Your legally binding e-signature is required below.
Revision Date: 4/30/2015 1
Math Science Data Center
Shared Data Center Users Guide
Authors: Jack Ewart
Bill Labate Felipe FuentesRevision Date: 4/30/2015 2
Introduction Revision Date: 4/30/2015 3
The information technology environment at UCLA is rapidly changing. In particular, departments are purchasing larger, more powerful servers to meet their business needs. With the increase in the number of these servers in departments, there has developed the need to set up environments to house this equipment that are similar to those of a traditional data center. The servers require specific environmentals, enhanced security access, fire alarms/suppression, Uninterrupted Power Supplies (UPS), Campus Backbone connectivity, and a number of other elements.
These environmental elements that have been standard within a typical data center are now also required by departments that have mission-critical servers. Further, as application availability extends beyond the normal departmental working hours to 24×7, staff to monitor the servers, applications and associated network connectivity are also needed. Supplying these support functions put an additional strain on departmental budgets and result in duplicated efforts.
Housing mission-critical, production application servers within the Math Science (MSA) Data Center is a solution that ensures the best environment for these servers and that is also cost-effective. Servers defined as “mission critical” to the university will be the only servers housed within the MSA Data Center at this time.
This document provides all the information a department will need to house their production application servers the Math Science Data Center.
The MSA Data Center is a very secure environment. The procedures described in this document have been developed to maintain the secure Data Center environment and must be followed by people working in the Data Center. It is important that any department contemplating the installation of their departmental servers at MSA fully understand and agree to these procedures.Revision Date: 4/30/2015 4
Security Revision Date: 4/30/2015 5
Data Center Physical Security Policy & Procedures
Security for the MSA Data Center is the responsibility of all departments that are sharing the data center space. The following are the general requirements, policies, and practices that govern access to this sensitive area, for which a Joint Management Team has responsibility. The Joint management Team is comprised of Jack Ewart, Director, Data Center Services and Bill Labate, manager, Application Technology Services. It is important that all University faculty, staff, and business associates follow these policies and practices. Failure to do so is considered grounds for personnel action up to and including dismissal and/or prosecution. Failure of a vendor, consultant or contractor to follow the guidelines set forth in this document are grounds for termination of agreements and potential legal action.
All access to the MSA Data Center must be authorized by the Joint Management Team.
Access privileges will only be granted to individuals who have a business need to be in the data center.
All departmental staff sharing the Data center will familiarize themselves thoroughly with this document. Any questions regarding policies and procedures should be addressed to the Joint Management Team.
The only exception allowed to the Data Center Security Policies and Practices is temporary suspension of these rules if it becomes necessary to provide access to medical, fire and/or police officials, etc.
Levels of Access to the MSA Data Center
There are three “Levels of Access” to the MSA Data Center – Controlling Access, Escorted Access and Unescorted Access.
Controlling Access is given to people who have free access authority into the Data Center. Controlling Access is granted to the AIS and ATS staff whose job responsibilities require that they have access to the area. These individuals also have the authority to grant temporary access to the Data Center and to enable others to enter and leave the Data Center. People with Controlling Access are responsible for the security of the area, and for any individuals that they allow into the Data Center. Individuals with Controlling Access to the Data Center normally will be granted Revision Date: 4/30/2015 6
access via thumbprint and will be placed on the UCLA Police Department’s Authorized Access List. Any individual receiving Controlling Access must go through a formal background check performed by the UCLA Police Department.
Individuals with Controlling Access to the area may allow properly authorized and logged Supervised Access to and from the Data Center.
Escorted Access is closely monitored access given to people who need infrequent presence in the Data Center. Individuals with Escorted Access will not normally be issued keys or be granted access via TouchNet.
A person given Escorted Access to the area must log in and out under the direct supervision of a person with Controlling Access, must provide positive identification upon demand, and must leave the area when requested to do so. They must also wear their Bruin Identification Card at all times. Non-UCLA visitors will be given a “Visitor” badge after they sign in.
A person with Escorted Access to the area must not allow any other person to enter or leave the area.
