Turing's Man Blog
- Last Updated on Tuesday, 12 November 2013 23:43
- Published on Tuesday, 12 November 2013 22:04
- Written by Pawel Wawrzyniak
Physical, operational and environmental security subjects are still ongoing and present on my roadmap. Fortunately, I have strong support from the security experts with whom I cooperate on a daily basis. However, to feel more comfortable during discussions, I seek out every possible occasion and all materials available online to organize my knowledge and understand the whole security domain in more detail. All in all, this is an important part of data center operations – on the one hand, we know we should rely on professional expertise, which can be provided externally, but on the other hand, we certainly shouldn't skip the subject and we have to gain at least some fundamental skills. Thus, I would like to share a great video on physical, operational and environmental security – prepared by "Eli the Computer Guy" and available via YouTube. Here it is…
The video – titled: "Physical, Operational and Environmental Security" – presents all three areas of IT security. Moreover, it focuses on the server rooms (including all kinds of MDFs or building IDFs, too) and office spaces, so these are the areas that interest us the most. At a very general level we can say that:
- Physical security – is all about physical (including technical) security countermeasures against possible threats such as burglary, theft or sabotage, which not only mean a financial loss, but can also be a serious threat to the continuity of IT (hence – business) operations or the main (and the most effective) source of information leakage.
- Operational security – can be simplified to the main thesis: "who is allowed to have access to what resources in which conditions". This relates not only to the access control procedures for server rooms (and other areas), but is important in a much wider scope: when we talk about access rules for our IT systems and applications (account and privilege management).
- Environmental security – is related to the conditions in which we operate our IT equipment (power quality and availability, suitable temperature and humidity, etc.), as well as to operational safety (which means the conditions in which our personnel perform their duties: having enough space, no messy cabling, proper lighting, etc.). Also, something forgotten in many places: a clean server room is a guarantee of safety (no tools lying on the raised floor here and there, so we can walk safely between our IT equipment) and security (we don't have to worry about dust, which can harm our IT equipment, especially if our gas suppression system is triggered).
I don't want to transcribe the whole lecture prepared by "Eli the Computer Guy" – I recommend reserving about 40 minutes (just like one short class at school) and listening carefully (with a cup of tea or coffee). One can say that this material is elementary or that there are some inconsistencies – like those between the acceptable ranges of temperature in the server room and, for example, the most current ASHRAE recommendations, but… Come on, too many details can complicate things and we want to have the general guidelines, yes? So? Well, it is a very basic lecture and yes, there are some inconsistencies which we could debate for hours, but this is not the main point of this video. I believe that a solid understanding of the basic concepts is the most important thing in the field of security and we don't need too many details everywhere – it is obvious that we should always refer to our own situation and real requirements, and check related standards or recommendations to be compliant (first of all – we should always start with an in-depth, quality risk analysis, then we can implement our own security system).
Physical, operational and environmental security lecture by "Eli the Computer Guy" - as presented on his YouTube channel
In my opinion, this lecture is very well composed, presents essential knowledge and – honestly – even if we feel we know the basics (or even more) it is still valuable and inspirational. The only drawback I can see is the total lack of any pictures – it would be even better to have some photos of real-life examples and, for some of us, it could be easier to remember the most significant ideas that way. Although, in my case, it wasn't a very important issue. Personally, I like this lecture the way it is (serious, but not too academic).
Finally, as we have mentioned here several times – and as we can hear in Eli's video – it is not hackers, crackers, thieves, computer malware or viruses that are the most important threats to our business (security) and the sources of the real risks. It is the people who are already in the building – including our own (let's say: "trusted") staff and…
... The simple and obvious, but commonly forgotten things like: dust in uncleaned server rooms, messy cabling, excessive temperature or low power quality.
So? Thanks a lot, Eli.