[AusNOG] [SPAM] Re: Is CCTV a Necessity in a Data Centre?

Joseph Goldman joe at apcs.com.au
Mon Dec 3 08:00:51 EST 2012


For the most part I will say, YES, CCTV is a requirement of a DC.

Co-location facilities - this is quite obvious. It's easy enough to keep 
a log of who is coming and going at the door, but if there are multiple 
parties in the building you can't account for which one may have gone 
looking into a competitor's rack and 'accidentally' broken something. 
CCTV holds them accountable. This is just a camera pointing down the row 
level, it is a rare occurrence I'm sure, but one I'd rather have 
security for.

Private facilities - even though you and your staff are the only ones 
with access, CCTV allows for just peace of mind, you can see what's 
going on down there, allows teams that may be working remotely to get a 
view in, allows for another sense of monitoring, i.e. you glance over at 
the monitors and see some smoke or something else going on?

Having said that my opinion means little, as I am simply mostly a user 
of data centers not so much a designer of big ones.

On 2/12/12 10:57 PM, Joshua D'Alton wrote:
> Given I replied to you originally thinking you were replying privately 
> vs the list, I think it is obvious that the human element is really 
> key, not things like CCTV ;P
>
> Anyway, I'm sure CCTV is essential for things like PCI, to meet the BS 
> red tape, but with regards to the OP post generally, so far we've only 
> heard political/red-tape reasons.
>
> Very interested if you actually have an instance where "It's 
> definitely not a waste of resources, given the number of people who 
> typically come and go in a commercial data centre and the requirement 
> for access to be controlled and monitored", because I've certainly not 
> come across anything public :/
>
> On Sun, Dec 2, 2012 at 10:27 PM, Chris Ricks <chrisr at securepay.com.au> wrote:
>
>     It's not a stretch at all, and CCTV by itself doesn't prevent
>     anything obviously.
>
>     It's definitely not a waste of resources, given the number of
>     people who typically come and go in a commercial data centre and
>     the requirement for access to be controlled and monitored.
>
>     In the case of PCI DSS, many people don't understand that the "D"
>     stands for Data, not Digital. For example, Iron Mountain are
>     compliant but do not store any cardholder data in digital form. In
>     their case, proving physical security is a requirement and being
>     able to show that procedures are followed over time is very easily
>     done with appropriate CCTV coverage.
>
>     As someone who is intimately involved with PCI DSS compliance
>     issues, I can confirm that cameras functioning do a lot for myself
>     and my team without deterrence being one of the benefits.
>
>     Regards,
>
>     Chris
>
>
>
>     On 2/12/2012 9:49 PM, Joshua D'Alton wrote:
>>     Sure, but the real stretch is them thinking that CCTV should be
>>     part of the requirements.
>>
>>     I'm not sure no properly compliant org has suffered a breach, PCI
>>     DSS is not all encompassing as various cons like DEFCON and
>>     Blackhat have shown, but what I am sure of is that there'll never
>>     be a breach that CCTV will prevent. Hence, it is really probably
>>     a waste of resources.
>>
>>     Having fake CCTV will meet any small level of deterrence anyway,
>>     whether they function or not will not help anyone
>>     except bureaucrats..
>>
>>     On Sun, Dec 2, 2012 at 7:33 PM, Chris Ricks
>>     <chris.ricks at securepay.com.au> wrote:
>>
>>         That's a slight stretch, mentioning PCI DSS requirements in
>>         the same context as the Romanian ring.
>>
>>         The victims involved were not at all compliant. To date, no
>>         properly compliant organisation has suffered a breach.
>>
>>
>>         Joshua D'Alton <joshua at railgun.com.au> wrote:
>>
>>         It's a bit like airport security; you have to have it so it
>>         looks like you are secure, but in reality anyone wanting to
>>         do something malicious will firstly be able to still do it,
>>         and secondly probably get away with it.
>>
>>         Looking at PCI DSS, while the costs for CCTV are fairly
>>         insignificant, it is as laughable when compared to the tens
