[AusNOG] [SPAM] Re: Is CCTV a Necessity in a Data Centre?

Joshua D'Alton joshua at railgun.com.au
Sun Dec 2 22:57:12 EST 2012


Given I replied to you originally thinking you were replying privately vs
the list, I think it is obvious that the human element is really key, not
things like CCTV ;P

Anyway, I'm sure CCTV is essential for things like PCI, to meet the BS red
tape, but with regards to the OP post generally, so far we've only heard
political/red-tape reasons.

Very interested if you actually have an instance where "It's definitely not
a waste of resources, given the number of people who typically come and go
in a commercial data centre and the requirement for access to be controlled
and monitored", because I've certainly not come across anything public :/

On Sun, Dec 2, 2012 at 10:27 PM, Chris Ricks <chrisr at securepay.com.au> wrote:

>  It's not a stretch at all, and CCTV by itself doesn't prevent anything
> obviously.
>
> It's definitely not a waste of resources, given the number of people who
> typically come and go in a commercial data centre and the requirement for
> access to be controlled and monitored.
>
> In the case of PCI DSS, many people don't understand that the "D" stands
> for Data, not Digital. For example, Iron Mountain are compliant but do not
> store any cardholder data in digital form. In their case, proving physical
> security is a requirement and being able to show that procedures are
> followed over time is very easily done with appropriate CCTV coverage.
>
> As someone who is intimately involved with PCI DSS compliance issues, I
> can confirm that cameras functioning do a lot for myself and my team
> without deterrence being one of the benefits.
>
> Regards,
>
> Chris
>
>
>
> On 2/12/2012 9:49 PM, Joshua D'Alton wrote:
>
> Sure, but the real stretch is them thinking that CCTV should be part of
> the requirements.
>
>  I'm not sure no properly compliant org has suffered a breach, PCI DSS is
> not all encompassing as various cons like DEFCON and Blackhat have shown,
> but what I am sure of is that there'll never be a breach that CCTV will
> prevent. Hence, it is really probably a waste of resources.
>
>  Having fake CCTV will meet any small level of deterrence anyway, whether
> they function or not will not help anyone except bureaucrats..
>
> On Sun, Dec 2, 2012 at 7:33 PM, Chris Ricks <chris.ricks at securepay.com.au> wrote:
>
>> That's a slight stretch, mentioning PCI DSS requirements in the same
>> context as the Romanian ring.
>>
>> The victims involved were not at all compliant. To date, no properly
>> compliant organisation has suffered a breach.
>>
>>
>> Joshua D'Alton <joshua at railgun.com.au> wrote:
>>
>> It's a bit like airport security; you have to have it so it looks like you
>> are secure, but in reality anyone wanting to do something malicious will
>> firstly be able to still do it, and secondly probably get away with it.
>>
>>  Looking at PCI DSS, while the costs for CCTV are fairly insignificant,
>> it is as laughable when compared to the tens of billions lost as it is the
>> number of hijackings prevented.
>>
>>  The $30 million stolen recently in Australia by a Romanian ring who had
>> 0 physical access to Australia let alone a rack in a DC is a fairly
>> poignant example.
>>
>> On Sun, Dec 2, 2012 at 7:15 PM, Chris Ricks <chris.ricks at securepay.com.au> wrote:
>>
>>> CCTV is a requirement for us, given requirement 9 of PCI DSS.
>>>
>>> In one of our locations, we have cameras in our rack and in another we
>>> have cameras in our cage facing inwards.
>>>
>>>
>>> Matt Perkins <matt at spectrum.com.au> wrote:
>>>
>>>
>>> a) Is CCTV (recording) a necessity within a data centre?
>>>
>>>  It's a requirement of our insurance company so yes.
>>>
>>> b) Would you feel it's appropriate if a data center provider didn't have
>>> CCTV as part of their service provision and solely relied on physical access
>>> logs for physical security auditing?
>>>
>>> No, there is no due diligence. No, there is no backup. That is, a physical
>>> log is one form of security but it has no backup; CCTV provides a backup.
>>>
>>> c) Would you state that CCTV is simply implied as a standard inclusion
>>> when it comes to the provision of data centre services?
>>>
>>> Nothing is implied or standard. Most customers worth their salt will
>>> send you the normal security DD questionnaire.
>>>
>>> Matt.
>>>
>>>
>>>
>>> On 2/12/12 12:38 PM, Chris Macko wrote:
>>>
>>>
>>>
>>>
>>>
>>>
>>> Hi Matt,
>>>
>>> Thanks for your feedback, if you have the time, I'd really appreciate if
>>> you could provide your responses to the initial questions. I would like to
>>> review the industry belief, whilst I have my own experiences and beliefs,
>>> my own feelings are insufficient to solely use in my case study and thus it
>>> is necessary for me to consider the broad industry responses and beliefs.
>>>
