Skip to main content

Translate

Buat standar keamanan data center Anda



Set data center security standards to harmonize IT, business goals


IT operations teams and security teams often are at battle. Data center security standards can largely affect the people who run the systems. Tighten security too much and administrators can't do their jobs.
Application and systems programmers need authority to operate the system and to detect and fix problems. At the same time, corporations must guard against unauthorized distribution of customer, employee or other confidential information. In the interest of availability, enterprises restrict the chances of anyone making arbitrary, unscheduled or malicious changes. So, how do shops reconcile protecting data and availability while maintaining suitable access for technical support? 
Data centers have several choices in identity management, including group logon IDs, firecall IDs and alternate IDs. Let's take a look at each security measure and any associated issues.
Group logon IDs. Some shops consolidate powerful access into one logon ID that members of a functional team share. You can control access to the group ID by requiring a technician to enter an approved change number before gaining access.
This scheme has several advantages. First, every action performed by these IDs can be easily logged and audited. It also takes the power away from individuals and, depending on the controls put around the group ID, means that any changes to the system must be deliberate, scheduled and reviewed.  
Firecall IDs. Similar to group IDs, firecall IDs have a limited scope and lifetime. In general, a programmer who requires exceptional access must either check out or create a firecall ID. Additional controls may include a one-time generated password and an expiration time that limits its lifespan.
Like group IDs, firecalls can be heavily audited, and IT security can put all sorts of controls around the process for getting one. In addition, firecall access can be more granular than a group ID. For instance, while one group ID may be able to update system datasets and reorganize databases; security may set up two different firecall IDs for each distinct function.
Alternate IDs. With alternate IDs, power still rests with the individual. But instead of having full access all of the time, security teams strip the more powerful abilities from the normal ID and move them to alternate IDs. This allows technical support personnel to monitor the system with their regular ID without being able to change anything. Instead, any modifications require logging onto his or her alternate ID.
Alternate ID's provide more flexibility than firecall IDs or group IDs. They also grant faster access to update authority; however, they are harder to control.

Contending with firecall ID and group ID

Both firecall and group IDs share some problems. First, while both IDs can be heavily audited, they also make some change more anonymous. For instance, IBM's Interactive System Productivity Facility (ISPF) stores the ID of the last person to update a partition dataset (PDS) member in the library's directory. In this case, ISPF records stores the firecall or group ID, but the person using it is unknown.
Firecall IDs have an additional disadvantage with the checkout process, because sometimes a shop needs them in an emergency. If the method for getting a firecall ID takes too long or requires too much documentation or levels of approval, a short outage could easily become a long one.
Group IDs have a similar defect. Imagine having an outage in the middle of the day and the only ID powerful enough to fix it is locked up by someone who left for the day.
Here are a few best practices for maintaining secure and available data centers:
  • Allow application and systems programmers to monitor production. Despite all the recent developments in automation and "autonomic" systems, computers still need active monitoring to reach extreme availability levels. Done correctly, read access should not pose any danger to availability.
  • When comparing the three options, alternate IDs could be the best option. Alternate IDs can be logged -- just like group and firecall logons -- and they preserve some audit trails that are built into the system. Alternate IDs also allow support personnel to act quickly, when needed.
  • If a shop wants to use firecall or group IDs, they should build a process that hits the sweet spot between effective controls and speedy access. In addition, the software that controls firecall IDs should have the highest availability goals in the enterprise.
  • A department may want to designate a few dependable people with full powers in production to serve as the cavalry when things go badly. While this effectively short-circuits all the other attempts at control, it does provide for quicker problem resolution if something should happen.
Trust the technical support personnel. They dislike outages as much as management and are dedicated to the success of the enterprise.
About the author:
Robert Crawford spent 29 years as a systems programmer, covering CICS technical support, Virtual Storage Access Method, IBM DB2, IBM IMS and other mainframe products. He programmed in Assembler, Rexx, C, C++, PL/1 and COBOL. Crawford is currently an operations architect based in south Texas, establishing mainframe strategy for a large insurance company.captainwhacks@yahoo.com

