The essence of the paper will be to address the best-practices that may be employed in the protection of physical security at data center. In doing so, the paper will address the vitality of physical security at data centers whilst providing some of the best practices that may be employed in the plight to safeguard databases. As such, the paper will address specific elements of the aspects therein such as access control, operational status of the data system,general system, system interconnections/information sharing, related laws/regulations/policies, minimum security controls, management controls, awareness and training (operational controls category), configuration management (operational controls category), technical controls, access controls (technical controls category) and the audit and accountability (technical controls category). Assessments of the critical data are supposed to be strengthened and improved. The root of the problem can be determined by analyzing the intent of the intruders. Data centers in this regard have to be assessed too owing to the fact that they often seek to focus on the nexus of data that is critical to an organization are often found in data centers.
Importance of physical security at data centers
There are numerous stories that delve into the breach of systems in contemporary society, that make news and perhaps it is imperative that assessments of the critical data are strengthened and improved. it is imperative to address the root of the problem by analyzing the intent of the intruders. For instance, it is more important to ask whether the intent of the intruder s is to solely assess data stored by organizations that are in essence critical and that may be imperative to safeguard from the public (Wise, 2018). Data centers in this regard have to be assessed too owing to the fact that they often seek to focus on the nexus of data that is critical to an organization are often found in data centers. The data centers are expected to accommodate physical security even in the event that the infrastructure has shifted to the cloud. Databases have to be safeguarded owing to the fact that they control the physical security. As such, protecting data centers from physical theft are one incentive in this regard.
For instance, video surveillance systems are often regarded as the systems that are supposed to be set and most often than not forgotten until it is necessary. In the event that an incident happens, the only resolve at that juncture is to assess the data of consequence that may have been recorded by the surveillance cameras in such a manner as to assess the truth of the predicament as it had unveiled (Wise, 2018). As such, video surveillance is often implored by many institutions, companies, and organizations as part and parcel of their data center physical security tools but even amid its importance the video cameras are often ignored and neglected. Cameras may become clouded or obstructed and the timings are not accurately set. Additionally, the running of the systems are based on the operating systems that are old and at their end-of-life whilst the systems mandated with thetas of storage are often short and do not retain the videos for the desired length.
Access control to information begins with administrative access control. Administrative access control entails the administrator or owner of information setting policies for access of information. These policies limit access to the information as well as the alteration of the information and hence enhance confidentiality and integrity. Administrative policies include the access control modules applied by organizations (White, Fisch, & Pooch, 2017; Ciampa, 2012). The Biba Integrity Module is one such access control used and contains integrity levels for the different system users. Physical control entails ensuring the physical access barriers are utilized in preventing illicit access to the systems allowing users with credentials to access the systems easily while at the same time ensuring physical security. Therefore, the physical control measures used include but are not limited to ensuring that the throughway to the system is secured by installing locks and use of Id badges and administering paper access logs. Video surveillance is also a physical control measure (White, Fisch, & Pooch, 2017; Ciampa, 2012). In some situations, mantraps are used to secure the systems and the disabling of hardware. On the other hand, technical access controls entail attaching permissions to objects and the system checks these permissions to allow access. Passwords are the common technical control measures utilized.
Physical securities at centers mainly focused on data are made of many components. However, there are a few best practices that may be employed to the physical security in a bid to manage data centers efficaciously. These include and are not limited to;
Taking the incentive to know where the people are. To do so, it is essential to undertake in the management of the physical access of the data centers which are considered as critical infrastructure in the environmentâ€™s physical security. The management of the physical access would ascertain that access and an acknowledgment of the movement are taken into account as an important aspect (Wise, 2018). At this juncture it is imperative to take note of the biometric readers, mantraps, controls systems visible in the physical access systems as well as the anti-tailgating in a bid to ensure that authorization is rendered to the space access and critically monitored thereof.
Additionally, it is needless to say that the focus needs to be shifted to the layers whereby the physical security may be integrated at this point as an example of an in-depth defense. In order to provide physical security threat is comprehensive, many processes and systems have to work collaboratively such as access control, process management, and perimeter security (Wise, 2018). The people need to receive training on the procedures relative to physical security whereby as well as ensure that the people strictly adhere to the procedures therein. In doing so it becomes possible to comprehend the dynamics involved such as the relevance of the responsibilities relative to the data centers physical system focused on security and how important the concepts are in this regard.
