Security Metric of the Week #77: Computer suite power consumption versus its air conditioning capacity
Monitoring the total electrical power consumed by the computer suite (building, room, cupboard, whatever) is a basic control measure that is useful for managing the power supply, for example ensuring that it remains within the safety limits and engineering constraints of the cabling and switch-gear. If (when!) the power consumption approaches a limit, and preferably well before it does, decisions have to be made about levelling off the trend (e.g. by replacing older IT equipment with more energy-efficient green stuff) or upgrading the supply, preferably through a coherent, planned, professional program of engineering work. Computer suite power consumption is itself a highly PRAGMATIC metric.
Besides the heat that enters from the surrounding environment and sunshine, nearly all of the electrical energy fed into the computer suite through the power system ends up as heat, and that heat also has to be removed by the air conditioning system. The power consumption is therefore closely associated with the air conditioning load, which in turn has implications for the capacity and reliability of the aircon, which in turn affects the computer equipment and the ICT services it delivers.
Measuring the heat load in the computer suite is trickier than one might suppose. It is feasible to maintain an inventory of the installed equipment, with details about the power consumption of every item, but it takes some effort to keep it sufficiently complete and accurate. Periodic audits are probably going to be needed if you go down this route. The inventory is therefore a fairly costly control, but the expense may be justified by the other uses the inventory has. In addition to the power consumption and heat load aspect, an inventory is also useful for capacity planning, systems and network management, equipment configuration and maintenance, software licensing, business continuity management, and financial management.
In contrast, measuring the actual power consumption is comparatively easy: even a simple clamp-on ammeter will tell the electrical engineers roughly how much power is being drawn on each circuit at an instant, while computerised full-time power logging and alerting is no big deal. [The data may even be precise enough to cross-check the inventory: a sudden step change in power consumption is a strong hint that someone has installed a new system but forgotten to update the records!]
Comparing the power consumption (energy in) against the installed and currently operating air-conditioning capacity (heat out) is one way to confirm that the air-conditioners are not being pushed too hard, supplementing other measures such as the most obvious one, room temperature.
Tracking and comparing both parameters over time will indicate whether the tendency to install more and more powerful IT equipment is being matched by corresponding changes to the power and cooling systems. It also informs important decisions about maintenance and upgrades.
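As an added illustration (this is not code from the original post, nor anything ACME uses), here is a small Python script that does the arithmetic the last three paragraphs describe: it treats the logged electrical load as the heat load the aircon must reject, compares it with the installed cooling capacity and with the capacity left when one unit is out of service, flags step changes in the power log that suggest undocumented kit, cross-checks the log against an equipment inventory, and projects how long the current growth trend leaves before the cooling design limit is reached. All of the equipment names, readings and plant figures are constructed for the example.

```python
"""Added example, not from the original post: heat load versus aircon capacity,
step-change detection in a power log, inventory cross-check and trend projection.
Every figure and name here is constructed for illustration."""
from dataclasses import dataclass

KW_TO_BTU_PER_HOUR = 3412.14  # 1 kW of heat rejected = 3412.14 BTU/h

# Constructed hourly power-log readings (kW) for a small computer room.
SAMPLE_READINGS_KW = [4.20, 4.25, 4.18, 4.22, 4.89, 4.91, 4.87]
# Constructed inventory: typical running draw in watts per item.
SAMPLE_INVENTORY_W = {"db-01": 850, "db-02": 850, "web-01": 400,
                      "web-02": 400, "san-01": 1200, "core-sw-01": 600}
# Constructed monthly peak loads (kW) used for the trend projection.
SAMPLE_MONTHLY_PEAK_KW = [3.90, 4.00, 4.15, 4.30, 4.45, 4.60]


@dataclass
class CoolingPlant:
    units: int                       # air-conditioning units installed
    unit_capacity_kw: float          # cooling (thermal) capacity of each unit
    design_utilisation: float = 0.8  # fraction of capacity regarded as comfortable

    def capacity_kw(self, units_available=None):
        n = self.units if units_available is None else units_available
        return n * self.unit_capacity_kw


SAMPLE_PLANT = CoolingPlant(units=2, unit_capacity_kw=3.5)  # constructed plant


def cooling_assessment(electrical_kw, plant, units_available=None):
    """IT kit turns essentially all electrical input into heat, so the heat load
    is taken as the electrical load. Compare it with the cooling capacity,
    optionally with some units out of service, and classify the result."""
    load = electrical_kw
    capacity = plant.capacity_kw(units_available)
    utilisation = load / capacity
    if utilisation > 1.0:
        status = "OVER CAPACITY"
    elif utilisation > plant.design_utilisation:
        status = "WARNING"
    else:
        status = "OK"
    return {"heat_load_kw": round(load, 2),
            "heat_load_btu_h": round(load * KW_TO_BTU_PER_HOUR),
            "capacity_kw": round(capacity, 2),
            "utilisation": round(utilisation, 3),
            "status": status}


def step_changes(readings_kw, threshold_kw):
    """Return (index, delta_kw) for consecutive readings that jump by at least
    threshold_kw; an unplanned jump usually means kit was added or removed
    without the inventory being updated."""
    flagged = []
    for i in range(1, len(readings_kw)):
        delta = readings_kw[i] - readings_kw[i - 1]
        if abs(delta) >= threshold_kw:
            flagged.append((i, round(delta, 2)))
    return flagged


def inventory_check(inventory_w, measured_kw, tolerance=0.10):
    """Compare the inventory's total expected draw with the measured load."""
    expected_kw = sum(inventory_w.values()) / 1000.0
    variance_kw = measured_kw - expected_kw
    ratio = variance_kw / expected_kw
    return {"inventory_kw": round(expected_kw, 2),
            "measured_kw": measured_kw,
            "variance_kw": round(variance_kw, 2),
            "variance_pct": round(ratio * 100, 1),
            "consistent": abs(ratio) <= tolerance}


def growth_per_period_kw(series_kw):
    """Least-squares slope of the load series, in kW per period."""
    n = len(series_kw)
    x_mean = (n - 1) / 2
    y_mean = sum(series_kw) / n
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(series_kw))
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    return sxy / sxx


def periods_until_design_limit(series_kw, plant):
    """Periods until the load reaches design_utilisation of full capacity,
    extrapolating linearly from the latest reading; None if load is not growing."""
    slope = growth_per_period_kw(series_kw)
    if slope <= 0:
        return None
    limit_kw = plant.design_utilisation * plant.capacity_kw()
    return max(0.0, (limit_kw - series_kw[-1]) / slope)


if __name__ == "__main__":
    latest = SAMPLE_READINGS_KW[-1]
    print("all units running :", cooling_assessment(latest, SAMPLE_PLANT))
    print("one unit failed   :", cooling_assessment(latest, SAMPLE_PLANT, 1))
    print("step changes      :", step_changes(SAMPLE_READINGS_KW, 0.3))
    print("inventory check   :", inventory_check(SAMPLE_INVENTORY_W, latest))
    print("months to limit   :", periods_until_design_limit(SAMPLE_MONTHLY_PEAK_KW, SAMPLE_PLANT))
```

On the constructed figures the room is comfortably within capacity while both aircon units run, but over capacity as soon as one unit fails, which is exactly the N+1 question the post asks about UPSs and generators further down; the power log also shows a 0.67 kW step that the inventory does not account for, and the measured load sits about 13% above the inventoried total, so the records want auditing.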
ACME managers rated the metric thus:
| P  | R  | A  | G  | M  | A  | T  | I  | C  | Score |
| 81 | 69 | 89 | 92 | 80 | 99 | 98 | 90 | 98 | 88%   |
(PRAGMATIC: Predictive, Relevant, Actionable, Genuine, Meaningful, Accurate, Timely, Independent, Cost-effective)
The excellent ratings for Accuracy, Timeliness and Cost-effectiveness push this metric high on ACME's metrics wish-list.
Measures of this nature are valuable for most organizations, and are more-or-less essential for organizations that depend heavily on the availability of critical IT systems. The metric is, in fact, an example from an entire category of physical/engineering-type information security metrics that is often neglected, particularly when the physical facilities are managed by a corporate facilities function or an outsourcer, independently of IT. Think about it: do you have the information to know whether the UPS and generators supporting your mission-critical computer facilities are operating comfortably within their limits, or are they running on a knife edge, ready to fall in a heap if not burst into flames the next time someone plugs yet another ultra-high-capacity blade server into a bulging rack? Is your computer equipment about to fall through the false floor, literally, or choke itself up on dust? Are the fire alarms and extinguisher systems being professionally maintained, adapted and tested to reflect changes in the layout and use of the racks? There are substantial information security risks associated with the physical environment and supplies for the computer suite: are your metrics up to scratch?
Furthermore, this metric is a shining example of the value of analyzing suitable combinations of raw data or information from independent measures, gaining additional insight over and above what each one gives in isolation. While ISO/IEC 27004:2009 blabbers on about 'base measures', 'derived measures' and 'indicators' in its inimitable style, this is a practical illustration of the concept. The same principle of aggregating, comparing and contrasting measures applies at even higher levels too, so in theory it would be possible to end up with the ultimate measure-of-measures, an overall "information security score" for the enterprise. Whether that is possible, or sensible, in reality is left as a little metrics exercise for you, dear reader.