Comments

Popular posts from this blog

Timer AC bergantian

Bagaimana sich prinsip kerja AC yang bergantian? Seperti yang terangkai pada ACPDB, yang kita butuhkan adalah 1 buah timer dan 2 buah kontaktor. Pada dasarnya rangkaiannya adalah seperti gambar diatas. Seperti kita ketahui, timer dan kontaktor akan bekerja apabila mendapatkan catuan 220 V. Pada timer catuan bisa dikoneksikan di lubang “L” dan “N”, sedang pada kontaktor dilubang “A1” dan “A2”. Itulah kenapa pada saat mati listrik komponen2 tersebut tidak bekerja. Timer berfungsi sebagai switch dari 2-1 atau 2-3 dan lubang “2” sebagai sumber yang dialiri arus listrik. Sesuai namanya alat ini akan bergantian dari 2-1 atau 2-3 berdasarkan waktu yang sudah kita atur pada sirip biru. Satu sirip merepresentasikan 30 menit. Sedang pada kontaktor untuk tipe Telemecanique, sumbu-sumbu saklarnya adalah 1-2, 3-4, 5-6, NO-NO, NC-NC.  Jika “A1” dan “A2” tidak dicatu maka 1-2 (open), 3-4 (open), 5-6 (open), NO-NO (open), NC-NC (close/terhubung). Dan bila “A1” dan “A2” dicatu  maka 1-2 (close), 3-4 (clo…

Pemilihan jenis modul AMF (Automatic Main Failure)

Pemilihan jenis modul AMF (Automatic Main Failure)

Dari sekian banyak jenis modul yang ada dipasaran, kami menawarkan beberapa alternatif untuk jenis modul AMF yang dapat kami sediakan. antara lain menggunakan modul dari DEEPSEA, smart relay atau timer. tentunya dengan beragam pilihan tersebut ada beberapa keuntungan atau kelebihan dari masing masing modul tersebut. sebagai misal menggunakan modul AMF dari DEEPSEA akan sangat cocok jika modul ini dapat berinterakasi langsung dengan genset. terutama jika mesin genset belum dilengkapi genset controller dan masih mengandalkan panel genset manual. untuk pabrikan genset sekarang ini pada panel genset sudah dilengkapi dengan AMF, sehingga tidak perlu panel AMF - ATS dengan menggunakan modul DEEPSEA atau sejenisnya. sehingga dalam pemilihanya dapat menggunakan timer, smart relay atau produk lain seperti ATS controller C20 dari socomec.


Modul DEEPSEA 4420

AMF Module DSE 4420 Modul ini memiliki banyak fitur antara lain ; Start / stop gensetDigital …

Contoh Panduan Standarisasi Area Data Center

Berikut adalah contoh Panduan Standarisasi Area Data Center

PANDUAN - IK Standarisasi Area Data Center Article Number: 49 | Rating: Unrated | Last Updated: Mon, Nov 25, 2013 at 2:13 PM BAB I KEBIJAKAN
1.1.Area Data Center
Areadata center termasuk aset vital perusahaan dan diperlakukan sesuai dengan persyaratan yang telah ditetapkan dalam Sistem Manajemen Pengamanan Perusahaan.

Seksi Jaringan bertanggungjawab terhadap pengamanan fisik dan logik. sedangkan fungsi Sekuriti terhadap pengamanan fisik.


1.2.Pertimbangan Dalam Hal Penentuan Lokasi Area Data Center
Beberapa pertimbangan yang harus ada dalam menentukan lokasi ruang data center, yaitu :

1.Memungkinkan untuk pengembangan yang memadai, misalnya mempertimbangkan pengembangan untuk jangka waktu 5 (lima) tahun ke depan.
2.Mempertimbangkan ruang yang tidak "terlalu” banyak dilalui untuk operasional lain, namun tetap dapat dijangkau dengan mudah.
3.Memperhatikan aspek keamanan dan keselamatan pekerja.
4.Memenuhi persyaratan sebagaimana yang …