A digitized world needs high IT Security
Our networked world: enabling services (Big Data, user-centric mobility, Cloud) built on underlying infrastructures.
End-to-end Attack Points Analysis: Endpoint – Transfer – Data Center
Access to critical data: administrators can access sensitive data unnoticed.
Data is intercepted: outgoing data can be intercepted, read and manipulated.
Hacker attacks: hacker attacks are facilitated by monitoring that is not end-to-end; logs can be falsified.
Physical access: to systems through insufficiently secured access processes.
Remote access: transfer and control of the systems by remote access.
Screen contents: can be read.
Webcam and microphone (internal/external): can be activated and controlled (room surveillance possible).
External HDDs, USBs: can install viruses and backdoors unnoticed.
Mouse and keyboard input: can be read.
Main memory: holds unencrypted data.
Internal data media (HDD, SSD, DVD): are readable despite encryption.
BIOS, OS, driver, application: can contain backdoors.
Communication (Internet/LAN/WAN; Extranet, Intranet, Internet, Cloud): backdoors in active / passive network components.
Why is protection against physical access so important?
If an attacker is able to access the hardware (HDD, RAM, etc.) directly, then it is hardly possible to protect the system appropriately.
FUJITSU SURIENT MRS protects the components in the rack against unauthorized access by controlling access rights, monitoring the doors and logging all actions.
New rack solution with physically secured access to servers and components
Overview
Investment protection: this Managed Rack Solution can be easily integrated in existing data center infrastructures.
Authorization concept: only authorized persons have physical access to servers and components inside the racks (cages).
Auditability: all accesses and actions will be recorded in an auditable fashion.
User guidance: user guidance with easy and intuitive menus.
Authentication concept
Central User Management: integrated central user management allows access rights to be altered at any time, so users can be removed very quickly.
Biometric Authentication: the user is uniquely authenticated with biometric methods (FUJITSU PalmSecure ID Match).
Granular Authentication concept: access rights can be assigned to single rack/cage doors (front/back).
Logging: unauthorized access attempts will be identified with sensors and logged.
Solution components
Standard 19” racks (1, 2 or 3 cages) with electromechanical locks, sensors and a Rack Management System (RMS) for monitoring of the rack
Biometric authentication via PalmSecure ID Match for access control and lock activation
Rack Control Server to control and monitor several racks
Integrated monitoring and logging of all actions
Installation and setup service
Training
Functionality and process
All users / administrators have to register through an enrolment with PalmSecure ID Match. The user data and the templates of the palm vein patterns are stored on the SmartCard. This is done with a web application on a client computer at any location.
On the rack control servers the access rights to racks/cages are configured for authorised users / administrators.
All actions will be recorded and forwarded to a monitoring system.
The users / administrators can select with the application in PalmSecure ID Match which rack/cage they want to lock or unlock. After successful authentication and rights validation the suitable action will be performed.
Process lock/unlock of a rack (diagram): PalmSecure ID Match checks authenticity (OK / Not OK); the Rack Control Server checks access rights (OK / Not OK); on OK the selected lock or unlock action is performed.
*1 During enrolment PalmSecure ID Match automatically enters the enrolment dialog. Thereafter it can be changed back to (1).
*2 It is possible to administer several racks simultaneously by entering several cage IDs.
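The lock/unlock decision described above, modelled in Python as an added example that is not part of the original Fujitsu material: the class, method and field names are assumptions, the biometric match result is passed in as a boolean because PalmSecure ID Match performs that step on the device, and the door-sensor check shows how an opening without a preceding authorized unlock is flagged.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed model of a Rack Control Server's decision logic (hypothetical
# structure, not Fujitsu's software): per-door rights, central revocation,
# an audit trail of every action, and door-contact sensor evaluation.


@dataclass
class RackControlServer:
    # user_id -> set of (cage_id, door) the user may open; door is "front" or "back"
    rights: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # every action, allowed or denied
    unlocked: set = field(default_factory=set)  # (cage_id, door) currently unlocked

    def _log(self, event, **details):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append({"ts": stamp, "event": event, **details})

    def grant(self, user, cage, door):
        self.rights.setdefault(user, set()).add((cage, door))
        self._log("grant", user=user, cage=cage, door=door)

    def revoke_user(self, user):
        # Central user management: erasing the rights blocks access at once;
        # no key or ID card has to be collected from the person.
        self.rights.pop(user, None)
        self._log("revoke", user=user)

    def request(self, user, authenticated, cages, door, action):
        """Authenticity result first, then a rights check per cage, then act."""
        if not authenticated:
            self._log("auth_failed", user=user, cages=list(cages), door=door)
            return {c: "denied" for c in cages}
        results = {}
        for cage in cages:  # several cage IDs may be handled in one request
            if (cage, door) not in self.rights.get(user, set()):
                self._log("denied", user=user, cage=cage, door=door, action=action)
                results[cage] = "denied"
                continue
            if action == "unlock":
                self.unlocked.add((cage, door))
            else:
                self.unlocked.discard((cage, door))
            self._log(action, user=user, cage=cage, door=door)
            results[cage] = "ok"
        return results

    def door_sensor(self, cage, door, opened):
        """Door contact sensor: an opening without an authorized unlock is an intrusion."""
        if opened and (cage, door) not in self.unlocked:
            self._log("unauthorized_access", cage=cage, door=door)
            return "alarm"
        self._log("door_opened" if opened else "door_closed", cage=cage, door=door)
        return "ok"
```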
Advantages and benefits
Biometric authentication: impossible to "duplicate" the keys or ID cards; no security risk from losing keys or ID cards.
After an employee leaves the company, access can be blocked by erasing the access rights (no need to collect keys, ID cards).
Possible to lock and unlock racks remotely from any location (configurable).
All actions will be stored in a monitoring system.
The solution can easily be extended or adjusted to current requirements.
Internal data center with higher security requirements for single areas
Infrastructure for areas with higher security requirements can be secured with specially secured racks.
By using racks of up to 3 cages (13 U) small units can be secured as well.
Use Cases
Hoster (examples: universities, housing provider): single institutions or departments (e.g. a university) or single customers (housing provider) can be provided with secured environments in very small rooms which only specified persons are able to enter.
Hoster or internal IT with data centers spread over a campus: central management and monitoring of all racks in several distributed data centers.
Branches (N locations with fewer racks): higher security through "Colocation Racks" with special security characteristics.
Local and central control: local enrolment possible from a central administration system.
Concept and architecture
A Managed Rack Solution consists of 1-n blocks.
In each block a Rack Control Server controls and monitors the connected racks/cages (1–16).
It is possible to configure which PalmSecure ID Match controls the access to which block.
The enrolment of SmartCards can be done on an admin client with a web interface anywhere.
Optionally a dedicated PalmSecure ID Match can be used for enrolment.
The Rack Control Server provides an interface for the integration of a monitoring system.
Enrolment and Monitoring (architecture diagram): the customer LAN connects a PalmSecure ID Match for enrolment with the Rack Control Server of each block (Block 1 … Block n); each block has its own PalmSecure ID Match and its racks/cages (Rack/Cage 1 … Rack/Cage n), each with a Rack Management System.
Caging in the data center – without fences
Racks physically secured by fences versus racks secured by the Managed Rack Solution.
Benefits: saves space and money; reduces security risks.
Solution structure – Base package
The base package contains all components that are necessary for a block of a Managed Rack Solution:
1 Rack FUJITSU M2 or Emerson-Knürr DCM Colocation with 1, 2 or 3 cages: electromechanical locks (MLR1000), RMSII compact, door contact sensors; optional: penetration sensors
1 Rack Control Server PRIMERGY RX1330
1 PalmSecure ID Match
FUJITSU Managed Rack Solution Software
Installation, configuration and handover service complete the base package: installation and configuration of the infrastructure; initial startup in the customer’s environment; handover and briefing of the customer. The solution will be delivered completely installed and preconfigured.
With extensions
The base package is optionally expandable: additional racks of different types; PalmSecure ID Match systems for local or central control / enrolment; additional base packages for additional blocks.
Services
Additional service packages for extension, consulting and training round off the solution.
Rack Solution roadmap (2015–2017)
Sealed Rack Solution (SRS): protection against physical access with strengthened hardware cages; protection against electronic attacks with closed ports and end-to-end encryption.
Managed Rack Solution (MRS): only authorized persons have physical access to servers and components inside the racks and cages respectively; accesses and actions will be recorded in an auditable fashion; user guidance occurs with easy and intuitive menus.
Roadmap milestones: MRS 1.0 initial version; MRS 1.1 monitoring with Nagios / Icinga; MRS EFT (Early Field Trial); SRS EFT (Early Field Trial only); SRS 1.0 initial version.