The threats and the intruders in this case as often is the notion is to often seek for loopholes and links that are ink and that they may manipulate. It has been noted similarly, that the weaknesses are often evident where human equations are evident. Besides it is common perception that human are prone to err. Thus, once systems have been effectively set up, it is essential to ascertain that the physical controls are tested whereby the physical security controls are tested internally (Wise, 2018). This is considered a vital element as it pertains to physical security. Access grants ought to be validated, whilst ascertaining that recording through the use f video surveillance is working efficaciously and that the video footage is without mistakes or errors, the anti-tailgate mechanisms have to be verified similarly and the relative personnel undertakes an analysis to ascertain that the systems are working as they are expected to.
Access control secures access to resources. It entails identifying individuals performing certain jobs, looking at their identification and authenticating them to access certain information in protected areas. Access control measures are often taken to protect the unauthorized access to specific information in certain computers, folders or drives. The right and the exact level of permission are issued to individuals to enable them to access the information without altering it. However, as part of a job, individuals may need to access information or files in these protected computers, drives and folders. Without the necessary authorization credentials, the individuals may end up frustrated.
Access control models exist to help ease the process of rightfully issuing permission levels to different individuals. Different access control models exist to secure access to resources namely; the Mandatory Access Control (MAC) model, the Role Based Access Control (RBAC) model, the Discretionary Access Control (DAC) model and the Rule Based Access Control (RBAC) model. The Role Based Access Control (RBAC) model gives access depending on an individualâ€™s position as well as the role in an organization. Permissions instead of being assigned to individuals are assigned to the different positions in an organization (Sandhu, 2015; Ferraiolo, Cugini & Kuhn, 1995). The individuals in those positions are therefore given the profiles to the different roles to access information or assets permitted in their different roles. Despite the fact that this access model is very easy to install and use, challenges exist. Primarily, individuals in different positions cannot access other important information to their jobs in other positions and would, therefore, need some other authorization.
The primary goal of access control is to secure assets or resources. This is done through several tactics encompassed in access control such as limiting access to the resources, giving permission to the particular individual to access the resources and assigning different roles to different users of the systems. To achieve the set goal through the set objectives and tactics, several practices should be followed. First, a disaster recovery plan should be developed and implemented and the access control measures should be tested frequently (Holt et al, 2015; Mullins, 2002). Secondly, duties among the users should be separated accordingly and secure sensitive assets. Thirdly, monitoring the activities within the access control is essential and enhancing strong credentials with the access control.
Information System Operational Status
The system has to be fully operational. The Operations Center is considered as the companyâ€™s main access in which case, the companyâ€™s data and operational offices are located therein. The following are operations that occur at the main office: accounting & finance, customer relations, human resources, information technology services, marketing, and corporate management. The Operations Center is run and managed by the Chief Operating Officer (COO) of the company. Information System Type: Information security system is tailored towards helping the company in the following essential processes: identification of risks, assessment of the potential impact of each risk, determination of appropriate risk treatments (mitigation, acceptance, transfer), and implementation of the risk management strategy which is based upon the selected risk treatments.
One of the functions of the security information system is risk management and reporting. The systems are designed in such a way that it is able to identify the following risks: cyber-attacks which are likely to affect the business, all disruptions being experienced within the computer system that are likely to affect normal functioning of the system; and the ability to enable the company address external issues in the event that the third party equipment fails to achieve the intended purpose.
It security management is another important function of the security system. This function is accomplished by the Chief Information Security Officer (CISO), who is mandated to streamline leadership concerning the security status of the information system of the company.
The information system of the company is designed in such a way that it enhances security when it comes to access, disclosure, use, modification, disruption or modification of the security aspects of the company. There are various controls that have been put in place such as the specific roles of relevant stakeholders of the company; relating to information security management. Generally, current information security systems are designed in a manner that it is able to address numerous business needs of the company.
There are various technical and environments factors that are interconnected to ensure that the information security system of the company achieves the set objective. The following are hardware devices which are inter-linked in such a way that the system is able to achieve the target objective: computer database servers, email servers, internet servers, and the system is designed in a special way to address numerous needs of the members of the company. The following are commonly used personal technological devices; having a significant impact on maintaining the entire security status of the company: personal smartphones, digital assistants and personal computers among others.
It is of cardinal impact to appreciate that contemporary offices have been designed to enable â€˜smart home; use and the use of internet-based technologies which may be installed in the residential buildings.
System Interconnections/Information Sharing
Some of the important functions that take place across the internet are accounting & finance, customer relations, human resources, information technology services, marketing, and corporate management. Support personnel is encouraged to work from home; by use of advanced technology such as cellular or WiFi connections to access the Internet. Many field office employees, including â€œReality Media Servicesâ€ staff, are also authorized to work from home or an alternate work location (â€œtelework siteâ€).
