Site & Facility Design Principles & Security Controls - Part 1
One of the most important topics in the CISSP course is physical site and facility controls. Some of the principles come from Crime Prevention through Environmental Design (CPTED), which security professionals all over the world have widely adopted to design public and private offices.
CPTED is comprised of three basic strategies:
- Natural access control: Uses security zones (or defensible space) to restrict movement and differentiate between public, semi-private, and private areas. For example, natural access control can be accomplished by limiting points of entry into a building and using structures such as sidewalks and lighting to guide visitors to main entrances.
- Natural surveillance: Reduces criminal threats by making intruder activity more observable and easily detected. Natural surveillance can be accomplished by maximizing visibility and activity in strategic areas, for example, by placing windows to overlook streets and parking areas, landscaping to eliminate hidden areas and so on.
- Territorial reinforcement: Strengthens people's sense of responsibility for where they live, the organization in which they work, and the city in which they live. This can be done by giving people responsibility, beautifying the environment, providing amenities, and so on. When a person's sense of responsibility for the environment increases, he or she notifies the relevant authorities (like the organization's security officials) immediately after seeing a suspicious person or activity, and does not ignore the issue.
Site & Facility Design Principles
Next come the site and facility design principles, which cover the following:
- Secure Location
- Secure Facilities
- Secure Access
Location is always an important factor in secure site design. Aspects to consider include:
- Local considerations: A secure location should not be a place where dangerous materials are kept, should not be a high-crime area, should not be in the path of floods, and should not have heavy traffic.
- Climatology and natural disasters: The climate of this place should be suitable and as far as possible free from environmental pollution or industrial pollution.
- Accessibility: Considerations include convenience to an airport or seaport, proximity to emergency services (police, fire, and medical facilities), local traffic patterns, and others.
- Utilities: Where is the facility located in the power grid? Is electrical power stable and clean? Is sufficient fiber optic cable already in place to support telecommunications requirements?
- Location type: Is the location commercial, residential, or industrial?
- Effect of a natural disaster: For example, if there has been an atomic explosion in the past (even in the distant past), you should never even think of such a place.
Secure facilities include different physical and technical controls. Many of these controls should be considered during the initial design of a secure facility. Doing so helps secure the overall design of the building, improves its effectiveness, and helps reduce costs.
Secure facility design consideration includes:
- Fence: Fencing is a physical barrier around the secure area. Multiple types of fence, such as perimeter fences, chain-link fences, and anti-scale fences, are used outside the building.
- Exterior walls: These walls should be able to withstand high winds. Exterior windows should be avoided throughout the building, particularly on lower levels. Metal bars over windows may be necessary. No one should be able to open the windows. Windows must be sufficiently opaque to conceal inside activities.
- Interior walls: Interior walls adjacent to secure or restricted areas must extend from the floor to the ceiling. Bulletproof walls should protect the most sensitive areas. Walls must comply with applicable building and fire codes. Walls adjacent to storage areas (like paper, media, or other flammable materials) must meet minimum fire ratings, which are typically higher than for other interior walls.
- Doors: Locks and doors must be sufficiently strong and well-designed to resist forcible entry. They need a fire rating equivalent to adjacent walls. Emergency exits must remain unlocked from the inside and should also be clearly marked, as well as monitored or alarmed. Many doors swing out to facilitate emergency exiting; thus door hinges are located on the outside of the room or building. These hinges must be properly secured to prevent an intruder from easily lifting hinge pins and removing the door. Electronic lock mechanisms and other access control devices should fail open (unlock) in the event of an emergency to permit people to exit the building.
- Floors: Flooring must be capable of bearing loads in accordance with local building codes. Raised flooring must have a nonconductive surface and be properly grounded to reduce personnel safety risks.
- Alarms: The function of an alarm is to alert the operator to any abnormal condition or activity. Tuning an alarm will provide accurate, useful, and desired information.
- Ceilings: Weight-bearing and fire ratings must be considered. Stained drop-ceiling tiles can reveal leaks while temporarily impeding water damage, so they are a good choice.