>>         of billions lost as it is the number of hijackings prevented.
>>
>>         The $30 million stolen recently in Australia by a Romanian
>>         ring who had 0 physical access to Australia let alone a rack
>>         in a DC is a fairly poignant example.
>>
>>         On Sun, Dec 2, 2012 at 7:15 PM, Chris Ricks
>>         <chris.ricks at securepay.com.au> wrote:
>>
>>             CCTV is a requirement for us, given requirement 9 of PCI
>>             DSS.
>>
>>             In one of our locations, we have cameras in our rack and
>>             in another we have cameras in our cage facing inwards.
>>
>>
>>             Matt Perkins <matt at spectrum.com.au> wrote:
>>
>>
>>             a) Is CCTV (recording) a necessity within a data centre?
>>
>>              It's a requirement of our insurance company so yes.
>>
>>             b) Would you feel it's appropriate if a data center
>>             provider didn't have CCTV as part of their service
>>             provision and solely relied on physical access logs for
>>             physical security auditing?
>>
>>             No, there is no due diligence. No, there is no backup.
>>             That is, a physical log is one form of security but it has
>>             no backup; CCTV provides a backup.
>>
>>             c) Would you state that CCTV is simply implied as a
>>             standard inclusion when it comes to the provision of data
>>             centre services?
>>
>>             Nothing is implied or standard. Most customers worth
>>             their salt will send you the normal security DD
>>             questionnaire.
>>
>>             Matt.
>>
>>
>>
>>             On 2/12/12 12:38 PM, Chris Macko wrote:
>>>             Hi Matt,
>>>
>>>             Thanks for your feedback, if you have the time, I'd
>>>             really appreciate if you could provide your responses to
>>>             the initial questions. I would like to review the
>>>             industry belief, whilst I have my own experiences and
>>>             beliefs, my own feelings are insufficient to solely use
>>>             in my case study and thus it is necessary for me to
>>>             consider the broad industry responses and beliefs.
>>>
>>>             Rather than just taking the queries to my direct
>>>             colleagues (who may be inclined to think the way I do,
>>>             given that birds of a feather flock together), I'm being
>>>             thorough and taking onboard the comments from the
>>>             complete industry.
>>>
>>>             Regarding logo, this is just an email signature, we
>>>             started off as a design agency so aesthetic design is
>>>             important to us. I've removed our logo for you on this
>>>             response.
>>>
>>>             Kind Regards,
>>>
>>>             *Chris* Macko
>>>             *Managing Director*
>>>             *Interhost Pacific* Pty Ltd t/a Intervolve
>>>
>>>
>>>
>>>
>>>             ------------------------------------------------------------------------
>>>             *From:* ausnog-bounces at lists.ausnog.net *On Behalf Of* Matt Perkins
>>>             *Sent:* Sunday, 2 December 2012 11:51 AM
>>>             *To:* ausnog at lists.ausnog.net
>>>             *Subject:* Re: [AusNOG] [SPAM] Re: Is CCTV a Necessity
>>>             in a Data Centre?
>>>
>>>             Skeeve,
>>>              I saw a system once that took stills out of the rack
>>>             when a reed on the door was triggered. So simply taking
>>>             a record of people who opened the door so it could be
>>>             perhaps more innocent. I'm not sure a camera looking out
>>>             of the rack would be that useful and sure people may be
>>>             upset about their privacy. We have a no camera/photo in
>>>             our center policy for customers and our CCTV monitors
>>>             the general floor and ingress and egress points. It
>>>             would be only scrutinized in the event of some sort of
>>>             security breach anyway. To the broader issue of CCTV.
>>>             Well it's so cheap who would not put it in. Compared to
>>>             the other facility costs.  UPS/GEN Fire etc etc.
>>>
>>>             It's a strange question Chris could you give us some