Unescorted Access is granted to a person who does not qualify for Controlling Access but has a legitimate business reason for periodic unsupervised access to the Data Center. An example of this would be a faculty member (or his or her student designee) who has a cluster and requires access to work on their system. Individuals with Unescorted Access to the Data Center will be granted access to the area via TouchNet security and will be placed on the UCLA Police Department’s Authorized Access List.
Unescorted Access personnel cannot authorize others to be granted unsupervised access to the Data Center. Faculty and Research personnel may escort a group of people into the Data Center as long as everyone stays within a group. Faculty and researchers are responsible for their group during the entire visit. All individuals with Unescorted Access must wear their Bruin ID Cards.
Students who are given Unescorted Access may NOT escort anyone into the Data Center without approval from personnel with Controlling Access authority. With written permission from the Joint Management Team, a student with Unescorted Access may only bring a maximum of two people at a time into the Data Center. All visitors who are UCLA employees must display their UCLA Bruin ID Cards. Visitors who are not UCLA employees must wear a “Visitors” badge. ALL visitors must sign in when entering and sign out when leaving the MSA Data Center.
MSA Data Center Revision Date: 4/30/2015 7
The “MSA Data Center” is a restricted area requiring a much greater level of control than normal non-public University spaces. Those individuals who are expressly authorized to do so by the Joint Management Team only may enter this area. Furthermore, this area may only be entered to conduct authorized University business.
All doors to the Data Center Secure Area must remain locked at all times and may be temporarily opened for periods not to exceed that minimally necessary in order to:
Allow officially approved and logged entrance and exit of authorized individuals
Permit the transfer of supplies/equipment as directly supervised by a person with Controlling Access to the area
Prop open a door to the MSA Data Center ONLY if it is necessary to increase airflow into the Data Center in the case on an air conditioning failure. In this case, staff personnel with Controlling Access must be present and limit access to the Data Center.
Thumbprint Security System and Keys
A specialized “Thumbprint” access control system provides the normal mechanism for control of access to the Data Center. These mechanisms are employed at the Data Center doors. Under no circumstances may an individual attempt to bypass the Thumbprint system to gain access for them or permit access to another individual.
Violation of any of these rules governing thumbprint security is extremely serious and could lead to disciplinary actions up to and including termination.
Access Control Log
The Access Control Log must be properly maintained at all times. The Log is maintained by Operations staff. All individuals with Controlling Access to the Data Center are responsible for maintaining this log. The following procedures must be followed:
Each time an individual with Escorted Access to the Data Center is admitted to the area, he must properly log in on the Access Control Log at the time of entrance. The person admitting the visitor must countersign and fill out the appropriate section of the form.
Each time an individual with Escorted Access leaves the area, he must properly log out on the Access Control Log at the time he leaves (even if only for a short
Revision Date: 4/30/2015 8
time). The person with Controlling Access to the area who allows the visitor to leave must fill out the “Log Out” section of the Access Control Log.
All infractions of the Data Center Security Rules should be reported to either the Data Center Shift Supervisors or the AIS Operations Manager. If the infraction is serious, the campus police should be notified.
When an unauthorized individual is found in the Data Center it should be reported immediately to a member of the Joint Management Team If this occurs during the evening hours, the AIS Operations Manager should be contacted. He or she will determine if the campus police should be contacted. The unauthorized individual should be escorted from the Data Center and a full written report should be immediately submitted to the Joint Management Team.
Any attempt to forcibly or improperly enter of the Data Center should be immediately reported to campus police who should be summoned to deal with the situation. The senior person present will report the incident in writing to the Joint Management Team.
Individuals with Controlling Access to the area are to monitor the area and remove any individual who appears to be compromising either the security of the area or its activities, or who is disrupting operation. It is particularly important that individuals with Controlling Access to show initiative in monitoring and maintaining the security of the Data Center. Periodic reviews of individuals with Unescorted Access to the Data Center will be performed by the Joint Data Center Management Team. If an individual no longer requires MSA Data Center access, it will be revoked.
Requesting Access to the MSA Data Center
Departments that have computer equipment in the Data Center will be granted access to the area once authorized by the Joint Management Team
For those requiring access to the Data Center, the manager of the department requesting access to the Data Center should forward a request to Felipe Fuentes, AIS Operations Manager either in writing or E-Mail (email: firstname.lastname@example.org).
