83-20-10 Secure Data Center Operations

Previous screen

Gilbert Held
Payoff
The data center stores information necessary for the effective and efficient operation of the
entire organization. Loss of this data, conveyance of it to a competitor, or unauthorized
alteration of it can harm or even destroy the organization. Therefore, the data security
manager should employ data center security measures that do more than just protect
equipment. This article outlines such measures.

Problems Addressed
This article examines a core set of methods, procedures, equipment, and techniques to help
secure data center operations. No measures can completely secure these operations.
However, by appropriate planning and the implementation of methods, procedures, and
techniques to increase the level of security and security awareness within an organization,
the data security manager can minimize the number and severity of security breaches.
The data security manager must provide three types of security:

Physical security.

Personnel security.

Communications security.

To provide physical security, the data security manager must have the personnel,
equipment, and procedures necessary to bar unauthorized personnel from the data center.
To provide personnel security, the manager must ensure that the organization hires suitable
applicants and periodically reviews their eligibility for employment. To provide
communications security, the data security manager must enforce procedures and
techniques that control the use of communications equipment or line facilities to access the
organization's information systems. This article focuses on each of the three categories of
data center security and their components, as illustrated in Exhibit 1.

Data Center Security and Major Security Components

Physical Security
In many organizations, the data center is divided into two or more secure areas. One area
houses processing equipment, including processors and disk drives, printers, and other
peripheral devices. A second area houses communications equipment, including modems,
multiplexers, Data Service Unit, channel bank, and the physical line terminals from the
communications carrier or carriers serving the organization. The personnel working in
these two areas perform very different functions, and these areas have disparate security
requirements.

Building Access
In most organizations, building access is controlled. Personnel must pass a guard
station at the main entrance, where they show the guard the badge or other type of

Previous screen

identification to prove they are eligible to enter the building. In small organizations,
building access may be controlled by a badge reader, cipher lock, or simple door key.
Many, if not most, of an organization's visitors never require access to its data center,
nor do many of its employees, and many buildings house more than one firm's processing
or communications equipment. The data security managers of such organizations must
employ methods to limit access to their organizations' data center facilities.

Data Center Access

One of the most common methods of controlling access to a data center is the use of a
cipher key-controlled door. By pressing a valid numeric key combination, usually a fourdigit code, the visitor transmits a signal that activates a door release.
Access to most data centers is restricted to operations and support personnel.
Programmers, system analysts, and other employees usually do not enjoy uninhibited
access to the center. However, these employees, as well as visitors, periodically require
access. The data security manager should therefore formulate a policy and procedure for
providing access to the data center for personnel who do not work in the computer
operations department.
Many data centers use a television monitor connected to a TV camera mounted outside
the main data center door. The monitor is located within the data center in a control area that
also contains a sign-in/out visitor book and badges. A person who does not know the
cipher key code and who needs to enter the data center presses a buzzer to alert data center
personnel. A designated person sees the visitor on the monitor in the control area before
releasing the door lock. Many organizations require that visitors wear an identifying badge
and that they be escorted during their visits to the data center.

Enhancing Physical Security

Data security managers can do several things to enhance the physical security of their
centers. First and foremost, they can develop a policy that specifies which employees can
enter the data center, the manner in which they gain access, and who is responsible for their
supervision. Visitors who are not performing repairs or tests should never be allowed near
data center equipment.
Another important task for enhancing the center's physical security is changing the
cipher lock key combination. When data security managers do not change the combination,
former employees, who can gain access to the building, can also enter the data center.
Cipher key combinations should therefore be changed periodically; the frequency should be
based on organizational turnover. The combination should also be changed whenever an
incident compromises the lock security (e.g., a visitor observes an authorized employee
entering the access code). To prevent unauthorized personnel from observing employees
entering the code, the data security manager should instruct employees to use their bodies
to block the cipher lock from view.
Another item that deserves careful consideration is the control of printouts, tapes,
disks, and cartridges. As the repository of corporate information, the data center generates
critical information that must not be accessed by unauthorized persons. Information leaving
the data center should be routed through an input/output (I/O) control facility, which, in
many organizations, is located in the production control department. (This department
provides the data center with magnetic media from outside sources and delivers system
output and magnetic media from the data center to persons working outside the data center.)
With an appropriate policy and procedure in place, I/O control personnel can ensure the
delivery of data center materials to persons authorized to receive such material, minimizing
the risk of critical information winding up in the hands of unauthorized personnel. The data
security manager should require that all material leave the data center through I/O control.

Previous screen

One often overlooked security mechanism is the physical placement of equipment.

