Meeting the Increasingly Complex Challenge of Data Center Security
Paul Vaccaro / Intel
IT Data Center Technologist and Strategy
Forrest Gist, P.E. / IDC Architects
Global Technology Lead Integrated Security and Emergency Preparedness
Legal Notices
This presentation is for informational purposes only. INTEL MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as
SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors
may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases,
including the performance of that product when combined with other products.
For more complete information about performance and benchmark results, visit www.intel.com/benchmarks
Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries. Copyright © 2013, Intel Corporation. All rights reserved.
Introduction
Paul Vaccaro, IT Data Center Strategy and Technology
Forrest Gist, P.E., Global Technology Lead, Integrated Security and Emergency Preparedness
Intel Global Strategy
Use our unmatched employee talents, manufacturing, technology, and brand strength to:
• Grow PC and Datacenter business with new users and uses
• Extend Intel Solutions to win in adjacent market segments
• Create a continuum of secure, personal computing experiences
• Care for our people, the planet, and inspire the next generation
Intel Security Structure
Legal & Corporate Affairs – Reports to CEO
Corporate Services – Technology and Manufacturing Group
Information Technology – Reports to CFO
Chief Security and Privacy Officer (CSPO)
Groups with responsibility for Corporate Security Policy and Enforcement
Intel IT Vital Statistics
Our World is Changing
Copyright 2013 CH2M HILL
Data Center Security
Past Focus:
• Protect data center facility and structure
• Outsider threats
Present and Future Focus:
• Layered security
• ‘Agile’ security system
• Respond to both known and unknown threat vectors
Security: A Balancing Act
[Figure: "Balancing Interests", a scale between OPEN ACCESS and LOCKED DOWN. Labels: "Controls increase cost and constrain use of data and systems"; "Assets should be fully protected" / "reasonably protected". Source: Intel Corporation, 2012]
Setting the Stage: Security Considerations
SECURITY PROGRAM ELEMENTS
• Threats
• Security Culture
• Value of Assets
• Policies and Procedures
• Layers of Security
These apply for both physical and cyber security.
Threats
• Different security systems required for various threats
• The more dangerous the threat, the more critical the required security system
• Helps set direction for security program
Threat Activity and Probability
• Existence: Is the adversary present?
• Capability: Does the adversary have resources to achieve undesired event?
• Intention or History: Does adversary have intention or history?
• Selection: Has the adversary selected the facility?
Regulation Drives Security
• Healthcare
• Utilities
• Finance
• Critical Infrastructure
All aspects of security have considerations based on regulatory requirements.
Components of a Successful Security Program
Security Program Elements
Operational
Policies and Procedures
Communication
Layered Security
Security Staffing
Security Culture: Executive Sponsorship is Critical!
EXECUTIVE (sponsor)
MANAGEMENT (implement)
STAFF (buy-in)
– Executive commitment
– Organizational commitment
– Personal responsibility
How Much Security is Enough?
Begin with a comprehensive Risk Assessment
• Assess security resources
• Evaluate threats, consequences
• Develop short list of security priorities (top 5)
Suggested frequency - every 18-36 months
Physical Security System
Physical Protection System
Level of Protection (Pe)
Detection
• Intrusion sensing
• Alarm communication
• Alarm assessment
• Entry control
Delay
• Barriers
• Dispensable barriers
Response
• Interruption
• Communication to response force
• Deployment of response force
• Mitigation
(Source: CH2M HILL Security Protection Course)
Detection
Performance measures
• Probability of sensor alarm (Ps)
• Time for communication and assessment (Tc)
• Frequency of nuisance alarms (NAR)
• Alarm without assessment is not detection (PA)
• Probability of detection (PD) = F (Ps, Tc, NAR, PA)
Sensor Activated → Alarm Signal Initiated → Alarm Reported → Alarm Assessed
Delay
Performance measure
• Time to defeat obstacles
Delay: Provide Obstacles to Increase Adversary Task Time
Physical Barriers
Protective Force (Guards)
Response
Performance measures
• Probability of communication to response process
• Time to communicate
• Probability of deployment to adversary location
• Time to deploy
• Response process effectiveness
Communicate to Response Process → Deploy Response Process → Mitigate Attempt
Adversary Task Time vs. PPS Time Requirements
[Figure: timeline (axis: Time) with markers T0, TA, TI and TC. Labels: Begin Action, Task Complete, Adversary Task Time, First Alarm, Detect, Alarm Assessed, Delay, Respond, Adversary Interrupted, Adversary Success, PPS Time Required.]
(Source: CH2M HILL Security Protection Course)
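The timeline compares the time the adversary still needs after an alarm with the time the PPS needs to assess and respond. As an added example (not part of the presentation), the Python sketch below applies that comparison to a three-layer path; the layer names follow the deck's protection levels, while the detection probabilities, delays and response times are constructed values, and independent layers with the sensor ahead of each barrier are simplifying assumptions.

```python
from dataclasses import dataclass

@dataclass
class Layer:
    name: str
    p_detect: float  # P_D: alarm raised AND assessed at this layer
    delay_s: float   # adversary task time to defeat this layer, seconds

def critical_detection_point(path, response_s):
    """Index of the last layer where an alarm still leaves the response
    process enough time; -1 if detection at the first layer is too late.
    Assumption: each sensor sits ahead of its barrier, so a layer's own
    delay counts toward the time remaining after its alarm."""
    remaining = 0.0
    for i in range(len(path) - 1, -1, -1):
        remaining += path[i].delay_s  # task time left if detected at layer i
        if remaining >= response_s:
            return i
    return -1

def probability_of_interruption(path, response_s):
    """Chance that at least one layer up to the critical detection point
    detects. Alarms after that point are too late to interrupt."""
    cdp = critical_detection_point(path, response_s)
    p_missed = 1.0
    for layer in path[:cdp + 1]:
        p_missed *= 1.0 - layer.p_detect
    return 1.0 - p_missed

# Constructed sample path (values are illustrative, not from the slides).
PATH = [
    Layer("Level 1: property line", 0.50, 60),
    Layer("Level 2: lobby & service yard", 0.80, 90),
    Layer("Level 3: facility inner spaces", 0.90, 120),
]

if __name__ == "__main__":
    # Response time = time to communicate + time to deploy (seconds).
    for response_s in (100, 180, 240, 300):
        cdp = critical_detection_point(PATH, response_s)
        where = PATH[cdp].name if cdp >= 0 else "none (response too slow)"
        p_i = probability_of_interruption(PATH, response_s)
        print(f"response {response_s:>3}s  last useful alarm: {where}  P_I={p_i:.2f}")
```

A slower response pushes the last useful alarm outward toward the property line, so the high-probability inner sensors stop contributing; adding delay at the inner layers or shortening the response restores them.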
Characteristics of an Effective
Physical Protection System
Minimum consequence of component failure
Balanced protection
Protection-in-depth
Protection in Depth
Security Protection Layers / Mitigate Adversary Success For Threats:
• Level 1 = Property Line: Originating at Perimeter
• Level 2 = Lobby & Service Yard: From Perimeter to Building
• Level 3 = Facility Inner Spaces: From inside
Layers of Security
[Figure: Trusted zones, Selective zones and Untrusted zones. Axes: Depth and Range of Controls; Value of Assets. Labels: Policy Enforcement Point (PEP); Allowed Devices, Applications and Locations. Source: Intel Corporation, 2012]
Value of assets drives security protection.
Security Recommendations
LAYER 1 – PROPERTY LINE
Proper Site
Standoff Distance
Gates
Perimeter Protection
Appropriate Landscaping
Security Patrol
• Security Officer Presence at Gates
Security Recommendations (continued)
LAYER 2 – LOBBY & SERVICE YARD
Windows – few or none
Cameras
Badge Check - Turnstiles/Portals
Protect Critical Equipment
Limit Entry Points
Security Recommendations (continued)
LAYER 3 – FACILITY INNER SPACES
Protect HVAC and Critical Equipment
Secure Portals; 2-factor authentication
Secure Cages and Carts
Visitor Escorting
Intel – IT Security Master Design Standards
Security Access Control Systems
Exterior Security & CCTV System
CCTV Schedule and Camera Matrix
Security Command Center Building
Security Equipment Room
Facility Entry Control Systems
Security Command Center and Standard Security Risk Based Mitigations
Security Mitigation Matrix
Panic Alarm System
Guard Shack and CCTV System
Security Network System
Physical Security
Key Learnings – Intel
After 9/11, adopted a 100-yard Outer Ring setback policy on all Data Centers
Generator Fuel Storage: 215-gallon separate and secured Day Tank
Mandate: keep all combustibles (cardboard) out of the Data Center, use water as fire control, and VESDA as detection.
Thermal protection: let the room content protect itself
• No Thermal Rise EPO, and shunt trip disabled
Amount of camera coverage is tied to impact-to-revenue assessments
For highly secure areas we mandate double entry requirements
Innovation as a result of being flexible for cultural norms
Security Technology Innovations
Security Monitoring Software
Megapixel Cameras
Video Analytics
Secure Portals
Rack Access Control
Physical Security Information Management (PSIM)
• Integrates fire, security, CCTV, building management, etc.
• Benefits:
  • Actionable Intelligence
  • Staff Efficiencies
  • Improved response
Megapixel Cameras
More Pixels
• Higher resolution
• Increased frame rates
• Johnson criteria
More Storage, Higher CPU Requirements
Increased Cost

FORMAT        PIXELS (H) x PIXELS (V)   ASPECT       SIZE
CIF           352 x 240                 ~4:3
VGA           640 x 480                 4:3
4CIF          704 x 480                 ~4:3
D1            720 x 480                 3:2          0.4M pixel
SVGA          800 x 600                 4:3          0.5M pixel
HDTV(720)     1280 x 720                16:9         0.9M pixel
HDTV(1080p)   1920 x 1080               16:9         2.1M pixel
4K            4096 x 2304               16:9         9.4M pixel
Beyond!       8192 x 1536               (4) X 4:3    12M pixel
Video Analytics
Video analytics are more powerful
Cost is dropping
Self-learning modes
Appropriate use areas: perimeter, data center entries
Secure Portals
Access control within security portal
Rack-Level Access Control
Access control at individual rack units
Summary
• Security is critically important.
• Security Threats are multi-faceted and evolving.
• Conduct a comprehensive risk assessment.
• Incorporate layered security.
• Add new technology as appropriate.
Links to Additional Information
• IT@Intel Best Practices: http://www.intel.com/content/www/us/en/it-management/intel-it/intel-itbest-practices.html
• IT@Intel : Enterprise Security http://www.intel.com/content/www/us/en/it-management/intel-it/intelit-managing-it.html
• Managing Risk and Information Security: Protect to Enable, by Malcolm Harkins, Apress 2012
• 2012-2013 Intel IT Performance Report intel-it-annual-performance-report-2012-13
• Cyber War: The Next Threat to National Security and What to Do About It – Richard A. Clarke
• Security and Emergency Preparedness Site: http://www.ch2m.com/corporate/services/securityemergency-management/default.asp
• DHS Executive Order 13636 – Improving Critical Infrastructure Cybersecurity:
http://www.dhs.gov/sites/default/files/publications/dhs-eo13636-summary-report-cybersecurityincentives-study_0.pdf
Paul Vaccaro
IT Data Center Technologist and Strategy
Intel
Forrest Gist, PE
Global Technology Lead
Security & Emergency Preparedness
IDC Architects / CH2M HILL
503.872.4524
Thank You
Intel Confidential — Do Not Forward