The security of a network can sometimes be related to a physical location. In this video, you’ll learn about air gaps, vaults, safe, and hot and cold aisles.
<< Previous Video: Physical Security Controls Next: Secure Data Destruction >>
In the world of IT security, we’re often concerned about making sure that no one is able to access through the network to our important internal assets. But it’s just as important that we create a physical barrier from the outside to all of our internal systems as well.
This is something that should be part of security policy. It should be built in to the normal operations of your organization. And the goal would be to prevent anyone from the outside from gaining physical access to your systems. Although we have firewalls that would prevent someone from digitally gaining access to these devices, we have to have physical security controls to prevent physical access to these devices. If someone had physical access to your computer or to a server, they would effectively be able to circumvent all of those security controls.
And just as we have to control access to our live systems, we also have to control access to our backups. Our backup systems have all of the data that’s contained on those servers. So they are just as important to secure as the live running systems.
An air gap is a way to provide a physical separation between devices or between networks. This might be a common way to prevent access between a secure network and an insecure network. Or you may want to have an air gap between different customer’s networks.
In many environments, the entire infrastructure is on one big shared network. So you’re able to move between different systems, different virtualized environments, and move using the existing switches and routers on that network. But in some networks, we need an air gap. We need a physical disconnection so that it would never be possible for someone on one network to gain access to resources that might be on another network.
A good example of this are stock market networks, or power systems, or perhaps it’s the networks that we have in our airplanes, or nuclear power plants. These would be networks where we never want someone to gain access to these networks– even accidentally. So having an air gap network would provide physical isolation and restrict access to those resources.
We talked earlier about controlling access to backups and other resources. And it’s not unusual for large organizations to have an entire secured room where they can store this valuable information. This would be a vault or an entire secure room where you might keep all of those backup tapes. This would also be a great place to keep any other type of protected resources or resources you might need if there was some type of outage or natural disaster.
These vaults are commonly onsite in a facility that you’re able to access while you’re in the building. If your facility isn’t large enough to support a vault, then perhaps all you need is a safe. It has the same type of safety and locking mechanisms as a vault.
But it’s something that’s a lot smaller. It’s also a lot less expensive to implement. You can usually install one onto an existing area of the room. This does have limited space, however– does not have as much room as a vault might. But it would allow you to install this at many other locations rather than having one centralized vault in one building.
Another important secure area in a data center are the hot and the cold aisles that are used in that facility. In a data center, we have a lot of equipment. It’s usually stored in racks inside of that data center. And all of that equipment is constantly generating heat.
To be able to offset all of this heat, we usually have extensive cooling systems in these data centers. That cooling system is able to cool all of the equipment in this rack and keep them all at an optimal temperature. One of the environmental challenges the data center administrators have is they need to keep this equipment cool.
But this is a very large room. And, relatively speaking, the equipment in the room is taking up a relatively small amount of space. It would be much better if we could only cool the sections of the room where the cooling is required and not have to worry about the environment elsewhere in the room.
To be able to do that, we separate the room into cold aisles and hot aisles. The equipment that’s in these racks– it’s designed to blow air in a single direction. Cool air is provided to the equipment on the cold side, or cold aisle. That is sent through the equipment and heated up into the hot aisle. On the hot aisle, we have ventilation equipment that captures the hot air and sends it back into the cooling system to simply recycle that back into the cold aisle.
Here’s a data center using a hot aisle containment system where all of the hot air is trapped inside of this area. We have cold air that’s coming up through the bottom of these racks. All of that cold air is pushed through those systems and into the hot aisle. And that hot air is going to be captured up high and sent back into the cooling system, where it’s recycled back through the cold aisle.