Sensitive data. 

How best to protect it!

Government regulations and non-government standards invariably ask four basic questions regarding access to sensitive information: • Do you have safeguards in place to control access to sensitive data? • Are you able to continuously monitor who is accessing sensitive data? • Are you alerted in real time when information is being accessed without

authorization? • Can you produce an audit trail showing who has accessed data and when they

accessed it? Whilst considering your response to these questions it is important to remember that “access” within the context of these questions means physical access as well as network access, and that specific requirements for controlling physical access exist in all rules and regulations concerning the protection of private or sensitive information.

Following are examples that span multiple industries:  • PCI DSS Requirements 9 and 9.1: “Any physical access to data or systems that house

cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.”

  • HIPAA Title II, Physical Safeguards: “Access to equipment containing health information

should be carefully controlled and monitored. Access to hardware and software must be limited to properly authorized individuals.”

  • FISMA (FIPS 200 Section 3): “Organizations must limit physical access to information

systems, equipment, and the respective operating environments to authorized individuals.”

Data centres are usually physically secured with a mixture of unconnected platforms that may include palm readers, proximity card readers, combination locks and keyed locks.But what about the cabinet?

• Palm readers are too bulky.• Proximity cards can be misplaced, stolen or lent and with certain types cloned.• Combinations can be shared or seen by another party.• Keys can be misplaced, stolen or lent.

None of the above can produce an indisputable audit trail to adhere to government standards.

But a biometric finger print reader incorporated into a swing handle can.It’s not bulky.

• You don’t have to carry a card.• You don’t have to remember a combination.• You don’t have to carry a key.

All you need are your fingers.

BIOMETRICAL ACCESS CONTROL SOLUTIONS

Access control must not end at the entrance door to the data centre. Biometrical access control, combined with tested and proven electromechanical swing handles, result in significantly increased security with regards to access control for racks in data centres. Using a standard electromechanical swing handle with an integrated 125kHz card reading system and pass codes can be effective in certain environments but has draw backs.

• Passwords can be revealed.• Access cards can get into other hands. An audit trail can be created with passwords and access cards assigned to designated people, but can you be sure they are the ones using them.

If a swing handle with an integrated fingerprint reader is used at every cabinet door the person requesting access is unambiguously identified. 

This prevents unauthorised access to sensitive data and hardware within the cabinet. 

The audit trail that is produced for cabinet access in this instance then becomes indisputable.

This Biometrical access control system uses secure fingerprint technology, has few hardware components and is unique in providing personal identification and traceability with an intuitive operating software guarantee.

• Unambiguous identification by using swing handles with integrated fingerprint sensor.• Authentication directly at cabinet level.• Simple retrofitting in existing installations with mechanical handle systems. A database supported software makes the simple administration of all cabinets and housings in the entire data centre straight forward. Via the integrated SNMP interface a simple integration in existing facility managements can be realised. The system is compliant with all current security standards, the system provides a hundred per cent authentication and tamper proof event log.

Whether single server rack or complete data centre, simple, double or triple authentication or the four eyes principle –this system stands for ultimate security to protect assets and data.

Bus system for data centre applications.

The bus system consists of a central communications module, handle modules, swing handles and door contacts. An end of line unit can also be incorporated.

The communication module transmits the control signals and the power supply for up to a maximum of 32 handle modules, 64 swing handles and 128 door contacts. Each communication module requires its own IP address.

The communication module is linked to a designated server which houses the management software control cockpit.

Cat cables are used to link the handle modules.

The first handle module is linked by a cat cable from the CAN out port on the communications module, to its CAN in port. Next is the cable from the CAN out port into the CAN in port on the second handle module. This process is repeated up to the last module in the system, where a cable is then linked from the CAN out port into the CAN in port on the communications module.

By creating a full circuit power is guaranteed if the system is interrupted, for example if a handle module is disconnected part way through the system.