Within a data center are terminals and consoles that continuously monitor production jobs
or that control job scheduling, the dispatching of jobs, and related processes. Those
terminals and consoles control computers and communications facilities within the data
center, and some of these devices can be used to initiate computer shutdown. These
terminals and consoles usually operate throughout the day, and a group taking a tour of the
data center or employees with time on their hands could inadvertently cause havoc by
experimenting with them.
To minimize this possibility, the data center operations manager should consider
relocating monitor and control terminals within the operations area of the data center and
away from corridors where they can be easily accessed by unauthorized persons. Because
one or more members of the operations staff are usually on duty, the manager should
consider delegating control of access to those terminals and consoles to the operations
branch or department.

Personnel Security
Although the use of some personnel security procedures, such as drug testing and lie
detectors, is determined by corporate policy, the data security manageror other IS
managerscan still implement a basic personnel security policy. To do so, the data
security manager should check job applicant references, possibly asking the corporate legal
department for a release form that applicants can sign to allow the organization to obtain
their transcripts, proof of college degrees, and other verification of attendance at schools.
One of the frequently overlooked aspects of personnel security is controlling contractor
personnel. Data security managers should exercise as much care in reviewing backgrounds
of full- or part-time contractors as they do for permanent employees.

Personnel Review
Once an employee or contractor passes an initial screening or investigation, most
organizations forget an important characteristic of lifethings rarely remain the same! An
employee's personal circumstances can change through marriage, divorce, bankruptcy, or
other factors (e.g., chemical dependence or another form of substance abuse). People who
were hired a few years ago might not be eligible for employment if an updated screening or
investigation were periodically performed. Therefore, a key to avoiding personnel
problems is periodically updating personnel investigations. Doing so alerts managers to the
need to refer employees to a counseling service or to the fact that an employee or contractor
has become a potential threat instead of a valuable resource.

Communications Security
Communications security involves the use of hardware, software, policies, and procedures
to control the use of communications facilities to access the organization's information
systems. Although passwords, which govern this type of access, are generally considered
the primary component of communications security, their use is only a small part of an
effective communications security effort. Other aspects of communications security that the
data security manager should consider include:

Packet filtering.

The use of callback modems and data encryption devices.

The manner in which telephone rotary numbers are ordered and changed.


Previous screen

Policies and procedures that govern the duration of unattended access to online
application programs.

Packet Filtering
The growth in the number of corporate connections to the Internet involves both an
opportunity and a threat. With access to a network of networks containing more than 25
million computers, an organization's employees can send electronic mail messages to users
throughout the world. Employees with Internet access can use theFile Transfer Protocol to
download files from tens of thousands of file transfer protocol (FTP) servers with
programs and data bases on a wide variety of topics. Employees can use Telnet to obtain a
remote connection to other computers on the Internet, and they can use such Internet
applications as Archie and Gopher to perform information searches.
However, Internet access is a two-way street, and Internet organizations that do not
implement packet filtering expose themselves to the good or bad intentions of millions of
Internet users. Exhibit 2 suggests some of the security exposures of a LAN connected to the
Internet. In this example, a bus-based Ethernet LAN links 50 workstation users to a
mainframe and, through a router, to an Internet service provider. Without implementing
packet filtering, the organization's data flow is bidirectional. Any person connected to the
Internet can try to access the organization's computational facilities on the Ethernet LAN,
including its mainframe and LAN workstations.

Typical Nonprotected Internet Connection

For example, a hacker could develop a script program to probe different Internet
addresses until he or she located the organization's. Then, the hacker could create a second
script to attempt to log into one or more of the computers connected to the Ethernet LAN.
Once access was obtained, the hacker could plant a virus, alter files, or otherwise
compromise the well-being of the organization.
Packet filtering, a technique used to control the routing of packets to LANs, can
eliminate this security exposure. Packet filtering is usually implemented in a router.
However, some routers offered by Internet service providers as part of an Internet access
package provide only a limited packet filtering capability. An organization that uses these
routers usually purchases a standalone router that is used only for its packet filtering
capability. When used in this manner, the router is commonly called a firewall, because it
provides a barrier between an organization's network computational resources and the rest
of the world.
Exhibit 3 illustrates the use of a firewall to protect network resources. Data flow in this
network could be restricted in several ways because packet filtering permits either
bidirectional or one-way data flows in either direction. However, with some applications,
such as simple mail transport protocol (SMTP), an organization probably would not wish
to filter in either direction because it would want to support the bidirectional flow of E-mail
carried by Simple Mail Transfer Protocol. With other Internet applications, such as the file
transfer protocol (FTP), which allows users to transfer files, and Telnet, which is used to
obtain a remote computer connection, an organization may prefer to allow only outbound
access. It may not want outside users to download files onto the LAN or to obtain remote
access into the network's computers.