- Lighting: Proper lighting is an essential part of physical security. Exterior lighting for all physical spaces and buildings in the security perimeter (including entrances and parking areas) should be sufficient to provide safety for personnel, as well as to discourage prowlers and casual intruders. Both internal and external lighting are important for staying aware of any unauthorized activities and for other security purposes. Areas that are dimly lit or unlit make it easy for an intruder to perform unauthorized activities without fear of being noticed or observed.
- Proper wiring: All wiring, conduits, and cable runs must comply with building and fire codes. Protected cabling is needed to protect the cable from physical damage and to avoid communication failure. Plenum cabling must be used below raised floors and above drop ceilings.
- Security guard: Guards are responsible for protecting assets, controlling access to the building, to individual secure rooms, and to offices, and performing facility patrols. A guard station can serve as a central control point for security systems such as video surveillance and key control.
- Keypad/cipher locks: A secure type of keypad scrambles the number locations on the pad each time it is used, so no one can follow the code that a person is entering while they enter it. A cipher lock is a door unlocking system that uses a door handle, a latch, and a sequence of mechanical push buttons. The door unlocks and operates only when the buttons are pressed in the correct order. If the buttons are pressed in any other order, the lock will not open.
- Biometrics: Biometric access is the best way to build physical security: it uses a unique physical characteristic of a person (like fingerprints, handprints, voice recognition, retina scans, and so on) to allow access to a controlled IT resource.
Site & Facility Security Controls
A CISSP candidate must understand the various threats to physical security, the elements of site- and facility-requirements planning and design, and the various physical security controls, including access controls, technical controls, environmental and life safety controls, and administrative controls.
Physical security controls often found in these locations include:
- Strong access controls: These include the use of key cards, plus a PIN pad or biometric.
- Visitor log: All visitors, who generally require a continuous escort, often are required to sign a visitor log.
- Asset check-in / check-out log: All personnel are required to log the introduction and removal of any equipment and media.
- Video surveillance: Cameras fixed at entrances to wiring closets and data center entrances, as well as the interior of those facilities, to observe the goings-on of both authorized personnel and intruders.
- Fire suppression: Inert gas fire suppression is better than water sprinklers, because water can damage computing equipment in case of discharge.
Wiring closets/intermediate distribution facilities
Wiring closets, server rooms, and media and evidence storage facilities contain high-value equipment and/or media that is critical.
An intermediate distribution frame (IDF) serves as a distribution point for cables from the main distribution frame (MDF) to individual cables connected to equipment in areas distant from these frames.
A patch panel is generally a rack or wall-mounted structure that arranges cable connections. It is important both to protect the integrity of the cables and to prevent overheating of the networking devices caused by masses of disruptive cabling. If a cable inside a wall becomes damaged or fails, you can patch around that cable by simply changing the connection on two patch panels.
Server Rooms/Data Centers
Data center and server room security can be implemented by placing CCTV cameras inside the data center (or server room) and at the entrance, along with a security guard.
Sensors should be deployed to monitor the devices, for things like:
- Water Leaks
- Physical Security
Access doors should be controlled with biometrics and passwords. Rack devices should be secured against theft.
There are several locking systems for rack devices. These locks are typically implemented in the doors on the front of a rack cabinet:
- Swing handle/wing knob locks with common key
- Swing handle/wing knob locks with unique key
- Swing handle with number and key lock
- Electronic locks
- Radio-frequency identification (RFID) card locks
A SAN (storage area network) is a highly critical system that requires high security, high availability, confidentiality, and integrity, so an organization must be aware of these fundamental security requirements of every SAN.
SAN security focuses on the following security issues:
- Network: This includes confidentiality, authentication, integrity, availability, and non-repudiation.
- Implementation: This includes high availability, fault monitoring, predictive fabric management, backup, recovery, intelligent routing and rerouting, dynamic failover protection, non-disruptive server and storage maintenance, hardware zoning for creating safe and secure environments, and no single point of failure.
- Management: The integrity of SAN management can be compromised either intentionally or accidentally. The following are some of the possible causes: (1) Exposed network administration passwords are allowing unauthorized individuals. (2) Changes to security and access control policies allowing unauthorized servers or switches to gain access to the SAN. (3) Changes to zoning information allowing access to storage and read/write to data.