A typical cabinet layout could consist of:1 handle module.2 swing handles. (front and rear).4 door contacts. (front and rear as well as sides or roof). A typical system layout could consist of:1 communications module.32 handle modules.64 swing handles.128 door contacts.

Assuming that you are fitting 1 swing handle front and 1 swing handle rear a maximum of 32 cabinets can be achieved.

Several thousand systems can be connected back to the designated server hosting the management software control cockpit.

Providing that the designated server can be accessed via a secure network then the systems consisting of up to 32 cabinets can be located anywhere throughout the globe. Cabinet access can be from either the management software or via the swing handle. In the event that swipe card technology is requested on the swing handles, either as an entire system or in conjunction with biometric finger print swing handles then the swing handles are available in both the 125 kHz or the iclass 13.56 mHz format.

If swipe card technology is employed on any swing handle then the cabinets that these are used on will not be able to be classed as having an indisputable audit trail, only cabinets using swing handles with biometric finger print technology can achieve this.

Management software control cockpit.The software requires the installation of MS SQL server 2008 and is used to administer all biometrical access control systems under a convenient and intuitive user interface. 

Features. User management.

Due to the central entry using the control cockpit software it is simple to add users, their specific characteristics as well as the assignment of individual or group authorisations. Every user can register up to 10 fingers, of which 2 can be defined as alarm or distress fingers.‘Alarm fingers’ will allow entry but will trigger an alarm in the system indicating that an authentication was coerced. Each system can administer up to 9500 different users.

System management.

The control cockpit administers all biometrical devices, from the automatic recognition to the configuration, the programming of the fingers and the registration of cards up to monitoring and creation of event reports. With the control cockpit it is stipulated what functions in which device are activated or deactivated. Finger prints are logged to the system via a reader with a USB connector. The print is created and stored as a algorithmic pattern and then is scrambled. This means that reverse engineering and recreation of the print is not possible and that the print is no longer the same as was initially taken. Only live fingers can be used for authentication. Real time monitoring.

The control cockpit provides comprehensive control and monitoring functions. The status window displays the opening processes of all connected doors / handles in real time. The software monitors whether doors are open, closed, left ajar or have been opened by force.

Real time alarm.

The control cockpit displays alarm events at the central control station in real time. The user can see a list of potential alarm events which can in turn be set to send e-mails to designated addressed if so required. Alarms can be set so that they can only be cleared by tagging a note to them. This action is registered in the event log with the alarm, clearance note and user identification. Logging and analysis.

The control cockpit offers detailed event reports with the unambiguous identification of the user. The report function is very flexible and offers both standardised and configurable reports according to customer requirements. The secure alarm administration and the support of the SYSLOG standard make sure that the control cockpit software is a security system in itself. Each system can log up to 60,000 events. The system is set to archive log events at set intervals for later retrieval so that the maximum event level is never exceeded and no part of the audit trail is lost.

Scalability.

The control cockpit can be used to administer several thousand handle modules and the associated swing handles. The database remains on a designated central server making a convenient administration of the complete system possible. Providing that personnel have access to the designated server hosting the control cockpit software then access rights can be assigned for whatever functions it is deemed that the person should have. For example security could be assigned access to the log file or files that are created for the system or systems they are concerned with to enable them to clear faults as well as having the ability to create new users and provide appropriate access rights for pre-determined handles and the duration that is required. They can have a finger print reader connected to their security terminal to set up biometrical access. Providing that security have the required access rights then they can set up the new user to have access to handles not just on the systems on the site that they are overseeing but any other sites that they have access to.

Integration with third party systems.The control cockpit software has an SNMP interface and can be integrated into superordinated systems in this way.

A system using swing handles with biometric finger print readers will provide the upmost security along with an

indisputable audit trail ensuring compliance with government standards.

This system can be deployed just as well in company specific data centres as well as co-location data centres, from 1 to

thousands of cabinets and provided the appropriate network connections are available controlled from anywhere in the

world.