White Paper Aaci Data Center Physical Security Mc Donald

Data Center Best Practices for Integrated Physical Security Technology Solutions and SAS 70 and Homeland Security Presidential Directive 7 (HSPD-7) Compliance

By James McDonald
Integrated Systems Consultant

An AACI White Paper

April 21, 2011

Auburn Regional Office
489 Washington Street
Auburn, MA 01501
Phone: (508) 453-2720
www.AmericanAlarm.com


Contents

Introduction
Problem Statement
Design Solution Check List
Critical Infrastructure Monitoring
Implementation
Key External Technology Measures
Key Internal Technology Measures
Policy Basics
Non-Compliance
Identification Procedures
Summary
Physical Security Information Management (PSIM)
About American Alarm and Communications, Inc.
Appendix A: Understanding Physical Access Control Solutions
Contact Information

Introduction

In today's ever-growing regulatory compliance landscape, organizations can greatly benefit from implementing viable and proven data center physical security best practices.

There are plenty of complicated documents that can guide companies through the process of designing a secure data center, from the gold-standard specs used by the federal government to build sensitive facilities like embassies, to infrastructure standards published by industry groups like the Telecommunications Industry Association, to safety requirements from the likes of the National Fire Protection Association.

Recent federal legislation, ranging from the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act of 2002 (SOX) to Homeland Security Presidential Directive 7 (HSPD-7), is putting intense pressure on data centers, co-locations, and managed services entities to comply with a myriad of security and privacy issues. What’s more, companies seeking to use services from data centers are actively looking for assurances that a strong control environment is in place, complete with data center security best practices.

Homeland Security Presidential Directive 7 (HSPD-7) identified 17 critical infrastructure and key resources (CIKR) sectors and designated Federal Government Sector-Specific Agencies (SSAs) for each of the sectors. Each sector is responsible for developing and implementing a Sector-Specific Plan (SSP) and providing sector-level performance feedback to the Department of Homeland Security (DHS) to enable gap assessments of national cross-sector CIKR protection programs. SSAs are responsible for collaborating with public and private sector security partners and encouraging the development of appropriate information-sharing and analysis mechanisms within the sector.

These best practices, which are often tested by an independent CPA firm for SAS 70 Type I or Type II audit compliance, should be implemented throughout all areas of a data center, rather than being segmented to cover only specific areas. The SAS 70 auditing standard, in place since 1992, has been and will continue to be one of the most effective and well-recognized compliance audits for testing and reporting on controls in place at data centers.

Any opinions, findings, conclusions, or recommendations expressed in this publication do not necessarily reflect the views of American Alarm & Communications, Inc., (AACI). Additionally, neither AACI nor any of its employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process included in this publication. Users of information from this publication assume all liability arising from such use.

Problem Statement

The IT Sector is a key enabler for U.S. and global economies, and its products and services are relied on by all critical infrastructure sectors. Because of this reliance, IT Sector public and private security partners are actively engaged to ensure the resiliency of the sector and prevent and protect against incidents that could have negative economic consequences or degrade public confidence.

What should be the high-level goals for making sure that security for the new data center is built into the designs, instead of being an expensive or ineffectual afterthought?

From the moment an individual arrives on the grounds and walks through the data center doors, the following items should be part of a data center physical security best practices program for any data facility.

Design Solution Check List

Build on the Right Spot

Be sure the building is some distance from headquarters (20 miles is typical) and at least 100 feet from the main road. Bad neighbors: airports, chemical facilities, power plants. Bad news: earthquake fault lines and (as we've seen all too clearly this year) areas prone to hurricanes and floods. And scrap the "data center" sign.

Restrict Area Perimeter

Secure and monitor the perimeter of the facility.

Have Redundant Utilities

Data centers need two sources for utilities, such as electricity, water, voice and data. Trace electricity sources back to two separate substations and water back to two different main lines. Lines should be underground and should come into different areas of the building, with water separate from other utilities. Use the data center's anticipated power usage as leverage for getting the electric company to accommodate the building's special needs.

Deter, Detect, and Delay

Deter, detect, and delay an attack, creating sufficient time between detection of an attack and the point at which the attack becomes successful.

Pay Attention to Walls

Foot-thick concrete is a cheap and effective barrier against the elements and explosive devices. For extra security, use walls lined with Kevlar.

Avoid Windows

Think warehouse and not an office building. If you must have windows, limit them to the break room or administrative area, and use bomb-resistant laminated glass.

Use Landscaping for Protection

Trees, boulders and gullies can hide the building from passing cars, obscure security devices (like fences), and also help keep vehicles from getting too close. Oh, and they look nice too.

Keep a 100-foot Buffer Zone Around the Site

Where landscaping does not protect the building from vehicles, use crash-proof barriers instead. Bollard planters are less conspicuous and more attractive than other devices.

Use Retractable Crash Barriers at Vehicle Entry Points

Control access to the parking lot and loading dock with a staffed guard station that operates the retractable bollards. Use a raised gate and a green light as visual cues that the bollards are down and the driver can go forward. In situations when extra security is needed, have the barriers left up by default, and lowered only when someone has permission to pass through.

Plan for Bomb Detection

For data centers that are especially sensitive or likely targets, have guards use mirrors to check underneath vehicles for explosives, or provide portable bomb-sniffing devices. You can respond to a raised threat by increasing the number of vehicles you check, perhaps by checking employee vehicles as well as visitors and delivery trucks.

Limit Entry Points

Control access to the building by establishing one main entrance, plus a back one for the loading dock. This keeps costs down too.

Make Fire Doors Exit Only

For exits required by fire codes, install doors that don't have handles on the outside. When any of these doors is opened, a loud alarm should sound and trigger a response from the security command center.

Use Plenty of Cameras

Surveillance cameras should be installed around the perimeter of the building, at all entrances and exits, and at every access point throughout the building. A combination of motion-detection devices, low-light cameras, pan-tilt-zoom cameras and standard fixed cameras is ideal. Footage should be digitally recorded and stored offsite.

Protect the Building's Machinery

Keep the mechanical area of the building, which houses environmental systems and uninterruptible power supplies, strictly off limits. If generators are outside, use concrete walls to secure the area. For both areas, make sure all contractors and repair crews are accompanied by an employee at all times.

Personnel Surety

Perform appropriate background checks on and ensure appropriate credentials for facility personnel, and, as appropriate, for unescorted visitors with access to restricted areas or critical assets.

Plan for Secure Air Handling

Make sure the heating, ventilating and air-conditioning systems can be set to recirculate air rather than drawing in air from the outside. This could help protect people and equipment if there were some kind of biological or chemical attack or heavy smoke spreading from a nearby fire. For added security, put devices in place to monitor the air for chemical, biological or radiological contaminants.

Ensure Nothing Can Hide in the Walls and Ceilings

In secure areas of the data center, make sure internal walls run from the slab ceiling all the way to subflooring where wiring is typically housed. Also make sure drop-down ceilings don't provide hidden access points.

Use Two-Factor Authentication

Biometric identification is becoming standard for access control to sensitive areas of data centers, with hand geometry or fingerprint scanners usually considered less invasive than retinal scanning. In other areas, you may be able to get away with less-expensive access cards.

Harden the Core with Security Layers

Anyone entering the most secure part of the data center will have been authenticated at least three times, including:

• At the outer door. Don't forget you'll need a way for visitors to buzz the front desk (IP Intercom works well for this).
• At the entrance to the "data" part of the data center.
• At the inner door, which separates the visitor area from the general employee area. Typically, this is the layer that has the strictest "positive control," meaning no piggybacking allowed. For implementation, you have two options:
  - A floor-to-ceiling turnstile. If someone tries to sneak in behind an authenticated user, the door gently revolves in the reverse direction. (In case of a fire, the walls of the turnstile flatten to allow quick egress.)
  - A "mantrap." Provides alternate access for equipment and for persons with disabilities. This consists of two separate doors with an airlock in between. Only one door can be opened at a time, and authentication is needed for both doors.

At the Door to an Individual Computer Processing Room

This is for the room where actual servers, mainframes or other critical IT equipment is located. Provide access only on an as-needed basis, and segment these rooms as much as possible in order to control and track access.

Watch the Exits Too

Monitor entrance and exit—not only for the main facility but for more sensitive areas of the facility as well. It'll help you keep track of who was where, when. It also helps with building evacuation if there's a fire.

Prohibit Food in the Computer Rooms

Provide a common area where people can eat without getting food on computer equipment.

Install Visitor Rest Rooms

Make sure to include rest rooms for use by visitors and delivery people who don't have access to the secure parts of the building.

Critical Infrastructure Monitoring

"Critical infrastructure" is defined by federal law as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

The Information Technology (IT) Sector is central to the nation's security, economy, and public health and safety. Businesses, governments, academia, and private citizens are increasingly dependent upon IT Sector functions. These virtual and distributed functions produce and provide hardware, software, and IT systems and services, and—in collaboration with the Communications Sector—the Internet.

American Alarm & Communications, Inc. provides technology and services to monitor many key areas of your operation. Communication between your business alarm system and our Monitoring Center is a critical part of your protective system. Our Underwriters’ Laboratories (U.L.) Listed Monitoring Center is the core of American Alarm’s sophisticated communications operation. In the event of an alarm, the CPU in your security system sends an alarm signal to our monitoring facility through the phone lines (800 numbers are not used, given their unreliability). The signal is then retrieved by our monitoring center, and our operators quickly notify the appropriate authorities, as well as the designated responder, of the emergency.

Monitoring Capabilities

• Fire
• Hold-Up
• Intrusion
• Halon/Ansul
• Panic/Ambush
• Man Down
• Elevator Phones
• Off-Premises Video
• HVAC/Refrigeration
• Sprinkler/Tamper/Flow
• Power Loss/Low Battery
• Gas/Hazardous Chemicals
• Water Flow/Flood Alarms
• Environmental Devices (CO2/CO/etc.)
• Radio/Cellular Back-Up Communications


Implementation

At American Alarm and Communications, Inc., we utilize and integrate multiple solutions to create a physical security compliance and risk management solution that can automate and enforce physical security policies, from restricting area perimeter and securing site assets to personnel surety and reporting of significant security incidents; this helps to ensure both governance and compliance utilizing an organization’s existing physical security and IT infrastructure.

We can centrally manage all regulations and associated controls and automate assessment, remediation and reporting as per defined review cycles.

Automatically trigger compliance-based actions, such as rule-based generation of actions/penalties, based on physical access events. Correlate alarms and identities to better manage situations and responses across the security infrastructure. Incorporate real-time monitoring and detailed risk analysis tools to instantly enforce, maintain and report on compliance initiatives.

Key External Technology Measures

Entry Point

Data centers are generally designed with a central access point that’s used to filter employees and visitors into the data center. All requests are vetted by a security guard with an intercom link to ensure that they have a legitimate reason for entering the premises.

Automatic Bollards

As an alternative to a guard-controlled gate, automatic bollards can be used at entry points. These short vertical posts pop out of the ground to prevent unauthorized vehicles from driving onto the site. When a vehicle’s occupants are verified by a guard, an access card or other secure process, the bollards are quickly lowered to allow the vehicle to enter. When in the lowered position, the top of each bollard is flush with the pavement or asphalt and completely hidden. The bollards move quickly and are designed to prevent more than one vehicle from passing through at any one time.

Closed-Circuit TV

External video cameras, positioned in strategic locations, including along perimeter fencing, provide efficient and continuous visual surveillance. The cameras can detect and follow the activities of people in both authorized and “off limits” locations. In the event someone performs an unauthorized action or commits a crime, the digitally stored video can supply valuable evidence to supervisors, law enforcement officials and judicial authorities. For added protection, the video should be stored off-site on a digital video recorder (DVR).

Key Internal Technology Measures

Lobby Area

With proper software and surveillance and communications tools, a staffed reception desk, with one or more security guards checking visitors’ credentials, creates an invaluable first line of access control.

Surveillance

Like their external counterparts, internal cameras provide constant surveillance and offer documented proof of any observed wrongdoing.

Biometric Screening

Once the stuff of science fiction and spy movies, biometric identification now plays a key role in premises security. Biometric systems authorize users on the basis of a physical characteristic that doesn’t change during a lifetime, such as a fingerprint, hand or face geometry, retina or iris features.

Mantrap

Typically located at the gateway between the lobby and the rest of the data center, mantrap technology consists of two interlocking doors positioned on either side of an enclosed space. The first door must close before the second one opens. In a typical mantrap, the visitor needs to first “badge-in” and then once inside must pass a biometric screening in the form of an iris scan.
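The mantrap interlock described here, and under "Harden the Core with Security Layers" in the checklist, can be modeled as a small state machine. This is an added example, not part of the white paper or of any vendor's product; the class, the badge IDs and the iris template names are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Door(Enum):
    OUTER = "outer"  # lobby side
    INNER = "inner"  # data center side


@dataclass
class Mantrap:
    """Interlock: one door open at a time, separate authentication per door."""
    badges: dict            # badge id -> person (constructed sample data)
    iris_templates: dict    # person -> enrolled iris template id (constructed)
    open_door: Optional[Door] = None   # None means both doors are closed
    occupant: Optional[str] = None     # who badged into the enclosed space
    log: list = field(default_factory=list)

    def _record(self, result, detail):
        self.log.append((result, detail))
        return result

    def badge_in(self, badge_id):
        """Outer door: opens only if both doors are closed and the space is empty."""
        if self.open_door is not None:
            return self._record("DENY", "interlock: a door is open")
        if self.occupant is not None:
            return self._record("DENY", "enclosed space is occupied")
        person = self.badges.get(badge_id)
        if person is None:
            return self._record("DENY", "unknown badge")
        self.open_door, self.occupant = Door.OUTER, person
        return self._record("OUTER_OPEN", person)

    def iris_scan(self, template):
        """Inner door: second authentication, only after the outer door has closed."""
        if self.occupant is None:
            return self._record("DENY", "nobody has badged in")
        if self.open_door is not None:
            return self._record("DENY", "interlock: outer door still open")
        enrolled = self.iris_templates.get(self.occupant)
        if enrolled is None or enrolled != template:
            # The occupant stays held between two closed doors until staff respond.
            return self._record("ALARM", "biometric mismatch for " + self.occupant)
        self.open_door = Door.INNER
        return self._record("INNER_OPEN", self.occupant)

    def door_closed(self, door):
        """A door contact reports that a door has shut."""
        if self.open_door is not door:
            return self._record("IGNORED", door.value + " door was not open")
        self.open_door = None
        if door is Door.INNER:
            self.occupant = None  # the person has passed into the data center
        return self._record("CLOSED", door.value)


def demo():
    """Walk one visitor through the mantrap, including two refused actions."""
    trap = Mantrap(badges={"B-100": "alice"}, iris_templates={"alice": "iris-A"})
    return [
        trap.badge_in("B-100"),        # outer door opens
        trap.iris_scan("iris-A"),      # refused: outer door has not closed yet
        trap.door_closed(Door.OUTER),
        trap.badge_in("B-100"),        # refused: someone is already inside
        trap.iris_scan("iris-A"),      # inner door opens
        trap.door_closed(Door.INNER),
    ]


if __name__ == "__main__":
    print(demo())
```
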

Access Control List

Defined by the data center customer, an access control list includes the names of individuals who are authorized to enter the data center environment. Anyone not on the list will not be granted access to operational areas.

Badges and Cards

Visually distinctive badges and identification cards, combined with automated entry points, ensure that only authorized people can access specific data center areas. The most common identification technologies are magnetic stripe, proximity, barcode, smart cards and various biometric devices.

Guard Staff

A well-trained staff that monitors site facilities and security technologies is an essential element in any access control plan.

Loading and Receiving

For full premises security, mantraps, card readers and other access controls located in public-facing facilities also need to be duplicated at the data center’s loading docks and storage areas.

Operational Areas

The final line of physical protection falls in front of the data center’s IT resources. Private cages and suites need to be equipped with dedicated access control systems while cabinets should have locking front and rear doors for additional protection.

Humans are the weakest link in any security scheme. Security professionals can do their best to protect systems with layers of anti-malware, personal and network firewalls, biometric login authentication, and even data encryption, but give a good hacker (or computer forensics expert) enough time with physical access to the hardware, and there’s a good chance they’ll break in. Thus, robust physical access controls and policies are critical elements of any comprehensive IT security strategy.

According to a report by the SANS Institute, “IT security and physical security are no longer security silos in the IT environment; they are and must be considered one and the same or, as it should be called, overall security.”

It is the innermost layer—physical entry to computer rooms—over which IT managers typically have responsibility, and the means to have effective control over human access focuses on a set of policies, procedures, and enforcement mechanisms.

Policy Basics

Given their importance and ramifications on employees, access policies must come from the top leadership. After setting expectations and behavioral ground rules, actual data center access policies have several common elements. The most essential are definitions of various access levels and procedures for authenticating individuals in each group and their associated privileges and responsibilities when in the data center.

Step 1

Authorize, identify and authenticate individuals that require physical access:

• Identify the roles that require both regular as well as occasional physical access and identify the individuals that fill these roles.
• Provide standing authorization and a permanent authenticator to individuals that require regular access.
• Require individuals that require occasional access to submit a request that must be approved prior to access being attempted or allowed.
• Authenticate individuals with regular access requirements through the use of their assigned permanent authenticator.
• Authenticate individuals with occasional access requirements through the use of a personal identification mechanism that includes name, signature and photograph.

Step 2

Verify that work to be performed has been pre-approved or meets emergency response procedures:

• Verify against standard Change Control procedures.
• Verify against standard Maintenance procedures.

Step 3

Make use of logs to document the comings and goings of people and equipment:

• Assign the responsibility for the maintenance of an access log that records personnel access. Record the following:
  - Date and time of entry.
  - Name of accessing individual and authentication mechanism.
  - Name and title of authorizing individual.
  - Reason for access.
  - Date and time of departure.
• Assign the responsibility for the maintenance of a delivery and removal log that records equipment that is delivered to or removed from facilities. Record the following:
  - Date and time of delivery/removal.
  - Name and type of equipment to be delivered or removed.
  - Name and employer of the individual performing the delivery/removal and the authentication mechanism used.
  - Name and title of authorizing individual.
  - Reason for delivery/removal.
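Steps 1 to 3 for personnel access, written as one door-side check that produces the access log entry with the fields listed above. This is an added example, not part of the white paper; the names, badge strings and work references are constructed, and recording refused attempts in the same log is an assumption that goes beyond the list in Step 3.

```python
# Constructed sample data; every name and reference number here is hypothetical.
STANDING = {          # Step 1: regular access, standing authorization
    "A. Rivera": {"authenticator": "badge B-1001",
                  "authorized_by": "M. Chen, Data Center Manager"},
}
APPROVED_REQUESTS = {  # Step 1: occasional access, request approved in advance
    "T. Vendor": {"authorized_by": "M. Chen, Data Center Manager"},
}
APPROVED_WORK = {      # Step 2: work pre-approved under these procedures
    "CHG-204": "Change Control",
    "MNT-031": "Maintenance",
}


def request_entry(log, name, presented, work_ref, reason, when, emergency=False):
    """Apply Steps 1-3; append a log entry and return True if admitted.

    `presented` is what the person showed at the door: the assigned badge for
    regular access, or "photo ID" (name, signature, photograph) for occasional
    access. `emergency` is set by staff when emergency response procedures apply.
    """
    entry = {
        "entry_time": when,            # date and time of entry
        "name": name,                  # accessing individual
        "authentication": presented,   # authentication mechanism
        "authorized_by": None,         # name and title of authorizing individual
        "reason": reason,              # reason for access
        "departure_time": None,        # filled in by record_departure()
        "denied": None,                # assumption: refusals are logged too
    }
    log.append(entry)

    # Step 1: authorize and authenticate.
    if name in STANDING:
        grant = STANDING[name]
        if presented != grant["authenticator"]:
            entry["denied"] = "permanent authenticator not presented"
            return False
    elif name in APPROVED_REQUESTS:
        grant = APPROVED_REQUESTS[name]
        if presented != "photo ID":
            entry["denied"] = "photo ID required for occasional access"
            return False
    else:
        entry["denied"] = "no standing authorization or approved request"
        return False
    entry["authorized_by"] = grant["authorized_by"]

    # Step 2: the work itself must be pre-approved unless it is an emergency.
    if not emergency and work_ref not in APPROVED_WORK:
        entry["denied"] = "work not pre-approved"
        return False
    return True


def record_departure(log, name, when):
    """Step 3: close the most recent open entry for this person."""
    for entry in reversed(log):
        if (entry["name"] == name and entry["denied"] is None
                and entry["departure_time"] is None):
            entry["departure_time"] = when
            return True
    return False


def demo():
    log = []
    results = [
        request_entry(log, "A. Rivera", "badge B-1001", "CHG-204",
                      "replace failed disk", "2025-01-15 09:00"),
        request_entry(log, "T. Vendor", "photo ID", "MNT-999",
                      "chiller service", "2025-01-15 09:15"),
        request_entry(log, "J. Walkin", "photo ID", "MNT-031",
                      "chiller service", "2025-01-15 09:20"),
    ]
    record_departure(log, "A. Rivera", "2025-01-15 10:30")
    return results, log


if __name__ == "__main__":
    outcome, entries = demo()
    print(outcome)
    for e in entries:
        print(e)
```
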

Non-Compliance

Violation of any of the constraints of these policies or procedures should be considered a security breach and, depending on the nature of the violation, various sanctions will be taken:

• A minor breach should result in written reprimand.
• Multiple minor breaches or a major breach should result in suspension.
• Multiple major breaches should result in termination.

Although older data centers typically just consisted of a large, unpartitioned raised-floor area, newer enterprise facilities have taken a page from ISP designs by dividing the space into various zones—for example, a cage for high-availability servers, another area for Tier 2 or 3 systems, a dedicated network control room, and even separate areas for facilities infrastructure such as PDUs and chillers. Such partitioned data centers provide control points for denying access to personnel with no responsibility for equipment that’s in them.

Identification Procedures

The next step in a physical security policy is to set up controls and identification procedures for authenticating data center users and granting them physical access. Although biometric scanners look flashy in the movies and certainly provide an added measure of security, a magnetic stripe badge reader is still the most common entry technology, as it’s simple, cheap, and effective and allows automated logging, which is a necessary audit trail.

One problem with magnetic readers is their susceptibility to tailgating, or allowing unauthorized personnel to trail a colleague through an entryway. That’s why we advise supplementing doors and locks with recorded video surveillance.

I also like to add a form of two-factor authentication to entry points by coupling a card reader (“something you have”) with a PIN pad (“something you know”), which reduces the risks of lost cards. I also recommend using time-stamped video surveillance in conjunction with electronic access logs and a sign-in sheet to provide a paper trail.
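One way to put the electronic access log to work against tailgating, and to get the "who was where, when" record that "Watch the Exits Too" asks for, is to reconcile entry and exit reads per zone. This is an added example, not part of the white paper; the event format, zone names and people are constructed, and each flagged time is the point at which the time-stamped video would be reviewed.

```python
from collections import defaultdict

# Constructed reader events: (timestamp, person, zone, direction).
EVENTS = [
    ("2025-01-15T08:01", "alice", "lobby", "in"),
    ("2025-01-15T08:03", "alice", "cage-1", "in"),
    ("2025-01-15T08:05", "bob", "lobby", "in"),
    ("2025-01-15T09:10", "bob", "cage-1", "out"),   # bob never badged into cage-1
    ("2025-01-15T09:30", "alice", "cage-1", "in"),  # alice is already in cage-1
    ("2025-01-15T09:45", "alice", "cage-1", "out"),
]


def reconcile(events):
    """Replay badge reads in time order.

    Returns (roster, anomalies):
      roster    - zone -> sorted list of people currently badged in, usable
                  as an evacuation list
      anomalies - reads that contradict the log, each a tuple of
                  (timestamp, person, zone, finding)
    """
    inside = defaultdict(set)
    anomalies = []
    for ts, person, zone, direction in sorted(events, key=lambda e: e[0]):
        if direction == "in":
            if person in inside[zone]:
                # A second entry with no exit between: the person left behind
                # someone else, or the card is being shared.
                anomalies.append((ts, person, zone, "entry while already inside"))
            inside[zone].add(person)
        elif direction == "out":
            if person not in inside[zone]:
                # An exit with no entry on record: the person most likely
                # followed someone else in.
                anomalies.append((ts, person, zone, "exit without recorded entry"))
            inside[zone].discard(person)
        else:
            anomalies.append((ts, person, zone, "unknown direction " + repr(direction)))
    roster = {zone: sorted(people) for zone, people in inside.items() if people}
    return roster, anomalies


if __name__ == "__main__":
    roster, anomalies = reconcile(EVENTS)
    print("Currently inside:", roster)
    for finding in anomalies:
        print("Review video at", *finding)
```
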

Access levels and controls, with identification, monitoring, and logging, form the foundation of an access policy, but two other major policy elements are critical: standards of conduct and behavior inside the data center, such as prohibitions on food and beverages or on tampering with unauthorized equipment, and limitations and controls on the admission of personal electronics such as USB thumb drives, laptops, smartphones, or cameras.

Policies should also incorporate processes for granting access or elevating restriction levels, an exception process for unusual situations, sanctions for policy violations, and standards for reviewing and auditing policy compliance. Stahl cautions that penalties for noncompliance will vary from company to company because they must reflect each enterprise’s specific risk tolerance, corporate culture, local employment laws, and union contracts.

Summary

It’s time to get physical—as in physically protecting a data center and all of its assets. The need for ironclad virtual security measures, such as managed firewalls, is well known. Yet physical security is often placed on the back burner, largely forgotten about until an unauthorized party manages to break into or sneak onto a site and steals or vandalizes systems.

Today’s security systems include:

• Intrusion and Monitoring Systems
• Access Control Systems
• Visitor Management Systems
• Surveillance Systems
• Emergency Communications Systems
• PSIM Software Platforms

The newest of these is the PSIM or Physical Security Information Management system.

Physical Security Information Management (PSIM)

The PSIM Platform enables the integration and organization of any number and type of security devices or systems and provides a common set of services for analyzing and managing the incoming information. It also serves as the common services platform for video and situation management applications.

Effectively maintaining security of critical infrastructure does not happen by accident; it means giving your security professionals the best security/software tools available today. By unifying your existing surveillance system and providing spatial context to your camera feeds, PSIM brings out the best of your equipment.

To investigate day-to-day incidents, as well as prepare for emergency situations, the security department makes use of a vast network of video cameras, access control points, intercoms, fire and other safety systems. PSIM unifies all of these disparate feeds, including systems from diverse manufacturers, into a single decision-oriented Common Operating Picture.

Within the PSIM Platform are five key components:

Integration Services – Multiple strategies are used for connection, communication with, and management of installed devices and systems from multiple vendors. The PSIM Platform offers complete support for the industry’s most commonly used device types – out of the box. In addition, it employs a customizable “pipeline” architecture to receive device events. This architecture exploits commonalities among similar devices (including format and protocol) and reduces the need for one-off adaptations. Network connectivity is achieved using combinations of multiple communications protocols.

Geo-Location Engine – The Geo-Location Engine provides spatial recognition for geo-location of devices and supports situation mapping functionality. The physical position of devices is stored in an internal knowledge base as GIS/GPS positions or building coordinates. The engine uses the information to determine relevance and to select and relate devices involved in a given situation. The system uses the information to overlay graphical representations of security assets and activities onto Google-type maps or building layouts.

Routing Engine – The Routing Engine is an intelligent switch that connects any security device to PSIM command interfaces or output device(s) and accommodates any required transformation of formats and protocols between connected devices. In most cases, devices connect directly to each other and exchange data streams directly, avoiding possible bottlenecks that would arise from routing all traffic through a single centralized server. An internal knowledge base of all connected devices and their characteristics is maintained by the Routing Engine, which uses that information to ensure a viable communication path, compatibility of signal format and acceptable quality of service.

Rules Engine – The PSIM Platform contains a powerful Rules Engine that analyzes event and policy information from multiple sources to correlate events, make decisions based upon event variables and initiate activities. Pre-packaged or user-written rules define the events or event combinations for identifying and resolving situations in real time according to business policies.

Dispatch Engine – The Dispatch Engine integrates with communications infrastructure to initiate external applications or the transmission of messages, data and commands. Dispatch actions are automatically triggered by the Rules Engine as it executes recommendations for situation resolution. Operators can manually initiate actions as well.

The system integrates and analyzes information from disparate traditional physical security devices including analog and digital video.

The key benefit of today’s technology is allowing system users to do more with less by getting maximum benefits through integrated technologies with each system (both new and old) and with the goals of company policies and procedures like never before.

About American Alarm and Communications, Inc.

American Alarm and Communications, Inc., is in a unique position to improve personal protection of key individuals as a Massachusetts-based Underwriters Laboratories (UL) Listed, and United States Federal Government (DOD) recognized 24-hour Security Command Center and Central Station. Every day we manage a full range of security, communication and escalation procedures specifically designed for our key customers. Our founders, three engineers from the Massachusetts Institute of Technology (MIT), have worked to bring the benefits of new technology and solutions to our customers. Though we have grown over the years, our mission has remained the same: to provide the best possible security technology and customer service to protect homes and businesses across Massachusetts.

Appendix A: Understanding Physical Access Control Solutions

SOLUTION STRENGTHS WEAKNESSES COMMENTS

KEYS

Strengths:
• Most traditional form of access control
• Easy to use
• Don’t require power for operation

Weaknesses:
• Impossible to track if they are lost or stolen, which leaves facility vulnerable
• Potential for unauthorized sharing of keys
• Difficult to audit their use during incident investigations
• Difficult to manage on large campuses with multiple doors
• Re-coring doors when a key is lost or stolen is expensive

Comments:
• Several solutions are currently available on the market to manage keys and keep key holders accountable.

LOCKS (Maglock, Electric Strike)

Strengths:
• Easy installation
• Economical
• Easy retrofit
• Quiet operation
• Can be either fail-secure or fail-safe
• Does not need constant power
• Door knob overrides for safe exit

Weaknesses:
• Power always on (fail-safe)
• Typically requires exit device to break circuit
• Requires backup power supply for 24-hour service
• Door/lock hardware experience needed

Comments:
• DC only
• Comes in different “pull” strengths
• Check extra features, such as built in door sensor
• Requires more door hardware experience than Maglock
• Specify for life-safety requirements
• Can be both AC and DC (DC lasts longer)
• Fail-safe must have power backup
• Fail-secure most popular

ACCESS CARDS (Magnetic Stripe, Proximity, Smart Card)

Strengths:
• Access rights can be denied without the expense of re-coring a door and issuing a new key
• Can limit access to a building to certain times of the day
• Systems can provide audit trails for incident investigations
• Inexpensive to issue or replace
• Durable
• Convenient
• More difficult to compromise than magstripe cards
• Less wear and tear issues
• Multiple application functionality (access, cashless vending, library cards, events)
• Enhanced security through encryption and mutual authentication
• Less wear and tear issues

Weaknesses:
• Prone to piggybacking / tailgating (when more than one individual enters a secure area using one access card or an unauthorized person follows an authorized person into a secure area)
• Users can share cards with unauthorized persons
• Cards can be stolen and used by unauthorized individuals
• Systems are more expensive to install than traditional locks
• Require power to operate
• Not as secure as proximity cards or smart cards
• Can be duplicated with relative ease
• Subject to wear and tear
• Cost more than magstripe cards
• Easier to compromise than smart cards
• Currently the most expensive card access option on the market

Comments:
• Can incorporate a photo ID component
• Can be used for both physical and logical access control
• Card readers should have battery backup in the event of power failure
• Tailgate detection products, video surveillance, analytics and security officers can address tailgating issues
• Can integrate with video surveillance, intercoms and intrusion detection systems for enhanced security
• These are the most commonly used access control cards by US campuses and facilities
• Are widely used for access control (although not as widely as magstripe)
• Not as widely adopted as magstripe or proximity cards due to cost
• Widely adopted in Europe
• Can incorporate biometric and additional data such as Photo and ATM

PIN NUMBERS (Pass codes)

Strengths:
• Easy to issue and change
• Inexpensive

Weaknesses:
• Can be forgotten
• Difficult to manage when there are many passwords for different systems
• Can be given to unauthorized users
• Prone to tailgating / piggybacking

Comments:
• Should be changed frequently to ensure security
• Often used in conjunction with other access control solutions, such as cards or biometrics

DOOR ALARMS

Strengths:
• Provide door intrusion, door forced and propped door detection
• Reduce false alarms caused by unintentional door propping
• Encourage staff and students to maintain access control procedure

Weaknesses:
• Will not reach hearing impaired without modifications
• Will not detect tailgaters
• Door bounce can cause false alarms

Comments:
• Appropriate for any monitored door application, such as emergency exits
• Used in conjunction with other access control solutions, such as card readers or keys
• Can be integrated with video surveillance for enhanced security

TAILGATE/PIGGYBACK DETECTORS

Strengths:
• Monitor the entry point into secure areas
• Detect tailgate violations (allow only one person to enter)
• Detect when a door is propped
• Mount on the door frame
• Easy to install

Weaknesses:
• Not intended for large utility cart and equipment passage (which could cause the system to go into false alarm)
• Not for outdoor use

Comments:
• Appropriate for any monitored door application where a higher degree of security is needed, such as data centers, research laboratories, etc.
• Used in conjunction with other access control solutions, such as card readers
• Can be integrated with video surveillance for enhanced security

PUSHBUTTON CONTROLS

Strengths:
• Many button options available
• Normally-open/normally-closed momentary contacts provide fail-safe manual override
• Time delay may be field adjusted for 1-60 seconds

Weaknesses:
• Anyone can press the release button (unless using a keyed button), so button must be positioned in a secure location (for access control, not for life-safety)
• Some can be defeated easily
• Can open door to stranger when approaching from inside

Comments:
• Used to release door and shunt alarm
• Used for emergency exits when configured to fail-safe
• May be used in conjunction with request to exit (REX) for door alarms and life safety
• Still may require mechanical device exit button to meet life-safety code
• With REX, careful positioning and selection required

MULTI-ZONE ANNUNCIATORS

Strengths:
• Display the status of doors and/or windows throughout a monitored facility
• Alert security when a door intrusion occurs
• Many options available: zone shunt, zone relay and zone supervision

Weaknesses:
• 12 VDC only special order 24 VDC option
• Door bounce can cause false alarms
• Requires battery backup in case of power failure

Comments:
• Designed to monitor multiple doors from a single location
• May be used in conjunction with door alarms, tailgate detection systems and optical turnstiles
• No annunciation at the door; only at the monitoring station

FULL HEIGHT TURNSTILES

Strengths:
• Provides a physical barrier at the entry location
• Easy assembly
• Easy maintenance
• Available in aluminum and galvanized steel

Weaknesses:
• Physical design ensures to a reasonable degree that only one authorized person will enter, but it will not detect tailgaters

Comments:
• Designed for indoor/outdoor applications
• Used in parking lots, football fields and along fence lines
• Use with a conventional access control device like a card reader

OPTICAL TURNSTILES

Strengths:
• Appropriate for areas with a lot of pedestrian traffic
• Detects tailgating
• Aesthetically pleasing and can be integrated into architectural designs
• Doesn’t require separate emergency exit
• Provides good visual and audible cues to users

Weaknesses:
• Can be climbed over
• Not for outdoor use

Comments:
• Used in building lobby and elevator corridor applications
• Use with a conventional access control device like a card reader
• To ensure compliance, deploy security officers and video surveillance

BARRIER ARM TURNSTILES (Glass gate or metal arms)

Strengths:
• Appropriate for areas with a lot of pedestrian traffic
• Provides a visual and psychological barrier while communicating to pedestrians that authorization is required to gain access
• Detects tailgating
• Reliable

Weaknesses:
• Units with metal-type arms can be climbed over or under
• Not for outdoor use
• Most expensive of the turnstile options
• Requires battery backup in case of power failure

Comments:
• Used in building lobby and elevator corridor applications
• Use with a conventional access control device like a card reader
• To ensure compliance, deploy security officers and video surveillance
• Battery backup is recommended

BIOMETRICS

Strengths:
• Difficult to replicate identity because they rely on unique physical attributes of a person (fingerprint, hand, face or retina)
• Users can’t forget, lose or have stolen their biometric codes
• Reduces need for password and card management

Weaknesses:
• Generally much more expensive than locks or card access solutions
• If biometric data is compromised, the issue is very difficult to address

Comments:
• Except for hand geometry, facial and finger solutions, biometric technology is often appropriate for high-risk areas requiring enhanced security

INTERCOMS

Strengths:
• Allow personnel to communicate with and identify visitors before allowing them to enter a facility
• Can be used for emergency and non-emergency communications
• IP solutions today offer powerful communications and backup systems with integration

Weaknesses:
• Will not reach hearing impaired without modifications
• Not appropriate for entrances requiring throughput of many people in a small amount of time

Comments:
• Appropriate for visitor management, after-hours visits, loading docks, stairwells, etc.
• Use with conventional access control solutions, such as keys or access cards
• Video surveillance solutions can provide visual verification of a visitor


Contact Information

James E. McDonald

Integrated Systems Consultant

Government Contracts Team-Massachusetts State Contract FAC64 Vendor

American Alarm and Communications, Inc.

Central Massachusetts Regional Office

489 Washington Street

Auburn, Massachusetts 01501

Direct Phone: (508) 453-2731

Direct Fax: (781) 645-7537

Email: [email protected]

American Alarm Website: www.AmericanAlarm.com

JEM_Blog: www.SecurityTalkingPoints.com

JEM_ Twitter: www.Twitter.com/physectech

Bio: http://www.linkedin.com/in/physicalsecuritytechnologist