DAS-SQL v2.3.1.0 64bit released

Digitus Biometrics today released the much anticipated 64bit version of our DAS-SQL Management Application, incorporating a host of new features, performance and design improvements as well as minor bug fixes.

More information can be found on our Support Portal



Addressing Physical Security Risks in the Data Center with Digitus Biometrics

In many cases, the discussion regarding data breaches immediately shifts into a discussion regarding cybersecurity, and the need for protection against hackers and other forms of illicit electronic access.

However, many breaches, often some of the most damaging ones, are caused by insiders with physical access to critical IT equipment.
With the average cost of a data breach in the millions, it is critical to ensure that the physical security of the data center extends beyond encryption, firewalls and standard card access programs to include biometric authentication and monitoring.

The predominant physical security scheme employed by almost all data centers today is a perimeter-based, reduced concentric circle access control scheme that usually stops at the data center door. This outdated scheme leaves the server cabinets inside the data center vulnerable. With Digitus’ patent-pending technology, data centers can carry their access control all the way inside.

In fact, with every db ServerRack biometric system installed according to our best practices, Digitus extends a written warranty, guaranteeing a full refund or replacement product if a facility fails to meet a physical security audit within the first year. Go ahead, read the fine print. There’s nothing to hide.


Data Centers Can Use SSAE 16, PCI, Cybertrust Standards to Validate Physical Security

September 23rd, 2013 By: Industry Perspectives

Michelle Ziperstein is the Marketing Communications Specialist at Cervalis LLC, which provides data backup and disaster recovery solutions for mission-critical data.


Data centers protect their companies’ or clients’ operations by securing operating perimeters, controlling access to data and equipment, providing protection against environmental threats, and more.

Data centers hold a lot of sensitive information, so it is important to know whether they provide effective and adequate safeguards against data theft and other potential problems. This can be determined by an assessment of their physical security.

There are three main certifications for assessing physical security: SSAE 16, PCI, and Verizon Cybertrust. Some data centers, like Cervalis’, continually maintain SSAE 16 and PCI compliance as well as Verizon Cybertrust certification.

Data centers can help companies comply with regulations. Let’s take a closer look into the three physical security certifications.

SSAE 16

SSAE 16 is the standard for attesting to physical security, issued by the American Institute of Certified Public Accountants’ Auditing Standards Board.

There are two types of SSAE reports: Type I and Type II. The Type I report is rather basic; it is a relatively cursory report on the service provider’s internal controls and processes. For this report, management submits a written description and the auditor issues an opinion on whether the service provider has adequate controls to provide services and handle emergencies. For a truly wide-ranging attestation, your company should schedule a Type II report, which not only assesses the company’s capacity but also tests it over a period of time. Most publicly traded companies, especially in highly regulated industries such as financial services and cloud computing, are all but required to pass SSAE 16 Type II, since many companies are leery of partnering with businesses that lack certification.

SSAE 16 has replaced SAS 70, the earlier standard. There are two main differences: the management of a company now has to provide the service auditor with a description of its system, and with a written assertion.

Before a data center can become SSAE 16 compliant, it has to undergo an audit of its infrastructure, environmental safeguards, customer service, communications, user controls, insurance coverage, and management.

While SSAE 16 is a very wide-ranging report that examines companies in many different industries, it has a number of categories that apply specifically to data centers. SSAE 16 will determine whether the data center has:

    • Adequate backup power and data redundancy
    • Adequate monitoring of environmental conditions, such as temperature
    • Diligent recording and reviewing of alerts
    • Proper monitoring and protection against fire and water
    • Sufficient physical security solutions, such as biometric access controls, CCTV surveillance, guards and man traps

PCI

Unlike SSAE 16 and its predecessor SAS 70, which were developed by an accounting organization, the PCI Security Standards Council was founded by credit card companies. Its focus is data security in particular, especially for payment processing, credit card and other financial information.

The PCI Security Standards Council website shows PCI standards as available to merchants, financial institutions, software and hardware companies, and finally professionals and services. The PCI Security Standards comprise the Data Security Standard, the PIN Transaction Security, and the Payment Application Data Security Standard.

