CSA CCM DCS-11
Unauthorized Access Response Training

Data center security is a critical concern for any organization that relies on these facilities to house their IT infrastructure. One important aspect of data center security is ensuring that personnel are properly trained to detect and respond to unauthorized access attempts. The Cloud Security Alliance's Cloud Controls Matrix provides guidance on this topic in the form of the DCS-11 control.

Where did this come from?

CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing. It can be downloaded from https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. DCS-11 exists because the physical controls around a data center (access control, surveillance, access logging) only pay off if the people on site can recognise an unauthorized ingress or egress attempt and know what to do about it. For more information on data center security best practices, see the AWS whitepaper "Data Center Best Practices" (https://docs.aws.amazon.com/whitepapers/latest/data-center-best-practices/welcome.html).

Who should care?

  • Data center managers with responsibility for physical security
  • Security operations teams with incident response duties
  • Compliance officers with oversight of data center operations

What is the risk?

Unauthorized access to a data center can lead to a variety of adverse events, including:

  • Theft of physical assets like servers or storage devices
  • Tampering with equipment leading to outages or data loss
  • Installation of malicious devices for later remote access
  • Surveillance or reconnaissance to plan future attacks

Proper training of data center personnel helps prevent unauthorized access by enabling early detection of, and a practised response to, unauthorized ingress and egress attempts. It also limits the damage when an attempt succeeds, because a trained team responds quickly, contains the intruder, and preserves the evidence needed to understand what was touched.

What's the care factor?

Data center managers should place a high priority on this control, as unauthorized physical access to IT infrastructure can have severe and far-reaching impacts on an organization. Even a brief disruption to data center operations can be costly in terms of lost revenue and productivity. More severe incidents can lead to data breaches, reputational damage, and regulatory penalties. Security operations teams and compliance officers should also care deeply about this control, as they may be held accountable for any security failures.

When is it relevant?

Training on unauthorized access response is relevant for any data center that houses sensitive or business-critical IT infrastructure. It is especially important for data centers that:

  • Are geographically distant from the organization's main offices
  • Have a large number of personnel with access to the facility
  • Are located in areas with higher crime rates or geopolitical risks

This control may be less relevant for smaller server rooms or wiring closets that have very limited personnel access and are in close proximity to the organization's offices.

What are the trade-offs?

Implementing this control requires an investment of time and resources to develop and deliver the training. Data center personnel will need to spend time away from their regular duties to complete the training. There may also be costs associated with engaging subject matter experts to create the training content. However, these costs are likely to be negligible compared to the potential financial and reputational damage that could result from an unauthorized access incident.

How to make it happen?

  1. Develop a comprehensive training curriculum covering:
    • Types of unauthorized access attempts (tailgating, badge cloning, social engineering, etc.)
    • Signs of suspicious activity to watch for
    • Proper procedures for challenging unknown individuals
    • Incident response steps (notify security, lock down area, preserve evidence, etc.)
  2. Engage subject matter experts (physical security specialists, law enforcement, etc.) to assist with content development as needed.
  3. Determine appropriate training delivery methods (in-person, online, hands-on drills, etc.).
  4. Establish a training schedule to ensure all existing personnel complete the training within a defined timeframe (e.g. 90 days).
  5. Incorporate the training into the onboarding process for new data center hires.
  6. Conduct periodic refresher training to keep skills and knowledge current.

What are some gotchas?

  • Training content must be tailored to the specific data center environment and personnel roles. Generic off-the-shelf training may not be adequate.
  • Training should include hands-on drills and simulations to ensure personnel can apply their knowledge effectively in a real incident.
  • Training records must be carefully maintained to demonstrate compliance with this control during audits.
  • Personnel may require additional permissions to perform incident response actions like locking down areas or reviewing camera footage. Grant these to the specific roles that need them, document them, and include them in regular access reviews so they do not outlive the role.
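Steps 4 to 6 of the procedure above set a completion deadline, onboarding training and periodic refreshers, and the gotcha on training records asks that compliance be demonstrable at audit. The following added example (not part of the CCM or of the original page) shows the reconciliation an auditor or compliance engineer would actually run: join the badge roster exported from the physical access control system against the training log and flag every badge holder who is out of policy. The 90-day onboarding deadline is the figure from step 4; the 12-month refresher interval, the course title, the column names and the sample rows are all assumptions constructed for the example.

```python
"""Reconcile the data center badge roster against training records.

Added example, not CCM or page code. Column names, the course title and the
12-month refresher interval are assumptions; the 90-day onboarding deadline
is the figure the procedure uses.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample exports, not real personnel. The roster is what the
# physical access control system would export; the training log is what an
# LMS or a spreadsheet would export.
ROSTER_CSV = """badge_id,name,access_granted
1001,alice,2024-01-15
1002,bob,2024-06-01
1003,carol,2024-12-01
1004,dave,2023-02-10
"""

TRAINING_CSV = """badge_id,course,completed
1001,DCS-11 unauthorized access response,2024-02-01
1004,DCS-11 unauthorized access response,2023-03-01
1004,DCS-11 unauthorized access response,2023-12-01
1003,Fire safety,2024-12-05
"""

COURSE = "DCS-11 unauthorized access response"  # assumed course title


def parse_roster(text):
    """badge_id -> (name, date physical access was granted)."""
    return {
        row["badge_id"]: (row["name"], date.fromisoformat(row["access_granted"]))
        for row in csv.DictReader(io.StringIO(text))
    }


def parse_training(text, course=COURSE):
    """badge_id -> most recent completion date for the named course only.

    Other courses (fire safety, for example) do not count towards DCS-11.
    """
    latest = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["course"] != course:
            continue
        done = date.fromisoformat(row["completed"])
        if row["badge_id"] not in latest or done > latest[row["badge_id"]]:
            latest[row["badge_id"]] = done
    return latest


def find_training_gaps(roster, training, as_of, initial_days=90, refresher_days=365):
    """Return sorted (badge_id, name, finding) tuples for badge holders who are
    out of policy on `as_of`.

    initial_days   - deadline for first completion after access is granted
    refresher_days - maximum age of the latest completion (assumed 12 months)

    A new hire with no record who is still inside the onboarding window is
    deliberately not a finding, so the report stays quiet during onboarding.
    """
    findings = []
    for badge_id, (name, granted) in roster.items():
        last = training.get(badge_id)
        if last is None:
            deadline = granted + timedelta(days=initial_days)
            if as_of > deadline:
                findings.append((badge_id, name, f"initial training overdue since {deadline}"))
        elif (as_of - last).days > refresher_days:
            findings.append((badge_id, name, f"refresher lapsed; last completed {last}"))
    return sorted(findings)


def report(as_of):
    """Run the reconciliation for an ISO date string such as '2025-01-15'."""
    roster = parse_roster(ROSTER_CSV)
    training = parse_training(TRAINING_CSV)
    return find_training_gaps(roster, training, date.fromisoformat(as_of))


if __name__ == "__main__":
    for badge_id, name, finding in report("2025-01-15"):
        print(f"{badge_id} {name}: {finding}")
```

The join is driven from the badge roster rather than from the training log on purpose: the population that matters is everyone who can physically get into the facility, and a person who holds a badge but never appears in the training system is exactly the gap an auditor will look for. Running this against the real exports on a schedule, and keeping the output, gives the training record the gotcha above asks for.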

What are the alternatives?

While personnel training is important, it should be part of a layered approach to data center security. Other controls that can help prevent or detect unauthorized access include:

  • Rigorous access control procedures (multi-factor authentication at the door, such as badge plus PIN or biometric; least privilege; regular access reviews)
  • Intrusion detection systems and alarms on doors, windows, and other entry points
  • Security cameras covering all access routes and sensitive areas
  • Visitor logging and escorting procedures

See the AWS "Physical and Environmental Security" whitepaper for additional best practices (https://docs.aws.amazon.com/whitepapers/latest/physical-environmental-security/welcome.html).

Explore further

  • CSA CCM DCS-09 (Secure Area Authorization) - Restricting, documenting and monitoring every ingress and egress point, and retaining the access records, gives trained personnel the evidence they need to spot and investigate unauthorized attempts.
  • CSA CCM DCS-10 (Surveillance System) - Surveillance at the perimeter and at all ingress/egress points is what detects the attempts DCS-11 trains personnel to respond to.
  • CSA CCM DCS-03 (Secure Area Policy and Procedures) - A documented secure-area policy is a prerequisite for an effective training program.
  • CIS Control 14 (Security Awareness and Skills Training) - Provides additional guidance on implementing an effective security training program.
