1. Executive Summary
2. Introduction
  2.1 Why are we publishing this report?
    2.1.1 Security is a very high priority for service providers and end users alike
    2.1.2 There is room for additional guidance on data centre security
  2.2 Scope
  2.3 Using this Report
3. Research Methodology and Report Objectives
  3.1 Objectives
  3.2 Methodology
4. Part 1 - ISO/IEC 27001 and applicability to data centre security
  4.1 Confidentiality, Integrity, Availability (CIA)
  4.2 Using risk assessment to improve security
  4.3 Why do we need a risk-managed approach to improving security?
    4.3.1 Further Information Sources and Standards
5. Part 2 - Data Centre Security Controls
  5.1 Security Policy
    5.1.1 ISO Security Control Categories
  5.2 Organising Information Security
    5.2.1 ISO Security Control Categories
  5.3 Asset Management
    5.3.1 ISO Security Control Categories
    5.3.2 Responsibility for Assets
    5.3.3 Information Classification
  5.4 Human Resources Security
    5.4.1 ISO Security Control Categories
    5.4.2 Prior to employment
    5.4.3 During employment
    5.4.4 Termination or change of employment
    5.4.5 Further Information Sources and Standards
  5.5 Physical & Environmental Security
    5.5.1 ISO Security Control Categories
    5.5.2 Introduction
    5.5.3 Secure Areas
    5.5.4 Equipment security
  5.6 Communications & Operations Management
    5.6.1 ISO Security Control Categories
    5.6.2 Operational Procedures and Responsibilities
    5.6.3 Third-party Service Delivery Management
    5.6.4 System Planning and Acceptance
    5.6.5 Protection Against Malicious and Mobile Code
    5.6.6 Back-up
    5.6.7 Network Security Management
    5.6.8 Media Handling
    5.6.9 Exchange of information
    5.6.10 Electronic commerce services
    5.6.11 Monitoring and Testing
  5.7 Access Control
    5.7.1 ISO Security Control Categories
    5.7.2 Introduction
    5.7.3 User access management
    5.7.4 User responsibilities
    5.7.5 Network access control
    5.7.6 Operating system access control
    5.7.7 Application and information access control
    5.7.8 Mobile computing and tele-working
  5.8 Information Systems Acquisition, Development & Maintenance
    5.8.1 ISO Security Control Categories
    5.8.2 Security requirements of information systems
    5.8.3 Correct processing in applications
    5.8.4 Cryptographic controls
    5.8.5 Security of system files
    5.8.6 Security in development and support processes
    5.8.7 Technical Vulnerability Management
  5.9 Information Security Incident Management
    5.9.1 ISO Security Control Categories
    5.9.2 Reporting information security events and weaknesses
    5.9.3 Management of information security incidents and improvements
  5.10 Business Continuity Management
    5.10.1 ISO Security Control Categories
    5.10.2 Information security aspects of business continuity management
    5.10.3 Data centre investment planning and disaster recovery
  5.11 Compliance
    5.11.1 ISO Security Control Categories
    5.11.2 Compliance with legal requirements
    5.11.3 Compliance with security policies and standards and technical compliance
    5.11.4 Information systems audit considerations
6. Part 3 - Emerging Challenges and Solutions
  6.1 Emerging Challenges
    6.1.1 Impact of virtualisation
    6.1.2 Impact of Cloud Computing
  6.2 Innovative Solutions
    6.2.1 Cisco Unified Computing System
    6.2.2 Netezza Mantra
    6.2.3 Tata Distributed Denial of Service Solution
    6.2.4 F5 Networks
7 Bibliography
Table of Figures
Figure 1. Data centre providers' rating of the importance of customer criteria
Figure 2. End user organisations' ranking of data centre criteria
Figure 3. Scope of this report
Figure 4. The Plan, Do, Check, Act cycle model for security management
Figure 5. IT service delivery and security vs. functional perspectives
Figure 6. New employee screening used by service providers
Figure 7. Data centre security challenges as perceived by end-user survey respondents
Figure 8. Physical security triangle
Figure 9. Data centre perimeter layers
Figure 10. SD-STD-02.01 US Department of State standard for Crash Testing of Perimeter Barriers and Gates
Figure 11. Approximate relative break-in and blast resistance of wall construction materials
Figure 12. Indicative data centre layout showing buffering of data centre areas from outer walls
Figure 13. Emergency exit door security controls implemented by surveyed data centre providers
Figure 14. Access control policy and measures at surveyed data centre companies
Figure 15. Types (or factors) of identification for access control systems
Figure 16. Hand geometry scanners for cage access control (image courtesy Ingersoll-Rand Company)
Figure 17. 'Discreet site' security measures implemented by surveyed data centre providers
Figure 18. Indicative spread of aircraft incidents at airports
Figure 19. Indicative data centre layout showing buffering of data centre areas from outer walls
Figure 20. Change management process
Figure 21. Change management measures in place at surveyed data centre providers
Figure 22. Examples of separation of environments
Figure 23. Other external certifications achieved by surveyed data centre providers
Figure 24. Definition of 'Network' for our purposes
Figure 25. Web-based application zone network schematic
Figure 26. Network security and related services offered by surveyed data centre providers
Figure 27. Example of a Google black-listed site
Figure 28. Botnet visualisation (source: David Vorel of the Czech chapter of Honeynet.org)
Figure 29. The 'Plan Do Check Act' cycle of security management (Deming)
Figure 30. Monitoring and response schematic
Figure 31. Data centre building monitoring provided by surveyed data centre providers
Figure 32. Relationships between information security areas
Figure 33. Compliance drivers from our survey of organisations operating their own data centres
Figure 34. Certifications other than ISO/IEC 27001 held by surveyed data centre providers
Figure 35. Scope of service offerings and security responsibility
Figure 36. Cisco UCS hardware overview