
Design and implement facility security


This course is the final module of Domain 3 of the CISSP, covering security architecture and engineering.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • Cyber-physical systems (CPS)
  • Industrial control systems (ICS)
  • How to apply security principles to site and facility design through security surveys, planning, and vulnerability assessments
  • How to design and implement facility security, focusing on data center design and considerations

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous but not essential. All topics discussed are thoroughly explained and presented in a way that allows the information to be absorbed by everyone, regardless of experience within the security field.

If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.
We're going to go on to section 13, where we talk about the design and implementation of facility security. We will look at wiring closets and server rooms, the various forms of restricted work areas and the security for them, data center security, utilities and air conditioning considerations, water issues, and then fire prevention, detection and suppression.

Securing the area begins with our communications rooms or closets, because these are critical connection points and hold critical assets, and so we need to maintain a commensurately high level of security over them. Without question, access into each of these areas must be controlled, preferably by a key, a cipher lock, or a centrally controlled electronic locking mechanism, and only authorized personnel should ever be allowed to work in them. There must be an access control list that clearly identifies who these people are and provides their mechanism for getting in, so that an audit trail exists. That brings us to cable plant management: throughout the facility there will be a variety of cables and other forms of conduit carrying power and communications to the various areas.

The design, documentation and management of these typically boils down to the lowest layer of our OSI network model, the physical layer. Approximately 70% of our network is composed of passive devices such as cables, cross-connect blocks, patch panels and other forms of connecting mechanisms. Because they do not move, security must be provided over the places where they are installed or through which they pass. The key components of the cable plant are the entrance facility, where the main demarcation room is and where everything begins; the equipment rooms; the backbone distribution system; the telecommunications room, where the phone systems enter the building; and the horizontal distribution systems.

One form of restricted work area that requires a special kind of security is the SCIF, the secure communications and information facility. This room is designed to be suitable for classified discussion, briefing and viewing. It has a special standard to which it must be constructed, and in effect it must be rendered a black hole or dead zone: it must be impossible for anything to enter the room as radio frequency interference or to leave it as radio frequency communications. It must also be assured against visual, acoustical, technical and physical access by unauthorized sources or persons.

Our server rooms of course need a higher level of security than our normal work areas. They should be access controlled and protected, preferably with no windows and with only one controlled point of entry, assuming that complies with the local fire code. Physical access by unauthorized persons can oftentimes overcome whatever electronic security we have put in place, and once the servers are compromised the entire network is at risk. This applies even more to the data center, because it is the heart and soul of our computing capability within the facility. One control here is a portal, an internal mantrap with an external and an internal doorway that people must pass through to actually get into the data center itself, and it supports the enforcement of a two-person rule. The person seeking entrance may have credentials, a badge or some such thing, that get them through the first door, but to get through the second door they may have to, and should, go through a separate and different form of authentication; this is where the second person comes in.
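As an added example, not part of the course material, the following Python sketch models the portal described above: a badge opens the outer door, a different factor (here a PIN) plus an access control list governs the inner door, the two doors are interlocked so both are never open at once, and every decision is written to an audit trail. The badge store, PIN factor and door names are constructed assumptions, not any real access-control product.

```python
"""Two-door portal (mantrap) controller with an interlock and an audit trail.

Constructed example: the badge store, the PIN used as the second factor and the
door names are assumptions for illustration, not a real access-control system.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed credential store: badge id -> person and the PIN used at the inner door.
# The inner door deliberately uses a different factor from the outer door.
BADGES: Dict[str, Dict[str, str]] = {
    "B-1001": {"name": "alice", "pin": "4821"},
    "B-1002": {"name": "bob", "pin": "9034"},
}
# Access control list: only these people may pass the inner door into the data hall.
DATA_HALL_ACL = {"alice"}


@dataclass
class Portal:
    outer_open: bool = False
    inner_open: bool = False
    occupant: Optional[str] = None          # badge currently inside the vestibule
    audit: List[str] = field(default_factory=list)

    def _log(self, event: str) -> None:
        self.audit.append(event)

    def present_badge_outer(self, badge_id: str) -> bool:
        """Outer door: badge only. Refused while the inner door is open (interlock)."""
        if self.inner_open:
            self._log(f"DENY outer badge={badge_id} reason=interlock")
            return False
        if self.occupant is not None:
            self._log(f"DENY outer badge={badge_id} reason=vestibule_occupied")
            return False
        if badge_id not in BADGES:
            self._log(f"DENY outer badge={badge_id} reason=unknown_badge")
            return False
        self.outer_open = True
        self.occupant = badge_id
        self._log(f"GRANT outer badge={badge_id}")
        return True

    def close_outer(self) -> None:
        self.outer_open = False
        self._log("outer door closed")

    def enter_pin_inner(self, badge_id: str, pin: str) -> bool:
        """Inner door: a different factor (PIN), the ACL, and the interlock."""
        if self.outer_open:
            self._log(f"DENY inner badge={badge_id} reason=interlock")
            return False
        if self.occupant != badge_id:
            self._log(f"DENY inner badge={badge_id} reason=not_in_vestibule")
            return False
        record = BADGES[badge_id]          # occupant check guarantees the badge exists
        if record["pin"] != pin:
            self._log(f"DENY inner badge={badge_id} reason=bad_pin")
            return False
        if record["name"] not in DATA_HALL_ACL:
            self._log(f"DENY inner badge={badge_id} reason=not_on_acl")
            return False
        self.inner_open = True
        self._log(f"GRANT inner badge={badge_id} person={record['name']}")
        return True

    def close_inner(self) -> None:
        self.inner_open = False
        self.occupant = None
        self._log("inner door closed, vestibule empty")


def walk_through(badge_id: str, pin: str) -> List[str]:
    """Run one complete passage through the portal and return the audit trail."""
    portal = Portal()
    if portal.present_badge_outer(badge_id):
        portal.close_outer()
        if portal.enter_pin_inner(badge_id, pin):
            portal.close_inner()
    return portal.audit
```

The interlock is what makes this a mantrap rather than two independent doors: a badge that gets someone into the vestibule does not open the inner door while the outer one is still open, and the inner door only answers to a second, different factor for the person the ACL names.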

Our utilities and power are critical to the operation of a data center and indeed of the facility itself. A data center building, take for example a Verizon or Amazon Web Services data center, should have battery and generator sources of power in case power from the grid is lost. The batteries should be in-line, so that if grid power is lost they take over immediately with no interruption. This should be part of an overall uninterruptible power supply (UPS) system: battery backup maintains a continuous supply of electrical power and covers the gap when power from the grid ends, and within a period of time the local generator kicks in and supplies continuous power before the batteries are exhausted.

Now, once the UPS has been activated and the batteries are covering the gap between the loss of grid power and the startup of the generator, the generator should be started automatically on the utility loss. A diesel generator takes some time to spin up to the capacity for which it was sized, anywhere from many seconds to a few minutes, so the time it takes to reach full load capability needs to be clearly understood, and the battery duration needs to be sized to cover that gap plus a safety margin on top of it. When the generator kicks on and is ready to assume the load, the batteries can be taken out and allowed to recharge over time, and the generator continues to supply power until it is refueled or power from the grid is restored.
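To make the sizing argument concrete, here is an added Python model (not part of the course) of the grid-to-battery-to-generator handoff just described. It computes battery runtime from energy and load, compares it with the generator's start delay plus spin-up time, applies a safety margin, and steps through an outage second by second to show whether a gap ever occurs. The load, battery capacity and generator timings are constructed assumptions, not figures from any real facility.

```python
"""Grid-to-battery-to-generator handoff model for a data center UPS.

Constructed example: the load, battery capacity and generator timings used
with this model are illustrative assumptions, not figures from a real site.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PowerPlan:
    load_kw: float              # critical load the UPS must carry
    battery_kwh: float          # usable battery energy
    generator_start_s: int      # delay before the generator begins to spin up
    generator_spinup_s: int     # time to reach rated capacity under load
    safety_margin_s: int        # extra runtime required beyond the gap

    def battery_runtime_s(self) -> float:
        """Seconds the battery can carry the load (energy divided by power)."""
        return self.battery_kwh * 3600.0 / self.load_kw

    def generator_ready_s(self) -> int:
        """Seconds after grid loss until the generator can assume the load."""
        return self.generator_start_s + self.generator_spinup_s

    def margin_s(self) -> float:
        """Battery runtime left when the generator is ready; negative means a gap."""
        return self.battery_runtime_s() - self.generator_ready_s()

    def is_adequate(self) -> bool:
        """The batteries cover the spin-up gap plus the required safety margin."""
        return self.margin_s() >= self.safety_margin_s


def simulate_outage(plan: PowerPlan, duration_s: int) -> List[Tuple[int, str]]:
    """Step through an outage and record which source carries the load.

    Returns (second, source) pairs at each transition. 'gap' means nothing
    could carry the load, which is the condition battery sizing must prevent.
    """
    remaining_wh = plan.battery_kwh * 1000.0
    drain_wh_per_s = plan.load_kw * 1000.0 / 3600.0
    transitions: List[Tuple[int, str]] = []
    current: Optional[str] = None
    for t in range(duration_s):
        if t >= plan.generator_ready_s():
            source = "generator"            # batteries taken out to recharge
        elif remaining_wh > 0:
            source = "battery"
            remaining_wh -= drain_wh_per_s
        else:
            source = "gap"
        if source != current:
            transitions.append((t, source))
            current = source
    return transitions


# Constructed plans: one sized with margin, one whose batteries run out early.
ADEQUATE = PowerPlan(load_kw=180.0, battery_kwh=10.0, generator_start_s=10,
                     generator_spinup_s=50, safety_margin_s=60)
UNDERSIZED = PowerPlan(load_kw=180.0, battery_kwh=2.0, generator_start_s=10,
                       generator_spinup_s=50, safety_margin_s=60)
```

The undersized plan shows the failure mode the lecture warns about: the batteries are exhausted at 40 seconds, the generator is not ready until 60, and the load is unpowered in between.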

Now, heating, ventilation and air conditioning (HVAC) is a critical aspect of managing the temperature and relative humidity inside the data center. Latent cooling is the ability of the air conditioning system to remove moisture; sensible cooling is its ability to remove heat that can be measured by a thermometer. Managing humidity and temperature is only part of the equation; another part is air exchange, ensuring that air is moved through the facility as part of controlling humidity and temperature. Here you have the current scale of temperature and humidity settings that the air exchange system should be set for in your data center.

We have a low-end temperature of approximately 64.4 degrees Fahrenheit and a high-end temperature of 80.6 degrees Fahrenheit, and humidity should be kept between 40 and 60% relative humidity. Now, data centers are oftentimes the subject of experimentation in their design features. Some, called run-hot designs, may run as hot as 105 degrees Fahrenheit inside the data halls where servers, storage and network equipment are kept. The equipment is of course engineered by its vendors to withstand these higher temperatures, and organizations such as Amazon and Facebook that build data centers on this principle save millions of dollars per month in cooling costs. But, as I mentioned, air exchange becomes even more critical in these settings, because the movement of air through the facility is what keeps temperature and humidity well controlled even at these higher levels.
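As an added example (not from the course), the Python below turns the set points just quoted into a monitoring check: each reading is compared with the 64.4 to 80.6 °F and 40 to 60% RH envelope, a run-hot envelope with the 105 °F ceiling is provided as an alternative policy, and an alarm is raised only when a violation persists across several consecutive samples so a single noisy reading does not page anyone. The sensor readings and the persistence rule are constructed assumptions.

```python
"""Data-hall environmental check against the set points given in the lecture.

Constructed example: the readings and the alarm persistence rule are
assumptions for illustration. The set points are the lecture's: 64.4-80.6 F
and 40-60% relative humidity, with a 105 F ceiling for a run-hot design.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Envelope:
    temp_low_f: float
    temp_high_f: float
    rh_low: float
    rh_high: float


CONVENTIONAL = Envelope(64.4, 80.6, 40.0, 60.0)
RUN_HOT = Envelope(64.4, 105.0, 40.0, 60.0)   # assumes the same humidity band applies


def check_reading(env: Envelope, temp_f: float, rh: float) -> List[str]:
    """Return the limits one reading violates (empty list means in range)."""
    problems: List[str] = []
    if temp_f < env.temp_low_f:
        problems.append("temp_low")
    if temp_f > env.temp_high_f:
        problems.append("temp_high")
    if rh < env.rh_low:
        problems.append("rh_low")      # dry air: electrostatic discharge risk
    if rh > env.rh_high:
        problems.append("rh_high")     # moist air: condensation and corrosion risk
    return problems


def evaluate_series(env: Envelope, readings: List[Tuple[float, float]],
                    persist: int = 3) -> List[Tuple[int, str]]:
    """Alarm when a violation persists for `persist` consecutive samples.

    Returns (sample_index, violation) at the moment each alarm is raised; a
    violation that clears resets its streak, so a one-sample spike never alarms.
    """
    streak: Dict[str, int] = {}
    alarms: List[Tuple[int, str]] = []
    for i, (temp_f, rh) in enumerate(readings):
        active = set(check_reading(env, temp_f, rh))
        for violation in list(streak):
            if violation not in active:
                del streak[violation]
        for violation in active:
            streak[violation] = streak.get(violation, 0) + 1
            if streak[violation] == persist:
                alarms.append((i, violation))
    return alarms


# Constructed readings as (temperature F, relative humidity %), sampled periodically.
READINGS: List[Tuple[float, float]] = [
    (72.0, 45.0), (73.1, 46.0), (81.2, 47.0), (74.0, 47.0),   # single temperature spike
    (79.0, 61.0), (79.5, 62.0), (80.0, 63.5), (80.2, 64.0),   # sustained high humidity
    (78.0, 55.0), (77.0, 52.0),
]
```

Run against the conventional envelope, the spike at sample 2 is ignored and the humidity excursion alarms at sample 6, the third consecutive out-of-range reading; the same spike is within range for the run-hot envelope.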

Now, air contamination, like humidity or temperature that is too high or too low, is a threat as well. The air must be filtered against dust and against potentially malicious acts, so the intakes should be covered by screens that protect against any foreign object being inserted into them or any material being thrown in to cause damage to the facility or to the people who work there. Water, of course, is our friend when it comes to drinks and hygiene, but it is not our friend when it mixes with data equipment or electricity.

In any building that is going to contain a function like a data center, we have to consider water very carefully: the water pipes built into the facility might burst, basements might flood, and roofs might leak, so we need to design in structural and other control measures that keep water from becoming a threat by mixing with electricity. Fire is also a threat, and so various forms of fire detection and suppression must be built in.

Now, again, depending on the kind of facility we have and the features of the rooms, places and spaces within it, the local fire code will oftentimes regulate what mechanisms need to be in place. A smoke detector will of course be necessary, and it needs to detect the change in conditions and then sound an alarm of some kind, so that the occupants not just of that room but of the surrounding ones and other places in the building under the same threat can escape to safety.

Whatever types of fire detectors are present, people will need training on how they operate and what to do when they sound off. We have sensors that detect infrared, temperature or smoke, or a combination, and that reveal the conditions leading up to a fire as well as the actual fire initiation. Smoke detectors are either photoelectric or physical-process devices, the difference being that one is optical and the other uses ionization. Flame detectors include infrared or ultraviolet spectrum detectors. Heat detection is many times found in a single mechanism that combines an absolute temperature with its alarming threshold and a rate of rise with its own alarming threshold.

Our water-based fire suppression systems are typically specified as required by the local fire code, and there are two basic families. One is the wet pipe system, which has a constant supply of water all the way up to the sprinkler head in a particular room or space. The other is the dry pipe system, which does not have water in the pipes up to the sprinkler head. There are two subtypes. In a pre-action system, water is held back until detectors in the area are activated; water is then sent into the sprinkler piping, and only when a second threshold is breached does the sprinkler head open and release water into the facility. The interval between the two gives time to shut the system off and prevent a false-alarm release.
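The two passages above, the combined heat detector and the pre-action sprinkler, fit together naturally, so here is one added Python example (not part of the course) covering both: a detector that alarms on either an absolute temperature or a rate of rise over a sampled trace, feeding a pre-action state machine that charges the dry piping on the detector alarm and discharges only when the head itself reaches its opening temperature, with a shut-off window in between. The thresholds, sampling interval and temperature traces are constructed assumptions; real settings come from the detector listing and the local fire code.

```python
"""Combined heat detector (absolute plus rate-of-rise) driving a pre-action
sprinkler state machine.

Constructed example: thresholds, sample interval and temperature traces are
assumptions chosen for illustration, not values from any standard.
"""
from typing import List, Tuple

ABSOLUTE_F = 135.0               # fixed-temperature alarm point (assumed)
RATE_OF_RISE_F_PER_MIN = 15.0    # rate-of-rise alarm point (assumed)
SAMPLE_SECONDS = 30              # constructed sampling interval of the trace
HEAD_FUSIBLE_F = 155.0           # temperature at which the head's link opens (assumed)


def heat_detector_alarm(samples: List[float]) -> Tuple[bool, str]:
    """Evaluate both thresholds over a temperature trace; return (alarm, reason)."""
    for i, temp in enumerate(samples):
        if temp >= ABSOLUTE_F:
            return True, f"absolute {temp:.1f}F at sample {i}"
        if i > 0:
            rise_per_min = (temp - samples[i - 1]) * 60.0 / SAMPLE_SECONDS
            if rise_per_min >= RATE_OF_RISE_F_PER_MIN:
                return True, f"rate-of-rise {rise_per_min:.1f}F/min at sample {i}"
    return False, "no alarm"


class PreActionSystem:
    """Dry piping until detectors alarm; water is released only when a head opens."""

    def __init__(self) -> None:
        self.state = "dry"            # dry -> charged -> discharging, or charged -> dry
        self.log: List[str] = []

    def detector_alarm(self) -> None:
        """First threshold: the pre-action valve opens and the piping fills."""
        if self.state == "dry":
            self.state = "charged"
            self.log.append("detector alarm: pre-action valve opened, piping charged")

    def head_temperature(self, temp_f: float) -> None:
        """Second threshold: the sprinkler head's fusible link opens."""
        if self.state == "charged" and temp_f >= HEAD_FUSIBLE_F:
            self.state = "discharging"
            self.log.append(f"sprinkler head opened at {temp_f:.1f}F: water discharging")

    def shut_off(self) -> bool:
        """Window between the two thresholds in which a false alarm can be stopped."""
        if self.state == "charged":
            self.state = "dry"
            self.log.append("operator shutoff before head opened: no release")
            return True
        return False


def run_scenario(room_trace: List[float], head_trace: List[float],
                 operator_shutoff: bool = False) -> str:
    """Drive the system with a room temperature trace and a head temperature trace."""
    system = PreActionSystem()
    alarm, _reason = heat_detector_alarm(room_trace)
    if alarm:
        system.detector_alarm()
        if operator_shutoff:
            system.shut_off()
        else:
            for temp in head_trace:
                system.head_temperature(temp)
    return system.state


# Constructed traces in degrees F, one sample every SAMPLE_SECONDS.
SLOW_RISE = [70.0, 71.0, 72.0, 73.0, 74.0]          # HVAC drift, never alarms
FAST_RISE = [70.0, 72.0, 85.0, 110.0, 140.0]        # fire growth, rate-of-rise trips first
HEAD_TRACE = [90.0, 120.0, 160.0]                   # head reaches its opening temperature
```

The slow trace leaves the piping dry; the fast trace charges the piping at the rate-of-rise alarm and discharges when the head reaches 160 °F, unless an operator shuts the system off during the charged interval.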

The other subtype is the deluge system, where the sprinkler heads are open all the time but the water is still held back; when the alarm sets off and releases the water, it flows to the sprinkler heads and directly into the area, with no second valve to prevent it flooding the space. And then, of course, we have fire suppression systems based on some form of gaseous suppressing agent. The typical function of these gas suppression systems is to starve the fire of oxygen.

Here you see a list of commonly used agents: Aero-K, based on gaseous potassium compounds; FM-200; argon, an inert gas; Argonite, a productization of argon; carbon dioxide, of course; Inergen; and FE-13. You also see in the graphic Halon with a stop sign through it, because Halon has been banned. Manufacture of Halon 1211 and 1301 was restricted by the Montreal Protocol of 1987, a date that may be asked of you on the exam, and was discontinued entirely in 1994. Halon, as you may know, is a very aggressive chlorofluorinated hydrocarbon and as such is destructive to the ozone layer. It was, and is, very effective in suppressing fires by starving them of oxygen, but because of this other effect it has subsequently been banned.

So we come to our summary of the security engineering domain, domain three. Through the course of this domain's discussion we've talked about system design, network design, facility design, and various other combined engineering practices. What you want to be sure of is that you are clear on the concepts in each of these areas and have a general familiarity with the overall systems engineering and design process. That concludes our discussion of domain three, security engineering. Be sure to join us next time as we continue our discussion in domain four. Thank you.

About the Author
Ross Leo

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.

Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.