Do you know what happens to your systems in the data centre?

Background

I am a PCI QSA. Part of a PCI assessment requires assessing the physical security controls for in-scope systems; this includes, but is not limited to, visiting the facilities (e.g. data centres and computer rooms) where the CDE is hosted. I have had a good share of visits to these data centres and computer rooms. I have seen the best physical security controls, from acoustic wire, bomb shelters, shatter-proof windows and mantraps inside mantraps, down to computer rooms locked with a key that is not under any dual control. While most data centres are secure by design, the service offerings from these data centres are also standard, including dedicated suites, shared halls and shared cabinets (yes, now open your eyes wide), and some other companies will basically say "my systems and data are in the cloud" (where? AWS. Yes, but where? I don't know, let's ask our account manager).

Main body

Most organisations, e.g. merchants and service providers who have systems hosted by third-party co-location providers, may or may not understand the offering in detail; the security department may not be involved in the decision making, or the client may have no idea what the data centre's security looks like from a physical security point of view. It is worth visiting it.

Dedicated halls

  • This is where the whole suite is dedicated to one organisation.
  • Security controls like CCTV and access control are pretty tight.

Shared halls

  • This is a shared space: a bunch of racks from different customers sit in the same hall.
  • What to look out for: how the cabinets are secured. Some are secured with a keyed padlock, others with a combination padlock, others with both, and I have even seen fingerprint readers.
  • Sometimes CCTV is not installed on the aisle, for fear of seeing client systems? How? I don't know.

My take:

  • Organisations should understand the co-location services offered.
  • Organisations should visit the data centre if possible.
  • The security department should be involved in the decision making when selecting security controls.
  • It is best to have controls such as frequent (e.g. quarterly) audits, including checking the inventory, and automated security controls to check for system tampering and whether any physical devices have been plugged into systems in the data centre.
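As an added example of the last point (not code from the original post), a small Python check that parses kernel log lines for USB attach events and compares each device against an approved hardware inventory. The log lines, host name and inventory entries are constructed for illustration; the `APPROVED_DEVICES` allow-list stands in for whatever asset register the organisation keeps.

```python
import re

# Constructed sample kernel log lines (journalctl -k style); not taken from any real system.
SAMPLE_KERNEL_LOG = """\
Mar 03 02:14:07 rack12-srv03 kernel: usb 1-1.2: new high-speed USB device number 5 using xhci_hcd
Mar 03 02:14:07 rack12-srv03 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar 03 02:14:07 rack12-srv03 kernel: usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Mar 03 02:14:07 rack12-srv03 kernel: usb 1-1.2: SerialNumber: 4C530001234567890123
Mar 03 09:30:11 rack12-srv03 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Mar 03 09:30:11 rack12-srv03 kernel: usb 1-1.3: SerialNumber: KBD-APPROVED-001
"""

# Hypothetical hardware inventory: (idVendor, idProduct, serial) of devices approved for this host.
APPROVED_DEVICES = {
    ("046d", "c31c", "KBD-APPROVED-001"),  # crash-cart keyboard recorded in the asset register
}

FOUND_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: usb (?P<port>[\d.-]+): "
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL_RE = re.compile(r"kernel: usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)$")

def parse_usb_attachments(log_text):
    """Return one dict per attach event, in log order; re-plugs on the same port are kept."""
    events, latest = [], {}
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            dev = {"ts": m["ts"], "host": m["host"], "port": m["port"],
                   "vid": m["vid"], "pid": m["pid"], "serial": None}
            events.append(dev)
            latest[m["port"]] = dev  # the SerialNumber line follows on the same port
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in latest:
            latest[m["port"]]["serial"] = m["serial"]
    return events

def unapproved_attachments(log_text, approved=APPROVED_DEVICES):
    """Attach events whose (vendor, product, serial) is not in the inventory.
    A device that never reported a serial cannot match and is therefore flagged."""
    return [d for d in parse_usb_attachments(log_text)
            if (d["vid"], d["pid"], d["serial"]) not in approved]

if __name__ == "__main__":
    for d in unapproved_attachments(SAMPLE_KERNEL_LOG):
        print(f"ALERT {d['ts']} {d['host']}: unapproved USB device on port {d['port']} "
              f"(idVendor={d['vid']} idProduct={d['pid']} serial={d['serial']})")
```

Host-side logging only sees devices plugged into that host; an extra device sitting in the rack or on a patch panel never appears here, which is why the inventory check during site visits still matters.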

Author: kinyoka

A certified Information Security professional with more than 10 years of demonstrated experience in the financial, banking, consulting and payment card industries, managing Information Security Management Systems (ISMS). A postgraduate degree holder in Information Security Management (M.Sc); Certified Information Security Manager (CISM), Payment Card Industry Qualified Security Assessor (PCI QSA), SABSA Chartered Security Architect (SCF), ISO 27001 Lead Auditor, CREST Registered Technical Security Architect (TSA), CREST Registered Penetration Tester (CRT), and a member of ISACA. A reliable, trustworthy and meticulous person who has worked in controls-focused, multinational and multicultural organisations over the years and gained a good understanding of what is required of an Information Security professional.

Specialties:

  • ISMS based on ISO/IEC 27001/2
  • Payment Card Industry (PCI) DSS - QSA-led services: PCI scoping, gap analysis and formal assessment (RoC)
  • IT Governance, Risk and Compliance (GRC) management
  • Cyber security
  • Penetration testing
  • Enterprise security architecture
  • Technical security architecture