Both individuals and field office is enabled to access the internet through a comprehensive Service Level Agreement (SLP). Chief Information Officer of the company is responsible for certification of System interconnections between internal systems and facilities of the company. Virtual Private Network interconnections are essential in protecting the confidentiality and integrity of the information being exchanged over the internet. A Verizon Business service is a company that provides Wide Area Networking (WAN) and other Internet services to the company; with the primary domain name and multiple third level domain names (Verizonenterprise, n.d).
The chief of staff of the company is the overall policy maker. Developed policies are meant to address the individual needs of members of the company. The following are key policy areas that are contained in the employee handbook: human resources, financial management, and information technology. There is a well-designed managerâ€™s handbook containing important policy information on how the company should be managed.
A company may acquire a license to operate in three major areas. The company has the legal mandate of managing the storage and retrieval of information regarding business activities within and outside company premises. There are various factors that are considered during the process of implementing projects such considering special needs of disabled and less fortunate in society. Above all, there is a need to develop a comprehensive professional code of conduct to address ethical issues relating to the use of information systems. The companyâ€™s legal counsel is encouraged to observe compliance with the HIPAA Security Rule for PHI for information; being stored in the information system database of the company.
Minimum Security Controls
NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations; may be relied upon for the purposes of maintaining the physical security in a bid to make comprehensive definitions and Security control implementation guidance for better running of the organizational activities.
Management controls are key security requirements for ensuring that the information security system is maintained in a streamlined manner. The logic behind the use of management controls is driven by the fact that there are people with unethical malpractices within the organization who are likely to cause disorderly flows within the company. Management controls ensure availability of all necessary requirements to address such nauseating behavior within the company. They are meant to enhance confidentiality and integrity of being exchanged over the internet.
Adhering to the CA: Security Assessment and Authorization
Management controls are necessary for the plight of managing the information security system efficaciously. Security assessment and authorization measures are meant to ascertain that security is enhanced in the process of using information systems within the organization.
Planning management controls to ensure that the manner in which strategies are implemented within the company complies with special use needs relating to information security system.
As the name suggests, operational controls refer to minimum security requirements that are meant to streamline all operations/tasks of the security information system within the organization.
Awareness and Training (Operational Controls Category)
These are very essential in the sense that they enable organizational stakeholder to be aware of the security issues of the information security system within the organization. First category of operational controls includes;
AT-1 Security Awareness and Training Policy and Procedures AT-1
AT-2 Security Awareness Training AT-2 (2)
AT-3 Role-Based Security Training AT-3
AT-4 Security Training Records AT-4
Configuration Management (Operational Controls Category)
These are designed with the sole purpose of ensuring that the entire process of configuring/setting up the information security system of the organization archives the target goal and objective.
These are security countermeasures which are designed and executed by organizational stakeholders, through mechanisms contained in the hardware, software, or firmware components of the system. All technical hiccups of the information system are addressed technical controls.
Access Controls (Technical Controls Category)
These are countermeasures which enforce referential integrity in the process of accessing stored in the electronic database of the company.
Audit and Accountability (Technical Controls Category)
Audit and Accountability technical controls are minimum security countermeasures which are meant to ensure that the entire process of auditing security information system complies with recommended internal standards.
Ciampa, M. (2012). Security+ guide to network security fundamentals. Cengage Learning.
Ferraiolo, D., Cugini, J., & Kuhn, D. R. (1995, December). Role-based access control (RBAC): Features and motivations. In Proceedings of 11th annual computer security application conference (pp. 241-48).
Holt, V., Ramage, M., Kear, K., & Heap, N. (2015). The usage of best practices and procedures in the database community. Information Systems, 49, 163-181.
Marianne, S., Joan, h., Pauline, B. (2006). Guide for Developing Security Plans for Federal Information Systems. NIST Special Publication 800-18 Revision 1. Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 208 99-8930
Mullins, C. (2002). Database administration: the complete guide to practices and procedures. Addison-Wesley Professional.
Sandhu, R. (2015, April). Attribute-Based Access Control Models and Beyond. In ASIACCS (p. 677).
Verizonenterprise. (n.d). Service Level Agreement (SLA) Internet Dedicated Services | Verizon Enterprise. Retrieved from http://www.verizonenterprise.com/terms/us/products/internet/sla/ )
White, G. B., Fisch, E. A., & Pooch, U. W. (2017). Computer system and network security. CRC press.
Wise, M. (2018). Auditor Insights: Security at Data Centers. Retrieved from https://kirkpatrickprice.com/blog/auditor-insights-security-data-centers/
...(download the rest of the essay above)