Using a Firewall to Protect a Network

Previous screen

Because Internet applications occur on well-defined port numbers that represent logical
connections, an effective firewall filters by source and destination address, as well as by
port number. For example, if a data security manager wanted to permit bidirectional E-mail
by means of SMTP, he or she, because the SMTP application used port 25, would set the
following filter:
Action
allow

Inbound
yes

Outbound
yes

Port
25

A filter should be set to allow both inbound and outbound communications for an
Internet application because, with most firewalls, all that is not expressly permitted is
prohibited. Thus, if the manager does not specify the prior filter, most firewalls will
preclude E-mail in both directions.
If the data security manager wants to permit network users to use file transfer protocol
(FTP) to download files from servers on the Internet but preclude Internet users using file
transfer protocol (FTP) from accessing network facilities, he or she would establish the
following filters:
Action
allow
allow

Inbound
no
yes

Outbound
yes
no

Port
21
20

These filters permit network users making control file transfer protocol (FTP) requests
to access the Internet, but they accept only files transferred due to those requests as
inbound traffic.

Callback Modems
If an organization has a network that supports dial-in calls from terminals and
microcomputers, anyone who can access the switched telephone network can
intentionally or unintentionallydial a number that accesses the organization's computer.
To reduce this threat, the data security manager can install callback modems instead of
conventional modems at dial-in ports, which are connected to the communications
equipment that provides access to the network's information systems facilities.
A callback modem is programmed to contain a table of user names or user code and
corresponding telephone numbers. A dial-in user who calls a callback modem is initially
prompted to enter the user name or user code. The modem then displays a message
instructing the user to hang up and wait for a callback. The modem then disconnects and
dials the telephone number associated with the caller. The callback modem thus restricts
calls to those originating from known telephone numbers.
Unfortunately, a callback modem cannot be effectively used when an organization's
employees travel and must access the organization's central communications facilities from
numerous locations. In additon, the cost of the second telephone call constitutes the greater
part of the cost of billed communications. Charging these costs to the departments of those
employees who originated the long-distance calls is usually difficult.

Encryption Devices
Several communications vendors manufacture encryption devices that are compatible
with the National Institute of Standards and TechnologyData Encryption Standard
algorithm. Although the use of encryptors provides secure communications, the data
security manager must develop a policy to govern both the generation and distribution of
encryption keys. The policy should address the need to change these keys periodically.
However, unless the organization transfers funds or very critical information, the use of

Previous screen

encryptors may not be justified because of the cost of the equipment and the labor required
to change keys.

Telephone Rotary Numbers

When an organization orders a group of telephone lines on a rotary switch to provide
access to communications equipment, the data security manager usually ensures that the
telephone numbers will not be listed. The appearance of these numbers in a telephone
directory can tip off hackers.
If the organization wishes to provide some segment of the public with easy access to its
computer facilities, the data security manager should assess the advantages and
disadvantages of listing the organization's communications access telephone numbers only
in brochures distributed to customers instead of in a public directory.
On occasion, a hacker may stumble across one or more of the organization's telephone
rotary groups. Unfortunately, under current law, it is not illegal for the hacker to
continuously attempt to gain access to an organization's computer and, in doing so, tie up a
portion of its communications resources.
Under the laws of most states, a legal violation occurs only if the hacker actually
penetrates the system. Changing the numbers usually corrects the problem and is generally
a practical remedy to an attempted computer penetration.

Policy and Procedures

One communications security vulnerability that organizations ofter overlook is the
terminal user who, after signing onto an application, leaves to get coffee, go to lunch, or
take a break. Anyone walking by that terminal can access the application currently being
used. To avoid this situation, the data security manager should consider using software that
automatically logs a user off if no activity accurs within a predefined time interval. In
addition to enhancing security, these activity monitors support the effective use of
communications and computer resources because they make those resources available to
other users.

Recommended Course of Action

There are three key components to data center security: physical security, personnel
security, and communications security. By carefully considering the elements associated
with each component; developing plans, policies, and procedures; and obtaining
appropriate hardware and software, the data security manager can minimize potential risks.
Careful consideration of these issues both increases the safety of personnel and
equipment in the data center and minimizes the intentional or unintentional removal of
information from the data center. Therefore, the data security manager should carefully
review the elements of the security program against elements discussed in this article. The
data security manager should then initiate appropriate action to eliminate any deficiencies
that could adversely affect security, working within the constraints of the data center's
budget and available personnel.

Author Biographies
Gilbert Held
Gilbert Held, an internationally known author and lecturer, is the author of more than
25 books and 200technical articles on computer systems and communications. He is the
director of 4-Degree Consulting in Macon GA.