The standards serve as various ways to assess and improve the security of payment card data. As of now, there are six control objectives:

    • Building and maintaining a secure data network, with good security practices in place to prevent vulnerabilities and leaks
    • Protecting cardholder data by safeguarding data storage and using encryption while transmitting data
    • Maintaining a vulnerability management program by using and updating antivirus and anti-hacking programs, and using secure applications and hardware
    • Putting in place strong access control, such as limiting access to data on a need-to-know basis, tracking system users with a unique identifier and putting barriers in the way of physical access to data
    • Regularly testing and monitoring by tracking all access to data and hardware and testing systems against vulnerabilities
    • Maintaining an information security policy and making sure all personnel are aware of the policy and practicing it

Verizon Cybertrust Certification

Cybertrust was a digital security company that was bought out by Verizon, and it has become the cornerstone of the service provider’s security certification. Verizon offers a number of certifications and seals: Verizon Cybertrust Security Certified Enterprise, Perimeter, Application, Business and Site.

The perimeter security program from Verizon Cybertrust assesses parameters ranging from system and network vulnerability analysis to physical and policy evaluation. Six types of risks are covered under the program: downtime issues, electronic threats, human factors, malicious code, physical security, and privacy.

In addition to assessing the security status of a business, location or application, Verizon also offers cyber security services, such as access & identity management, threat assessment and security compliance.


IT Asset Protection and the Malicious Insider


It continues to puzzle me.

Survey after survey, like the Gabriel Survey in the Fall of 2011 or the Intel Survey in September of that same year, has concluded that insiders are responsible for the vast majority of malicious attacks in the data center. While a great deal of attention has been placed on cyber security, most data centers continue to rely on outdated, ill-conceived methods of physical security. This leaves the investment in IT infrastructure, and the data it manages, as vulnerable as it has ever been.

The IT community seems to be practicing what I call “the ostrich theory of management”: we put our heads in the sand and hope the issue has gone away by the time we pull them out. Meanwhile, malicious insiders continue to be responsible for the majority of physical attacks on data centers, resulting in damaged or stolen IT assets and significant downtime. Once IT infrastructure is damaged or stolen by insiders, the actual cost of the hardware pales in comparison to the cost of downtime to brand and reputation.

Most physical security schemes fail to recognize the insider threat. With insider threats on the rise, this directly correlates with higher vulnerability rates in the data center. The only way to lower vulnerability rates related to insider activity is to secure the core along with the perimeter. Any initiative to secure the core begins at the server cabinet level: all access to server rack cabinets within the data center must be managed and recorded. An indisputable audit trail of all cabinet-level activity dramatically reduces the vulnerability to insider attacks and damage, and this type of audit trail can only be achieved through biometrics.

Biometric access control at the cabinet level can protect IT infrastructure and dramatically reduce the data center’s vulnerability to insider attacks, keeping downtime to a minimum and data secure.


New Partnership Results in Advanced RFID Card Access Solution

For years now, we have been designing and building what we consider to be the world’s best biometrics-based access control systems for organizations worldwide. Our clients continue to turn to us to provide the ultimate secure environment for their critical technology systems.


Recently, it became clear that we could combine the best of our leading-edge access control monitoring and access systems with more traditional RFID card access solutions. This solution helps clients meet their immediate security needs today while providing a path to a potential future implementation of a full biometrics-based system.


We are happy to announce a new partnership with Southco, a worldwide leader in providing access solutions for a wide variety of markets. Together we have worked to integrate the H3-EM Electronic Locking Swinghandle into the Digitus db Bus cabinet-level access control product. This new addition to the db Bus product line allows our customers with legacy card access control systems to immediately secure server cabinets in the data center with a compatible product from Digitus. It also gives those same customers the option to migrate to a more secure biometric solution in the future.


The response to this new solution has been overwhelmingly positive. It allows our customers to quickly implement a superior solution using their current systems, with a clear upgrade path to a fingerprint-based access control system for their enterprise.