>>>             background to why ask? You can't help but notice a big
>>>             logo at the start of your email....
>>>
>>>
>>>
>>>             2/12/12 11:59 AM, Skeeve Stevens wrote:
>>>>             Chris,
>>>>
>>>>             I think CCTV is important... but you have to ask a more
>>>>             micro question... where?
>>>>
>>>>             Ingress/Egress, definitely.  Every rack? I don't think
>>>>             so.  As long as you can verify who went in and out, and
>>>>             where they went... i.e. which room, then you are fine.
>>>>
>>>>             No one wants to be constantly watched as they do their
>>>>             job, and let's be honest here... video of an engineer
>>>>             sitting on the floor typing on a laptop, or inside a
>>>>             rack playing with things, isn't exactly going to give
>>>>             you much information about what they are doing, and
>>>>             anything it does, is unlikely to be in context.
>>>>
>>>>             I've seen people even have cameras in their rack
>>>>             looking out... never sure what that was for.  I used to
>>>>             have one in a rack opposite where I used to regularly
>>>>             work in Global Switch, so I just stuck a bit of paper
>>>>             over it.  No idea whose it was, but they didn't have a
>>>>             right to film me doing my work.  It is also illegal
>>>>             since they don't have a sign saying they are doing it,
>>>>             and I am sure they don't have a
>>>>             covert surveillance warrant.
>>>>
>>>>             Reference:
>>>>             http://www.legislation.nsw.gov.au/fullhtml/inforce/act+47+2005+FIRST+0+N
>>>>
>>>>             When it comes to DC's, I am not sure what defines a
>>>>             workplace however... and surveillance when people have
>>>>             cameras inside their racks looking out, may be illegal.
>>>>
>>>>             Essentially, if you can't trust the DC's security, you
>>>>             probably shouldn't be using that DC.
>>>>
>>>>             Who went where, most importantly, when, is all you need.
>>>>
>>>>             ...Skeeve
>>>>             Skeeve Stevens, CEO - eintellego Pty Ltd
>>>>
>>>>
>>>>             On Sun, Dec 2, 2012 at 11:18 AM, Chris Macko
>>>>             <cmacko at intervolve.com.au> wrote:
>>>>
>>>>                 Hi All,
>>>>
>>>>                 I'm performing a small case study and would really
>>>>                 appreciate if you're able to provide your feedback
>>>>                 in relation to the following questions regarding
>>>>                 CCTV within a data centre;
>>>>
>>>>                 a) Is CCTV (recording) a necessity within a data
>>>>                 centre?
>>>>                 b) Would you feel it's appropriate if a data centre
>>>>                 provider didn't have CCTV as part of their service
>>>>                 provision and solely relied on physical access logs
>>>>                 for physical security auditing?
>>>>                 c) Would you state that CCTV is simply implied as a
>>>>                 standard inclusion when it comes to the provision
>>>>                 of data centre services?
>>>>
>>>>                 My personal experience is that CCTV is necessary
>>>>                 within data centre services in order to investigate
>>>>                 potential physical security breaches in events
>>>>                 where physical access logs don't provide the
>>>>                 necessary information being investigated. I also
>>>>                 feel that a data centre without CCTV would be akin
>>>>                 to a human without oxygen, in that both co-exist
>>>>                 and are co-dependent.
>>>>
>>>>                 I would however really appreciate your thoughts and
>>>>                 feedback. Thank you!
>>>>
>>>>                 Kind Regards,
>>>>
>>>>                 *Chris* Macko
>>>>                 *Managing Director*
>>>>                 *Interhost Pacific* Pty Ltd t/a Intervolve
>>>>
>>>>
>>>>
>>>>
>>>>                 _______________________________________________
>>>>                 AusNOG mailing list
>>>>                 AusNOG at lists.ausnog.net
>>>>                 http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>