The AIS Operations Manager will set up an appointment with the person requesting access in order to register the person in the security system. At the same time the person will be provided with a copy of the Shared Data Center User’s Guide. The “Request for Access” form must be filled at this time.
When a person who has access to the Data Center terminates his employment or transfers out of the department, that person’s department is required to notify the AIS Operations Manager as soon as possible so that his access to the Data Center can be Revision Date: 4/30/2015 9
deleted as soon as is reasonable. This is extremely important in cases where the employee was terminated for cause Revision Date: 4/30/2015 10
Hardware, Software and Networking Revision Date: 4/30/2015 11
Hardware, Software and Networking
Departments are responsible for configuring and purchasing their servers and associated peripherals such as racks, monitors and tape backup units. The servers and peripherals must be rack-mounted and the department is responsible for providing the racks. AIS must be involved in the purchase decision to ensure that all racks fit MSA Data Center standards.
The departments are responsible for connectivity to the campus backbone and associated networking and firewalls between their backbone connection and their servers.
The departments are responsible for un-boxing and installing their hardware and software. Boxes and trash need to be disposed of properly. Equipment should be unboxed and hung in the racks soon after it arrives in the Data Center, as there is no storage area available.
Cabling runs under the floor must be coordinated with AIS. Cabling systems should be used with ties to maintain a neat and orderly environment.
Departments are responsible for configuring and purchasing their servers and associated peripherals such as racks, monitors and tape back-up units. The servers and peripherals must be rack-mounted; 1U for compute nodes and preferably head nodes unless they function as a file server as well. File server nodes should be limited to 4U. Consultation with ATS prior to ordering is required to ensure equipment meets ATS Hosting Standards that pertain to physical space, environmental requirements and compatibility with existing equipment and services. ATS will provide the racks for hosted systems.
ATS will provide a single external IP address for hosted clusters. Addresses for the remaining cluster nodes should be allocated from non-routable address space, such as the 10.0.0.0 net. If nodes other than the head node need to communicate externally, NAT (IP masquerade) must be used. Additional IP addresses are available upon request.
The departments are responsible for un-boxing and installing their hardware and software unless prior arrangements have been made with ATS via a signed ATS Hosting Agreement. Boxes and trash need to be disposed of properly. Equipment should be unboxed and hung in the racks soon after they arrive in the Data Center, as there is no storage area available. Revision Date: 4/30/2015 12
Equipment Deliveries Revision Date: 4/30/2015 13
Procedures for the pick-up and delivery of equipment at the MSA Data Center
A log has been set up to track the delivery and pick-up of equipment from the Data Center. The log identifies and verifies all equipment that is brought into or removed from the Data Center.
The AIS Operations manager will be responsible for logging all AIS equipment that is scheduled to arrive or be picked up from the Data Center.
Any department that is planning to have equipment delivered or picked up from the Data Center should contact the Data Center at Ext. 5-4212. Please provide the Operator with the following information so that he or she can put it in the equipment log:
For the delivery of equipment:
Expected day of delivery
P.O. number for the equipment (if known)
Vendor name and description of the equipment
Person to be contacted when the equipment arrives
For the pick-up of equipment:
Expected day the equipment will be picked up
Vendor name and the description and location of the equipment to be picked up
Name of person to be notified once equipment is picked up
Operations will be responsible for putting logging entries and for contacting the people who need to know the status of the equipment that has been logged. Revision Date: 4/30/2015 14
AIS Support Revision Date: 4/30/2015 15
AIS, Operations will provide the following support:
o Monitor (24 x 7 x 365) all equipment residing in the MSA Data Center.
o Escalate issues to the support groups for any problems with a department’s server.
o Monitor physical access to the MSA Data Center.
o Verify delivery of all equipment shipped to MSA. Contact the person receiving the item to notify him of its arrival.
o Perform the loading/unloading of daily back-up of the servers. Ship back-up tapes to off-site storage at the expense of the user department.
MAKE SURE TO RETURN TO PRIOR WINDOW TO SUBMIT FORM.