• Protect data center facility and structure
• Outsider threats

Present and Future Focus:

• Layered security
• ‘Agile’ security system
• Respond to both known and unknown threat vectors

Security: A Balancing Act

[Figure labels: OPEN ACCESS, reasonably protected, LOCKED DOWN]

Balancing Interests

Assets should be fully protected

Controls increase cost and constrain use of data and systems

(Source: Intel Corporation, 2012)

Setting the Stage: Security Considerations

Security program elements:

• Threats
• Policies and Procedures
• Layers of Security
• Value of Assets
• Security Culture

These apply for both physical and cyber security.

Threats

Different security systems required for various threats

The more dangerous the threat, the more critical the required security system

Helps set direction for security program

Threat Activity and Probability

• Existence: Is the adversary present?
• Capability: Does the adversary have resources to achieve undesired event?
• Intention or History: Does adversary have intention or history?
• Selection: Has the adversary selected the facility?

Regulation Drives Security

All aspects of security have considerations based on regulatory requirements.

• Healthcare
• Utilities
• Finance
• Critical Infrastructure

Components of a Successful Security Program

Security Program Elements

Operational

Policies and Procedures

Communication

Layered Security

Security Staffing

Security Culture: Executive Sponsorship is Critical!

EXECUTIVE (sponsor)

MANAGEMENT (implement)

STAFF (buy-in)

– Executive commitment

– Organizational commitment

– Personal responsibility

How Much Security is Enough?

Begin with a comprehensive Risk Assessment

Assess security resources

Evaluate threats, consequences

Develop short list of security priorities (top 5)

Suggested frequency - every 18-36 months

Physical Security System

Physical Protection System: Level of Protection (Pe)

Detection

• Intrusion sensing
• Alarm communication
• Alarm assessment
• Entry control

Delay

• Barriers
• Dispensable barriers

Response

• Interruption
• Communication to response force
• Deployment of response force
• Mitigation

(Source: CH2M HILL Security Protection Course)

Detection

Performance measures:

• Probability of sensor alarm (Ps)
• Time for communication and assessment (Tc)
• Frequency of nuisance alarms (NAR)
• Alarm without assessment is not detection (PA)

Probability of detection (PD) = F (Ps, Tc, NAR, PA)

Sensor Activated → Alarm Signal Initiated → Alarm Reported → Alarm Assessed

Delay

Performance measure: Time to defeat obstacles

Protective Force (Guards)

Physical Barriers

Provide Obstacles to Increase Adversary Task Time

Response

Performance measures:

• Probability of communication to response process
• Time to communicate
• Probability of deployment to adversary location
• Time to deploy
• Response process effectiveness

Communicate to Response Process → Deploy Response Process → Mitigate Attempt

Adversary Task Time vs. PPS Time Requirements

[Figure: timeline, axis: Time. Adversary Task Time runs from Begin Action to Task Complete (TC). PPS Time Required covers Detect (First Alarm at T0, Alarm Assessed at TA) and Respond (Adversary Interrupted at TI), with Delay shown alongside. A second PPS Time Required bar (Delay, Respond) is labelled Adversary Success.]

(Source: CH2M HILL Security Protection Course)
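
The timing comparison in the figure above, worked through as an added example that is not part of the original presentation: it generalizes the single timeline to a path of several protection elements and finds the last point at which a first alarm still leaves the response enough time. The element names borrow the deck's three layers, but every probability and time is constructed, and treating the elements' detections as independent is an assumption of this sketch.

```python
from dataclasses import dataclass

@dataclass
class Element:
    name: str        # protection element on the adversary's path
    p_detect: float  # probability its alarm is raised AND assessed
    delay_s: float   # adversary time to defeat it, in seconds

def critical_detection_point(path, pps_time_s):
    """Index of the last element where a first alarm (T0) still leaves more
    adversary task time than the PPS needs to interrupt (TI before TC).
    Detection is assumed to happen before the element's delay is spent.
    Returns -1 when even detection at the first element is too late."""
    remaining = 0.0
    for i in range(len(path) - 1, -1, -1):
        remaining += path[i].delay_s
        if remaining > pps_time_s:
            return i
    return -1

def probability_of_interruption(path, pps_time_s):
    """Chance that at least one timely detection occurs, assuming the
    elements detect independently. Detections after the critical
    detection point are ignored: the response would arrive after TC."""
    cdp = critical_detection_point(path, pps_time_s)
    p_all_miss = 1.0
    for element in path[:cdp + 1]:
        p_all_miss *= 1.0 - element.p_detect
    return 1.0 - p_all_miss

# Constructed path through the deck's three layers; every number is invented.
PATH = [
    Element("Level 1: property line fence", 0.5, 30),
    Element("Level 2: lobby turnstile", 0.8, 60),
    Element("Level 3: secure portal", 0.9, 120),
    Element("Level 3: rack cage", 0.9, 90),
]

if __name__ == "__main__":
    for pps_time in (180, 240, 400):  # assess + communicate + deploy, seconds
        cdp = critical_detection_point(PATH, pps_time)
        where = PATH[cdp].name if cdp >= 0 else "none (adversary success)"
        p_i = probability_of_interruption(PATH, pps_time)
        print(f"PPS time {pps_time:>3}s  last timely detection: {where}  P(interrupt)={p_i:.2f}")
```

A slower response pushes the last timely detection point outward toward the property line, so sensors deeper in the facility stop contributing to interruption even when their detection probability is high.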

Characteristics of an Effective Physical Protection System

Minimum consequence of component failure

Balanced protection

Protection-in-depth

Protection in Depth

Security Protection Layers:

• Level 1 = Property Line
• Level 2 = Lobby & Service Yard
• Level 3 = Facility Inner Spaces

Mitigate Adversary Success For Threats:

• Originating at Perimeter
• From Perimeter to Building
• From inside

Layers of Security

[Figure labels: Value of Assets; Trusted zones, Selective zones, Untrusted zones; Depth and Range of Controls; Allowed Devices, Applications and Locations; Policy Enforcement Point (PEP)]

Value of assets drives security protection.

(Source: Intel Corporation, 2012)

Security Recommendations

LAYER 1 – PROPERTY LINE

Proper Site

Standoff Distance

Gates

Perimeter Protection

Appropriate Landscaping

Security Patrol

Security Officer Presence at Gates

Security Recommendations (continued)

LAYER 2 – LOBBY & SERVICE YARD

Windows – few or none

Cameras

Badge Check - Turnstiles/Portals

Protect Critical Equipment

Limit Entry Points

Security Recommendations (continued)

LAYER 3 – FACILITY INNER SPACES

Protect HVAC and Critical Equipment

Secure Portals; 2-factor authentication

Secure Cages and Carts

Visitor Escorting

Intel – IT Security Master Design Standards

Security Access Control Systems

CCTV Schedule and Camera Matrix

Facility Entry Control Systems

Security Command Center and Standard

Panic Alarm System

Guard Shack and CCTV System

Exterior Security & CCTV System

Security Command Center Building Security Equipment Room

Security Risk Based Mitigations

Security Mitigation Matrix

Security Network System

Physical Security

Key Learnings – Intel

After 9/11: adopted a 100-yard outer-ring setback policy on all data centers

Generator fuel storage: 215-gallon separate and secured day tank

Mandate: keep all combustibles (cardboard) out of the data center, use water as fire control, and VESDA as detection

Thermal protection: let the room content protect itself; no thermal-rise EPO, and shunt trip disabled

Amount of camera coverage is tied to impact-to-revenue assessments

For highly secure areas we mandate double entry requirements

Innovation as a result of being flexible for cultural norms

Data Center Security

Past Focus:

• Protect data center facility and structure
• Outsider threats

Present and Future Focus:

• Layered security
• ‘Agile’ security system
• Respond to both known and unknown threat vectors

Security Technology Innovations

• Security Monitoring Software
• Rack Access Control
• Video Analytics
• Secure Portals
• Megapixel Cameras

Physical Security Information Management (PSIM)

Integrates fire, security, CCTV, building management, etc.

Benefits:

• Actionable Intelligence
• Staff Efficiencies
• Improved response

Megapixel Cameras

Higher resolution

Increased frame rates

Johnson criteria

FORMAT        PIXELS (H)   PIXELS (V)   ASPECT      SIZE
CIF           352          240          ~4:3
VGA           640          480          4:3
4CIF          704          480          ~4:3
D1            720          480          3:2         0.4M pixel
SVGA          800          600          4:3         0.5M pixel
HDTV(720)     1280         720          16:9        0.9M pixel
HDTV(1080p)   1920         1080         16:9        2.1M pixel
4K            4096         2304         16:9        9.4M pixel
Beyond!       8192         1536         (4) x 4:3   12M pixel

More Pixels

More Storage, Higher CPU Requirements

Increased Cost

Video Analytics

Video analytics are more powerful

Cost is dropping

Self-learning modes

Appropriate use areas: perimeter, data center entries

Secure Portals

Access control within security portal

Rack-Level Access Control

Access control at individual rack units

Summary

• Security is critically important.

• Security Threats are multi-faceted and evolving.

• Conduct a comprehensive risk assessment.

• Incorporate layered security.

• Add new technology as appropriate.

Links to Additional Information

• IT@Intel Best Practices: http://www.intel.com/content/www/us/en/it-management/intel-it/intel-it-best-practices.html

• IT@Intel: Enterprise Security: http://www.intel.com/content/www/us/en/it-management/intel-it/intel-it-managing-it.html

• Managing Risk and Information Security: Protect to Enable, by Malcolm Harkins, Apress 2012

• 2012-2013 Intel IT Performance Report: intel-it-annual-performance-report-2012-13

• Cyber War: The Next Threat to National Security and What to Do About It – Richard A. Clarke

• Security and Emergency Preparedness Site: http://www.ch2m.com/corporate/services/security-emergency-management/default.asp

• DHS Executive Order 13636 – Improving Critical Infrastructure Cybersecurity: http://www.dhs.gov/sites/default/files/publications/dhs-eo13636-summary-report-cybersecurity-incentives-study_0.pdf

Forrest Gist, PE, Global Technology Lead, Security & Emergency Preparedness, IDC Architects / CH2M HILL, 503.872.4524

Paul Vaccaro, IT Data Center Technologist and Strategy, Intel

Thank You

Intel Confidential — Do Not Forward