For those who have not worked in a data center environment, data centers can be a little overwhelming. As you enter the data center, you will notice that access is strictly controlled. You may pass through a "man trap" and be authenticated by either a biometric or a card-key-based authentication system.
Once you pass into the computing environment, you will notice racks of computer systems, usually sitting on a raised floor. Most of the time, miles of power and network cables are run beneath a raised floor, although some data centers run cables through open conduits that hang from the ceiling. You also will notice that there are normally generators, large power conditioners, and UPS devices or rooms filled with batteries to ensure that clean, uninterrupted power is available at all times. Most data centers also have industrial-strength heating, ventilation, and air conditioning systems to maintain optimal temperature and humidity levels within the data center.
The brain of the data center facility is the data center control center. It usually consists of a series of consoles and computer monitors that are used to monitor temperature, humidity levels, power consumption, alarms, and critical system status. Most of the time, this is the only area consistently manned by data center personnel.
For the purpose of the data center audit, we will explore facility-based controls, as described earlier; system and site resiliency controls; and the policies, plans, and procedures used in governing data center operations.
Data centers incorporate several types of facility-based controls, including access control systems, alarm systems, and fire suppression systems. These systems are designed to prevent unauthorized intrusion, detect problem conditions before they cause damage, and prevent the spread of fire.
Access control systems are used to provide physical protection of the information systems that reside within the data center. These systems include biometric devices that read fingerprints, hand geometry, and even retina characteristics to authenticate individuals who need to enter the facility. They also may include card-key systems or proximity badge systems.
Access control systems also include man traps. Man traps consist of two doors that are separated by a corridor. People entering the facility must authenticate to enter the corridor. The door closes behind them, and then they authenticate again to enter the data center facility. If someone is able to circumvent security to gain access to the corridor, they are effectively trapped when the access control system blocks their access to the data center itself.
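The two-step man trap sequence described above can be checked against badge-reader logs during an audit. The following is an added example, not from the original text; the log format, the 60-second corridor window, and the finding names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log: (time, badge, door, result). The format is an assumption.
SAMPLE_LOG = [
    ("2024-03-01 08:00:05", "B100", "outer", "granted"),
    ("2024-03-01 08:00:20", "B100", "inner", "granted"),  # normal entry
    ("2024-03-01 09:15:00", "B200", "inner", "granted"),  # never badged at outer door
    ("2024-03-01 10:30:00", "B300", "outer", "granted"),
    ("2024-03-01 10:30:15", "B300", "inner", "denied"),   # stopped in the corridor
    ("2024-03-01 11:00:00", "B400", "outer", "granted"),
    ("2024-03-01 11:05:00", "B400", "inner", "granted"),  # five minutes in corridor
    ("2024-03-01 12:00:00", "B500", "outer", "granted"),  # no inner-door event at all
]

FMT = "%Y-%m-%d %H:%M:%S"

def audit_mantrap(log, window=timedelta(seconds=60)):
    """Return (time, badge, finding) for every break in the outer -> inner sequence.

    window is the assumed maximum time a person should spend in the corridor.
    """
    findings = []
    pending = {}  # badge -> time of an outer-door grant not yet followed by an inner event
    for stamp, badge, door, result in sorted(log):
        when = datetime.strptime(stamp, FMT)
        if door == "outer":
            if result == "granted":
                pending[badge] = when
            continue
        # Inner-door event: it must pair with an earlier outer-door grant.
        entered = pending.pop(badge, None)
        if entered is None:
            findings.append((stamp, badge, "NO_OUTER_AUTH"))
        elif result != "granted":
            findings.append((stamp, badge, "HELD_IN_CORRIDOR"))
        elif when - entered > window:
            findings.append((stamp, badge, "WINDOW_EXCEEDED"))
    # Outer-door grants that were never followed by any inner-door event.
    for badge, entered in pending.items():
        findings.append((entered.strftime(FMT), badge, "NO_INNER_EVENT"))
    return findings

if __name__ == "__main__":
    for finding in audit_mantrap(SAMPLE_LOG):
        print(*finding)
```

A NO_OUTER_AUTH finding means a badge reached the inner reader without its own corridor authentication, which an auditor would compare against camera footage for the same time.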
Because fire, water, extreme heat and humidity levels, power fluctuations, and physical intrusion threaten data center operations, you will notice several different types of alarm systems. Specifically, you will want to look for the following types of alarms:
Burglar alarms (with magnetic door, window, or cabinet sensors; motion sensors; and sometimes audio sensors)
Fire alarms (usually smoke-activated sensors broken into zones that cover different parts of the facility)
Water alarms (usually with sensors beneath the raised floor, near bathrooms, or in water pipe ducts)
Humidity alarms (normally with sensors dispersed throughout the facility)
Power fluctuation alarms (with sensors near the logical point of entry)
Chemical or gas alarms (sometimes in battery rooms and near air intakes)
These alarm systems normally feed into the data center operations center. During an alarm condition, the operator usually can drill down to specific sensors and reference a surveillance camera to isolate the cause of a problem.
Because of the large amount of electrical equipment, fire is a major threat to data centers. Therefore, data centers normally are equipped with sophisticated fire-suppression systems and should have a sufficient number of fire extinguishers. Generally speaking, fire extinguishers come in two varieties: water-based systems and gas-based systems.
Since the computer systems that reside in a data center generally are leveraged to automate business functions, they must be available any time the business operates. Therefore, data centers incorporate various types of controls to ensure that systems remain available to perform critical business operations. These controls are designed to protect power, the computing environment, and wide area networks (WANs).
Clean power is absolutely critical to maintain computer operations. Power fluctuations such as spikes, surges, sags, brown-outs, and black-outs can damage computer components or cause outages. In order to mitigate this risk, data centers provide power redundancy in several layers, including the following:
Redundant power feeds (connecting the data center to more than one power grid)
Ground to earth (to carry power away from critical components during fault conditions)
Power conditioning (to flatten out harmful spikes and sags in current)
Battery backup systems or UPSs (to provide uninterrupted power in the event of power fluctuations, brown-outs, or black-outs)
Generators (to provide electrical power during prolonged power outages)
The auditor's responsibility is to verify that the power-related control method, capacity, and operating condition are adequate. We will explore power-related controls later in this chapter.
Extreme temperature and humidity conditions can cause damage to computer systems. Since computers require specific environmental conditions to operate reliably, heating, ventilation, and air conditioning systems are required controls. Data centers typically provide sophisticated redundant systems to maintain constant temperature and humidity. Data centers often provide double the required capacity. The auditor's task is to evaluate capacity and the operational condition of these units.
Whether from internal networks or the Internet, users access information systems residing within data center facilities through network connections. Therefore, network connectivity is absolutely critical. More often than not, data center facilities have redundant Internet and WAN connections using multiple carriers. If one carrier experiences a network outage, service to the facilities can be provided by another carrier.
Although data centers are designed to be automated, they do require a staff to operate. As a result, data center operations should be governed by policies, plans, and procedures. The auditor should expect to find the following areas covered by policies, plans, and procedures:
Physical access control
System and facility monitoring
Facility and equipment maintenance
Responding to outages, emergencies, and alarm conditions
We will explore data center operations in more detail later in this chapter.