>>> Rather than just taking the queries to my direct colleagues (who may be
>>> inclined to think the way I do, given that birds of a feather flock
>>> together), I'm being thorough and taking onboard the comments from the
>>> complete industry.
>>>
>>> Regarding logo, this is just an email signature, we started off as a
>>> design agency so aesthetic design is important to us. I've removed our logo
>>> for you on this response.
>>>
>>> Kind Regards,
>>>
>>> Chris Macko
>>> Managing Director
>>> Interhost Pacific Pty Ltd t/a Intervolve
>>>
>>>
>>>
>>>  ------------------------------
>>> *From:* ausnog-bounces at lists.ausnog.net *On Behalf Of* Matt Perkins
>>> *Sent:* Sunday, 2 December 2012 11:51 AM
>>> *To:* ausnog at lists.ausnog.net
>>> *Subject:* Re: [AusNOG] [SPAM] Re: Is CCTV a Necessity in a Data Centre?
>>>
>>> Skeeve,
>>> I saw a system once that took stills out of the rack when a reed on the
>>> door was triggered. So simply taking a record of people who opened the door
>>> so it could be perhaps more innocent. I'm not sure a camera looking out of
>>> the rack would be that useful and sure people may be upset about their
>>> privacy. We have a no camera/photo in our center policy for customers and
>>> our CCTV monitors the general floor and ingress and egress points. It would
>>> be only scrutinized in the event of some sort of security breach anyway.
>>> To the broader issue of CCTV. Well, it's so cheap, who would not put it in?
>>> Compared to the other facility costs: UPS/GEN, fire, etc.
>>>
>>> It's a strange question, Chris. Could you give us some background to why
>>> you ask? You can't help but notice a big logo at the start of your email....
>>>
>>>
>>>
>>> On 2/12/12 11:59 AM, Skeeve Stevens wrote:
>>>
>>> Chris,
>>>
>>> I think CCTV is important... but you have to ask a more micro
>>> question... where?
>>>
>>>  Ingress/Egress, definitely.  Every rack? I don't think so.  As long as
>>> you can verify who went in and out, and where they went... i.e. which room,
>>> then you are fine.
>>>
>>>  No one wants to be constantly watched as they do their job, and let's
>>> be honest here... video of an engineer sitting on the floor typing on a
>>> laptop, or inside a rack playing with things, isn't exactly going to give
>>> you much information about what they are doing, and anything it does, is
>>> unlikely to be in context.
>>>
>>>  I've seen people even have cameras in their rack looking out... never
>>> sure what that was for.  I used to have one in a rack opposite where I used
>>> to regularly work in Global Switch, so I just stuck a bit of paper over it.
>>>  No idea whose it was, but they didn't have a right to film me doing my
>>> work.  It is also illegal since they don't have a sign saying they are
>>> doing it, and I am sure they don't have a covert surveillance warrant.
>>>
>>>  Reference:
>>> http://www.legislation.nsw.gov.au/fullhtml/inforce/act+47+2005+FIRST+0+N
>>>
>>>  When it comes to DC's, I am not sure what defines a workplace
>>> however... and surveillance when people have cameras inside their racks
>>> looking out, may be illegal.
>>>
>>>  Essentially, if you can't trust the DC's security, you probably
>>> shouldn't be using that DC.
>>>
>>>  Who went where, most importantly, when, is all you need.
>>>
>>>  ...Skeeve
>>> Skeeve Stevens, CEO - eintellego Pty Ltd
>>>
>>>
>>>
>>> On Sun, Dec 2, 2012 at 11:18 AM, Chris Macko <cmacko at intervolve.com.au> wrote:
>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Hi All,
>>>>
>>>> I'm performing a small case study and would really appreciate if you're
>>>> able to provide your feedback in relation to the following questions
>>>> regarding CCTV within a data centre;
>>>>
>>>> a) Is CCTV (recording) a necessity within a data centre?
>>>> b) Would you feel it's appropriate if a data centre provider didn't
>>>> have CCTV as part of their service provision and solely relied on physical
>>>> access logs for physical security auditing?
>>>> c) Would you state that CCTV is simply implied as a standard inclusion
>>>> when it comes to the provision of data centre services?
>>>>
>>>> My personal experience is that CCTV is necessary within data centre
>>>> services in order to investigate potential physical security breaches in
>>>> events where physical access logs don't provide the necessary information
>>>> being investigated. I also feel that a data centre without CCTV would be
>>>> akin to a human without oxygen, in that both co-exist and are co-dependent.
>>>>
>>>> I would however really appreciate your thoughts and feedback. Thank
>>>> you!
>>>>
>>>> Kind Regards,
>>>>
>>>> Chris Macko
>>>> Managing Director
>>>> Interhost Pacific Pty Ltd t/a Intervolve
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> AusNOG mailing list
>>>> AusNOG at lists.ausnog.net
>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>
>>>>
>>>
>>>
>>