Electronics Protection - Spring 2015 - (Page 16)
Feature
Bridging the Technology Gap: The Importance of Cyber and Physical Security within the Data Center
Aldon Blackwood, Product Manager
E-LINE by DIRAK
In recent months, cyber-attacks have been on the rise, showing no signs of slowing down. These attacks have spanned continents and industries, targeting companies of all shapes, sizes
and levels of prominence, highlighting the risk that all businesses
that maintain customer data are currently facing. The breaches at
Target, Home Depot and Sony did not just result in significant data
loss, but also created irreparable damage to their brands, shaking
customers' confidence in the ability of these businesses to secure
their most sensitive information.
In the Target attack alone, 40 million customers had their credit
and debit card numbers stolen, resulting in a 46 percent drop in
profits for the company in the subsequent quarter compared
with the previous year. Additionally, the credit card companies
and banks of the Target customers spent $200 million reissuing stolen
cards, while Target spent $100 million upgrading its payment
system to support chip-and-PIN enabled cards. To avoid future
breaches, companies are focusing even more of their resources
on protecting their assets by ensuring they have a comprehensive
cybersecurity posture.
While there is no doubt that cybersecurity is an essential aspect
of any organization's security, the tunnel vision created by recent
events can have a dangerous side effect: ignoring physical security.
The two sides of the security spectrum cannot be viewed as mutually exclusive, but rather as a partnership in which both work in
tandem to protect the critical assets of organizations. While cybersecurity and credit card technology have advanced and adapted
to the modern threat, the physical security realm still lags far
behind. The Wiegand Protocol, developed in the 1980s, is still the
standard communication language used to transmit and process
data between the access card, keypad or biometric reader and
the backend controller. The communication between devices on
this technology is unencrypted and can be easily tampered with
and falsified. These systems have no way of knowing if a reader
has been disconnected or goes offline and will not send any alerts
to the system administrator letting them know it has been corrupted or stolen. An intruder could hack into the system and trick
it into granting access to unauthorized users and lock out those
with authorization, while simultaneously collecting authorization
data for any individual that had access to the building. Using this
authorization data, the intruder could now gain access to other
secured areas.
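The weakness described above, as an added example that is not part of the original article or any vendor's code: a controller can check only the length and two parity bits of a standard 26-bit Wiegand frame, so a repeated frame is indistinguishable from a fresh card read. The HMAC-plus-counter message is a hypothetical contrast that shows integrity and replay protection only (it does not encrypt), and the key, class and function names are assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: secret shared by reader and controller


def wiegand26_encode(facility: int, card: int) -> str:
    """Standard 26-bit frame: even parity, 8-bit facility, 16-bit card, odd parity."""
    data = f"{facility:08b}{card:016b}"
    lead = data[:12].count("1") % 2            # makes the first 13 bits even
    trail = (data[12:].count("1") + 1) % 2     # makes the last 13 bits odd
    return f"{lead}{data}{trail}"


def wiegand26_decode(frame: str):
    """Everything a Wiegand controller can verify: length and two parity bits."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        return None
    if frame[:13].count("1") % 2 != 0 or frame[13:].count("1") % 2 != 1:
        return None
    return int(frame[1:9], 2), int(frame[9:25], 2)


def reader_message(key: bytes, counter: int, facility: int, card: int) -> bytes:
    """Hypothetical hardened reader message: counter + credential + HMAC-SHA256 tag."""
    body = struct.pack(">IBH", counter, facility, card)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthenticatedController:
    """Hypothetical controller that rejects forged, altered, or replayed messages."""

    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def accept(self, message: bytes):
        body, tag = message[:-32], message[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if len(body) != 7 or not hmac.compare_digest(tag, expected):
            return None
        counter, facility, card = struct.unpack(">IBH", body)
        if counter <= self.last_counter:       # stale counter means a replay
            return None
        self.last_counter = counter
        return facility, card


def demo():
    frame = wiegand26_encode(42, 12345)        # constructed sample credential
    ctl, msg = AuthenticatedController(KEY), reader_message(KEY, 1, 42, 12345)
    return wiegand26_decode(frame), wiegand26_decode(frame), ctl.accept(msg), ctl.accept(msg)
```

`demo()` returns the two Wiegand decodes followed by the two authenticated accepts: the Wiegand frame is honoured both times, while the second authenticated message is refused.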
Once inside the data center, the server racks that house critical
data are still being secured with a mechanical handle that normally utilizes standard keys. Even when using unique locks, keys can
be lost, stolen or duplicated. This exposes companies to the most
common data breach threat: an insider job. By utilizing untraceable mechanical keys, companies remove all possibility
for auditability. This makes it easier for employees, contractors or
visitors to gain access to the data center floor and racks. Given
these vulnerabilities, it is critical for physical security to play catch-up
before criminals begin to adapt and target the primitive
physical IT security measures.
A more modern solution to outdated physical security has been
biometrics, but its widespread adoption as a way to protect
data centers is misguided. Biometrics by itself is an insufficient
solution for protecting critical assets; each individual has a limited
number of authentication credentials, e.g. 10 fingerprints, which
cannot change. While they may possess unique properties, they
are always publicly visible and
exposed to potential risks. For example, the Chaos Computer Club
(CCC), Europe's largest hacker association, exhibited their ability to
reconstruct an exact fingerprint of
Ursula von der Leyen, the German
Defense Minister. CCC was able to
do this using a consumer-grade
camera and VeriFinger, software
available to the general public. This
demonstration proves that there
are still large vulnerabilities in
biometric technology. Additionally,
it is standard practice for fingerprint
data to be collected during border crossings, criminal and
civil cases and for government employees, creating databases of
potential users and their authentication credentials.
If biometrics are not adequate, what technical requirements for
building and rack level access control should be implemented?
Mechatronic locks should transmit only encrypted communication
to the controller, while implementing dual-factor authentication at
the reader. This type of solution at the IT cabinet's door will keep out unauthorized persons, while software should provide a complete audit trail with the specific identity of each individual who
successfully gained access, showing the time they entered and
how long they stayed inside. A product that is already bringing this
level of security to the industry is E-LINE by DIRAK's MLR series.
The MLR series of locks are IP-addressed server rack handles
capable of one to four factors of authentication. The handles provide a tamper-proof solution that increases security and mitigates
risk by delivering real-time monitoring, auditability and AES-256
encrypted communication. By continuing to operate and require authentication in both network-down and power-down situations, they eliminate the need for mechanical keys and create a gapless audit trail.
This type of solution will give the system administrator the ability
to monitor, control and report all activity occurring at each rack
any time of the day, while keeping all unauthorized personnel out.
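One way to derive the audit trail called for above (who opened which rack, when they entered, how long they stayed), as an added example that is not from the article or from any vendor's software. The event names, the 10-second attribution window and the sample events are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events: (ISO time, rack, event, badge holder or None).
EVENTS = [
    ("2015-03-02T09:00:05", "R12", "auth_ok", "a.ortiz"),
    ("2015-03-02T09:00:07", "R12", "door_open", None),
    ("2015-03-02T09:14:07", "R12", "door_close", None),
    ("2015-03-02T11:30:00", "R07", "door_open", None),   # no authentication first
    ("2015-03-02T11:31:30", "R07", "door_close", None),
    ("2015-03-02T13:00:00", "R12", "auth_ok", "j.chen"),
    ("2015-03-02T13:00:02", "R12", "door_open", None),   # never closed
]


def build_audit_trail(events, auth_window_s=10):
    """Return (sessions, findings).

    A door_open is attributed to the latest auth_ok on the same rack only if
    that authentication happened within auth_window_s seconds before it.
    """
    last_auth, open_doors, sessions, findings = {}, {}, [], []
    for ts, rack, kind, who in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "auth_ok":
            last_auth[rack] = (t, who)
        elif kind == "door_open":
            at, user = last_auth.pop(rack, (None, None))
            if at is None or (t - at).total_seconds() > auth_window_s:
                user = None                      # gap in the trail: nobody to attribute
                findings.append((rack, ts, "opened without authentication"))
            open_doors[rack] = (t, user)
        elif kind == "door_close" and rack in open_doors:
            opened, user = open_doors.pop(rack)
            sessions.append({
                "rack": rack,
                "user": user,
                "entered": opened.isoformat(),
                "seconds_inside": int((t - opened).total_seconds()),
            })
    # Doors with no matching close are reported rather than silently dropped.
    for rack, (opened, user) in open_doors.items():
        findings.append((rack, opened.isoformat(), f"still open, last user {user}"))
    return sessions, findings
```

The findings list is where the gaps show up: a door opened with no preceding authentication, and a door that was never reported closed.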
Organizations need to proactively address risks and examine
vulnerabilities on all fronts. This requires an integrated security
plan that successfully bridges the gap between cyber and physical
data security.
For more information visit www.elinebydirak.com.