9ICCC IT security starts here - Common Criteria · Microsoft PowerPoint - TSI-Presentation.ppt...

TÜV Informationstechnik GmbH 9ICCC IT security starts here: At the building structure and its mission critical infrastructure Joachim Faulhaber & Wolfgang Peter


Page 1: 9ICCC IT security starts here - Common Criteria · Microsoft PowerPoint - TSI-Presentation.ppt Author: Faulhaber Created Date: 8/27/2008 2:17:12 PM ...

TÜV Informationstechnik GmbH

9ICCC

IT security starts here: At the building structure and its mission critical infrastructure

Joachim Faulhaber & Wolfgang Peter


© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 1

Agenda

Scope
Risk potentials
Physical security requirements
Application of the criteria catalogue


Class ALC: Life-cycle support


ALC_DVS: Development security

Objectives

Development security is concerned with physical, procedural, personnel, and other security measures that may be used in the development environment to protect the TOE and its parts. It includes the physical security of the development location and…


Data Center

9ICCC


Diversity of security

procedural security

IT security

physical security


Physical security standards

Depth of coverage between standards about 80%
Differences in the methodology
Slightly different focuses


Security Objectives

Confidentiality

Integrity

Availability


Risk potentials

Force majeure

Operating malfunctions

Crime


Crime

Burglary
Sabotage
Vandalism
Attack


Force majeure

Fire
Water
Corrosive gases
Explosion
Rubble loads
Lightning strikes
Earthquakes


Operating malfunctions

Lack of electrical supply by
  Breakdown
  Switching operations
  Overloading
Air conditioning breakdown
Communication breakdown
Safety equipment breakdown
Magnetic stray fields
Radio frequencies


Comprehensive security for all physical aspects of data centers


TSI requirements

Security technology
  Burglar alarm system
  Access control system
  Video system
  Security service

Building
  Zoning design
  Fire-Seals
  Arrangement
  Doors/windows
  Fire protection
  Lightning protection

Environment
  Traffic routes
  Water
  Industry
  Warehouse
  Topography

Fire protection technology
  Fire alarm system
  Fire extinguishing system
  Alarm equipment
  Field of application

Energy supply
  Routes
  Distributors
  Overvoltage protection
  Uninterruptible power supply
  Standby generator

Air conditioning
  Supply engineering
  Reliability
  Circ. air cooler / heat exchanger
  Room monitoring
  Outside air supply

Organisation
  Procedures
  Function tests
  Maintenance
  Allocation
  Qualification

Documentation
  Security concept
  Emergency concept
  Fire protection concept
  Maintenance concept
  Building plans
  Circuit diagram
  Air-conditioning and vent. diagram

Data networks
  Redundant feeds
  Routes
  Overvoltage protection
  red. central components


Cornerstones of infrastructure measures

Precaution
  Overvoltage protection
  Intrusion detection
  UPS
  etc.
  But also planning certification

Detection
  Fire alarm
  Temperature sensors
  Access control
  etc.

Reaction
  Alarm relaying
  Fire extinguishing systems
  Starting standby generator unit
  etc.


Evaluation result

Level 1: medium protection requirements (according to the BSI infrastructure requirements of the baseline protection manual)
Level 2: extended protection requirements (extended requirements for all above-mentioned aspects)
Level 3: high protection requirements (complete redundancy of essential components, no single point of failure, climate limits according to EN 1047-2)
Level 4: very high protection requirements (advanced access control, no adjacent hazard potentials, with minimal intervention time)


Creating trust

Processing industry

Customers and markets

Courts of Law

Bank

Insurance

Board

Liability questions

Suppliers

Market positioning

Basel II

Conditions

Persuasion

IT-operator


Excerpt of TSI certified datacenters


Summary

The matter of physical security
Methodology & structural approach
Application of parts of the criteria to CC site visits


TÜV Informationstechnik GmbH
Member of TÜV NORD Group

Joachim Faulhaber
Deputy Division Manager
TÜViT, Certification

Wolfgang Peter
Director Evaluation Body for IT Security
TÜViT, Information Security

Langemarckstr. 20
45141 Essen, Germany

Phone: +49 201 8999 – 584
Fax: +49 201 8999 – 555
E-Mail: [email protected]
www.tuvit.net