
My InfoTech Journal!


Physical Security for Information Protection




Physical Security 

What comes to your mind when we talk about Physical Security?

In most cases, people think about padlocks, steel doors, cabinet safes, security guards, CCTV cameras, turnstiles, biometrics, and other cool stuff. These are all correct answers and can keep our valuable assets safe from thieves.


Physical Security for Information Protection  

When we shift our focus to Physical Security for Information Protection, the definition shifts to securing information (personal, sensitive, confidential, critical), hardware assets, systems, network and data from physical events and actions with malicious intent. This also includes protection from natural disasters like tornadoes, typhoons, earthquakes, flooding, fire; protection from thieves; protection from hackers and other threats.


So where do we start?

Physical Security for Information Protection covers a wide scope: perimeter security, access control systems, surveillance monitoring, environmental management systems, event monitoring, and incident response.

The following areas should be considered when planning for a Data Center location. The focus of this section will be on the Physical Security considerations based on the risks mentioned.


Environmental Threats

Let us start with Environmental Threats in choosing a location for your Data Center. Your Data Center will be hosting your critical data or information. Therefore, it is important that an Environmental Threat Risk Assessment is put high on the list when considering a location for your Data Center. I will be giving a few scenarios which I hope will give you a better understanding of what to consider, and an idea of what else to look out for in your risk assessment for a suitable Data Center location.


The Data Center site should not be prone to Flooding

There are several challenges if your Data Center site is prone to flooding.

  • Challenges in getting into the Data Center. Your Support Team will have difficulty in coming to the office.
  • You will have a risk of having no Technical Support on-site if the area is not passable to transportation due to flooding.
  • Do take note that flooding is caused by heavy rains, which in most cases affect transportation and the mains power supply as well.
  • The building backup generator location must be considered. This should not be in the basement or ground floor level where flooding could affect your building backup power supply capability. You have to ensure that the building backup power supply is located on a higher level of the building and away from flooding risks.

One good example of the impact of this scenario was when flooding affected parts of Thailand back in 2011. This flooding caused a global shortage of hard disk drives (HDDs) that threatened PC sales. The HDD shortage cost millions in sales income, with around 60% of total revenue lost for those companies that were dependent on HDD supply coming from Thailand. Some of the big HDD companies affected were Western Digital (WD), Seagate, and Hitachi.

Another example is from my personal experience. Back in the day, I was with EDS (Electronic Data Systems). Yes, EDS, the company founded by Ross Perot. I was in an outsourcing project for one of the first Business Process Outsourcing (BPO) companies that put up a regional office in the Philippines. Part of the building risk assessment was to verify the building infrastructure, including flooding risk, power redundancy, and other risk considerations. The building passed the entire risk assessment checklist and we picked this building out of several building options for our requirement. Some risks were accepted and controls were put in place to have a concrete Business Continuity Plan (BCP) to support identified disaster scenarios.

We had been leasing several office floors, including our Data Center, in this building since 1998, with no flooding issues. Then in 2002 there was a typhoon which caused massive flooding and power interruption for a prolonged period all over Metro Manila. The building was equipped with generator sets to provide continuous power supply and pumps to pump out water from the basement levels, which should have covered the risks for this particular disaster scenario. To cut the story short, the basement level got flooded, and the pumps were not able to cope with the high volume of water. This affected the building power supply as well as the telecommunication cables.

The Data Center we had in this building was isolated for a while and we couldn't do much from an IT infrastructure perspective. The combination of disaster scenarios, though remote in the probability and impact assessment phase, became a reality. The good thing about this disaster scenario is that, prior to deciding to lease our office space in this building, there was already a well-thought-out accepted risk with a concrete Business Continuity Plan (BCP) to support such a disaster scenario.

The BCP was activated and identified business critical functions were then sent to Singapore as part of the BCP strategy while the site was being recovered back online.

This experience triggered implementation of new solutions or mitigating controls to ensure the IT Disaster Recovery Plan (DRP) improved on infrastructure redundancy and resiliency. 

The Business Continuity Plan (BCP) also implemented measures to keep the employees safe during a disaster and to improve the service of deploying resources to a BCP site on short notice.

For every unfortunate experience there must be valuable lessons to take away.



The Data Center should be able to support prolonged Power Outages

To support prolonged power outages, your backup power supply, such as generator sets, should have redundancy with a backup unit (n+1).

For example, if the full building load requirement needs one generator set, ideally for this scenario you need two generator sets installed. This will allow you the flexibility of alternating these two units, allowing one unit to rest while the other is operational.

You should also ensure you have enough fuel supply and are able to easily get refills when needed.


The Data Center should NOT be in an area of a known Fault Line

Fault Line areas are at a higher risk of being impacted by earthquakes.

You have to verify with the local authority and ensure that your Data Center is NOT within known fault lines.


Physical Security

Physical Security for Information Protection has to start from the outside perimeter considerations. This should cover the building location, and everything else within the area must go through a stringent Risk Assessment.

Security Controls must be implemented based on the Risk Assessment results. You have to refer to the Risk Assessment matrix, which defines the probability or likelihood of the risks identified versus the severity of the consequences that may result from each risk.

Here are some Security Control ideas that may be applicable for a given scenario. These are shared for knowledge purposes only, in the hope that a few of these scenarios can provide you with a starting point on how to design or implement your Physical Security strategy.

Perimeter Security 

If your Data Center is in a building built on a property or lot, the entire property must be secured with a perimeter fence or walls. In some scenarios, you may need security barriers or gate entrance security barriers to help stop different types of intrusions.

You should also have monitoring cameras or CCTVs aimed at strategic positions. Your CCTV system vendor will know how to position these CCTVs and can provide you guidance on where to place them as part of their security design. There should also be alarms that trigger when there is a breach in the perimeter fence or area.

The main objective is to prevent unauthorized access to the facility.

Access Security Controls for Authorized Personnel

The entrance for employee vehicles must have security controls like visible stickers and/or Authorized Access Cards and PINs, with another layer of visual verification from the guards on duty at the gates.

The entrance for employees must have security controls like an access badge, biometric access, a PIN, or a turnstile that prevents piggyback access. Again, this can be a combination of these security controls, with another layer of Security Guards ensuring visual verification and confirmation.

Access Security Controls for Visitors

All Visitors must be treated as unauthorized persons. Stringent security controls must be put in place to ensure that visitors are vetted prior to allowing access to the facility. Visitors like 3rd Party Partners or Vendors with a valid justification for the visit can be allowed, but with proper verification and approval from the Data Center Service Owner or Delegate. These 3rd Party Partners or Vendors can be your Telecoms Provider, Server Support, Software Support, Uninterruptible Power Supply (UPS) Support, Fire Detection and Prevention support, just to name a few. These 3rd Party Partners or Vendors should present valid identification cards, must register in the Visitors Log sheet, and should be visually verified against the ID presented. Access must only be granted within the scope of work and area authorized for these 3rd Party Partners or Vendors. It is also a best practice that all visitors are escorted by authorized personnel during the entire activity.

Surveillance Systems

Surveillance Systems provide another layer of security control. The CCTV feed gives you a live view of what is going on in the areas being monitored. The stored recording is also a very good reference when doing incident reviews. The CCTV System must comply with all regulatory and legal requirements. For example, in some countries you are not allowed to take videos or photos of individuals. One control that is implemented and accepted in some countries is a visual notice about the areas where videos are being recorded. This notice should at least mention that the area is being monitored with a video recording device and that the person has the option not to proceed if not comfortable with this. This is a sensitive legal area and you must consult your corporate lawyers for any security controls that need to comply with local regulations and laws. Your video recording should also comply with data privacy regulations, data retention requirements and other global or local compliance requirements.

Access Security Controls

Access Security controls can be a combination of different layers of physical security controls depending on your environment, circumstances and risk appetite. Your Security Personnel must have protocols and standard operating procedures (SOPs) for handling different security breach scenarios. There should be a regular review of these procedures to capture areas for improvement.


Environment Management Systems (EMS)

The Environment Management System (EMS) covers the management of the systems that protect your Data Center environment. This includes your Uninterruptible Power Supply (UPS), Fire Detection and Suppression System, Water Leak Detection, Air Conditioning Unit, Temperature and Humidity Control, EMS Alert Notification, and other EMS controls.

Uninterruptible Power Supply (UPS)

You must have an Uninterruptible Power Supply (UPS) to ensure that all critical equipment inside your Data Center remains operational during power outages. This critical equipment includes your Servers, Network Devices, Telecoms Lines, and other critical devices. Your UPS should be redundant and should consider load balancing capabilities. There are different ways of configuring your UPS, which will depend on how critical the load (devices) is and how long you can tolerate a power outage. Cost will depend on your risk assessment.

Fire Detection and Suppression System 

The Fire Detection and Suppression System must be installed to ensure that your Data Center covers the risk of fire damage. Controls will also include ensuring your Data Center walls and other components are fire-rated based on your risk assessment results. It is also a best practice to keep portable Fire Extinguishers within designated areas. Your Fire Detection and Suppression System must be tested at least annually, or at a frequency based on local regulatory and legal requirements, while your Fire Extinguishers must be tested semi-annually or quarterly. In some countries, checking of Fire Extinguishers is done and certified by the Local Fire Department. You need to ensure you comply with all local legal requirements.

Water Leak Detection System 

A Water Leak Detection System ensures that any water leak is detected before it becomes a hazard to your critical devices. This is usually installed near areas with a risk of water leaking, such as around your Air Conditioning unit.

Air Conditioning Unit / Temperature & Humidity Control Systems

The Air Conditioning Units (ACUs) ensure that your Data Center temperature is kept within the allowable operating temperature range of the devices installed in your Data Center. This allows your devices to function within the specified working temperature requirement.

The Temperature Control System keeps the temperature within the parameters set within the system.

The Humidity Control System checks the humidity level within the Data Center.

Environment Management System (EMS)

The Environment Management System (EMS) is at the heart of your Data Center Physical Security Control System. The EMS handles the processing of alerts from each of the components and sends notifications via interfaces like links to your ServiceDesk system, SMS, Calls, eMails and other compatible interfaces.

You need to ensure that proper procedures are in place to handle actions or workflows for each identified event. This should include recording of events, sending of alerts, and escalation to the application support group or groups.
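The record, alert and escalate workflow described above, sketched as an added example (not the author's code and not any EMS product's API). The thresholds, channel names and escalation timers are assumptions, and the sensor readings are constructed.

```python
from dataclasses import dataclass

# Assumed policy, not taken from the article or any EMS product.
THRESHOLDS = {                      # sensor: (warning, critical), reading >= value
    "temperature_c": (27.0, 32.0),
    "humidity_pct": (60.0, 80.0),
    "water_leak": (1.0, 1.0),       # any detected leak is critical
}
CHANNELS = {"warning": ["email"], "critical": ["servicedesk", "sms", "call"]}
ESCALATE_AFTER_S = {"warning": 1800, "critical": 300}

@dataclass
class Event:
    ts: int
    sensor: str
    value: float
    severity: str
    acked: bool = False
    escalated: bool = False

class EmsWorkflow:
    def __init__(self):
        self.log = []    # recording: every reading that crossed a threshold
        self.sent = []   # alerts: (ts, channel, sensor, severity)
        self.open = {}   # sensor -> Event that raised the current alert

    def ingest(self, ts, sensor, value):
        warn, crit = THRESHOLDS[sensor]
        sev = "critical" if value >= crit else "warning" if value >= warn else None
        if sev is None:
            self.open.pop(sensor, None)      # back to normal closes the alert
            return None
        ev = Event(ts, sensor, value, sev)
        self.log.append(ev)
        cur = self.open.get(sensor)
        # Notify on a new condition or a worsening one, not on every repeat reading.
        if cur is None or (cur.severity, sev) == ("warning", "critical"):
            self.open[sensor] = ev
            self.sent += [(ts, ch, sensor, sev) for ch in CHANNELS[sev]]
        return ev

    def acknowledge(self, sensor):
        if sensor in self.open:
            self.open[sensor].acked = True

    def escalate_due(self, now):
        """Escalate open alerts nobody acknowledged within the allowed time."""
        due = []
        for ev in self.open.values():
            late = now - ev.ts >= ESCALATE_AFTER_S[ev.severity]
            if late and not ev.acked and not ev.escalated:
                ev.escalated = True
                self.sent.append((now, "escalation", ev.sensor, ev.severity))
                due.append(ev.sensor)
        return due

def run_demo():
    # Constructed readings: (seconds, sensor, value)
    ems = EmsWorkflow()
    for reading in [(0, "temperature_c", 24.0), (60, "temperature_c", 28.5),
                    (120, "temperature_c", 29.0), (180, "water_leak", 1.0),
                    (240, "temperature_c", 33.0)]:
        ems.ingest(*reading)
    ems.acknowledge("water_leak")            # on-call confirmed the leak alert
    return ems, ems.escalate_due(now=600)

if __name__ == "__main__":
    ems, escalated = run_demo()
    print(len(ems.log), "events;", len(ems.sent), "notifications; escalated:", escalated)
```

In the constructed run, the acknowledged water leak is not escalated, while the critical temperature alert that nobody acknowledged within the assumed 300 seconds is.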


This is indeed a nice topic to cover. I believe I have shared more than enough valuable information, practical tips, useful scenarios, and best practices for each of the areas covered in this article.

Please provide your thoughts, comments, or any other suggestions to improve this topic. I would appreciate this very much!


Disclaimer 

This article is a result of my personal research and is not a substitute for legal advice.

Please consult your Legal Team, Ethics & Compliance, or Regulatory Team for the interpretation of specific CyberSecurity requirements.


