Background
I am a PCI QSA. Part of a PCI assessment requires assessing the physical security controls for in-scope systems; this includes, but is not limited to, visiting facilities such as data centres and computer rooms where the CDE is hosted. I have had a good share of visits to these data centres and computer rooms. I have seen the best physical security controls, from acoustic wire, bomb shelters, shatter-proof windows and mantraps inside mantraps, down to computer rooms locked with a key that is not under any dual control. While most data centres are secure by design, the service offerings from these data centres are also fairly standard, including dedicated suites, shared halls and shared cabinets (yes, no need to open your eyes wide), and some other companies will basically say "my systems and data are in the cloud" (where? AWS. Yes, but where? I don't know, let's ask our account manager).
Main body
Most organisations, e.g. merchants and service providers, that have systems hosted by third-party co-location providers may or may not understand the offering in detail; the security department may not be involved in the decision making, or the client may have no idea what the data centre's security looks like from a physical security point of view. It is worth visiting it.
Dedicated halls
- This is where the whole suite is dedicated to one organisation.
- Security controls like CCTV and access control are pretty tight.
Shared halls
- This is a shared space: a bunch of racks from different customers sit in the same space.
- What to look out for: how the cabinets are secured. Some are secured with keyed padlocks, others with combination padlocks, others with both, and I have even seen fingerprint locks.
- Sometimes CCTV is not installed on the aisle, for fear of seeing client systems? How? I don't know.
My take:
- Organisations should understand the co-location services offered.
- They should visit the data centre if possible.
- The security dept. should be involved in deciding which security controls are selected.
- It is best to have controls such as frequent (e.g. quarterly) audits, including checking the inventory, and automated security controls that check for system tampering and for any physical devices that have been plugged into systems in the data centre.
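As an added illustration of the last point (this is example code, not from the original post or any particular product): a small Python script that checks a rack inventory against what a quarterly walk-through observed, and flags USB attach events that are not on an allow-list. The inventory data, the log lines and the allow-list are constructed samples; the dmesg-style line format is assumed to match what a Linux host logs when a USB device is attached.

```python
"""Two automated checks for unexpected hardware in a co-location rack:
1. inventory drift between the authorised asset list and what was observed;
2. USB attach events in a host's kernel log that are not on an allow-list.
"""
import re

# Constructed sample: authorised serial numbers per rack (hypothetical data).
AUTHORISED_INVENTORY = {
    "rack-07": {"SN-A1001", "SN-A1002", "SN-A1003"},
    "rack-08": {"SN-B2001"},
}

# Constructed sample: what the walk-through / discovery scan actually found.
OBSERVED_INVENTORY = {
    "rack-07": {"SN-A1001", "SN-A1003", "SN-X9999"},  # A1002 gone, X9999 unknown
    "rack-08": {"SN-B2001"},
}


def inventory_drift(authorised, observed):
    """Return {rack: (missing, unexpected)} for every rack whose sets differ.

    'missing' are authorised assets nobody could find (possible theft or
    undocumented decommission); 'unexpected' are assets present in the rack
    that the inventory does not know about (possible rogue device).
    """
    drift = {}
    for rack in sorted(set(authorised) | set(observed)):
        expected = authorised.get(rack, set())
        seen = observed.get(rack, set())
        missing = expected - seen
        unexpected = seen - expected
        if missing or unexpected:
            drift[rack] = (sorted(missing), sorted(unexpected))
    return drift


# Constructed kernel log excerpt in the dmesg style Linux uses for USB attach
# events (assumed format; vendor/product IDs here are sample values).
USB_LOG = """\
[  120.451] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[  120.600] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  120.601] usb 1-1: Product: Ultra Fit
[  120.602] usb 1-1: Manufacturer: SanDisk
[  120.603] usb 1-1: SerialNumber: 4C530001
[  300.000] usb 2-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=49.00
[  300.001] usb 2-3: Product: USB Keyboard
"""

# The "New USB device found" line carries the vendor/product IDs; later lines
# on the same port path add the human-readable attributes.
USB_EVENT = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
USB_ATTR = re.compile(
    r"usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.+)"
)


def parse_usb_events(log_text):
    """Group USB attach lines by port path -> {port: {vid, pid, Product, ...}}."""
    devices = {}
    for line in log_text.splitlines():
        m = USB_EVENT.search(line)
        if m:
            devices[m["port"]] = {"vid": m["vid"], "pid": m["pid"]}
            continue
        m = USB_ATTR.search(line)
        if m and m["port"] in devices:
            devices[m["port"]][m["key"]] = m["val"].strip()
    return devices


# Constructed allow-list: only the console keyboard's vendor/product pair is
# expected on these hosts. Anything else plugged in is worth a ticket.
ALLOWED_USB = {("046d", "c31c")}


def unauthorised_usb(devices, allowed=ALLOWED_USB):
    """Return the subset of parsed devices whose (vid, pid) is not allowed."""
    return {port: d for port, d in devices.items()
            if (d["vid"], d["pid"]) not in allowed}


if __name__ == "__main__":
    for rack, (missing, unexpected) in inventory_drift(
            AUTHORISED_INVENTORY, OBSERVED_INVENTORY).items():
        print(f"{rack}: missing={missing} unexpected={unexpected}")
    for port, dev in unauthorised_usb(parse_usb_events(USB_LOG)).items():
        print(f"unauthorised USB on {port}: {dev}")
```

Run against the constructed samples it reports rack-07 as having one missing and one unknown serial, and flags the storage device on port 1-1 while letting the allow-listed keyboard on 2-3 through. In practice the observed inventory would come from a DCIM export or a discovery scan and the log lines from a log collector, but the comparison logic stays the same.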