The physical security of a data center is a zone of trust that relies on current technologies to protect sensitive client data across a variety of industries. With personal data being processed at record levels, and cloud computing fueling our new normal, it is more important than ever to take a cohesive approach to securing access to customer PII.
For data center providers, the business depends on protecting their assets and customers from a business, moral and legal standpoint. As a result, many compliance mandates now put structure around how security should be approached when protecting data center facilities across many industries.
Financial Services
PCI DSS – Governs physical security and access to areas that process sensitive cardholder payment data, such as data centers and customer contact centers.
PCI DSS encompasses anywhere customer payment information is stored, handled or processed.
Section 9 – requires strong access control whereby access to the cardholder data environment is restricted through the use of multi-factor authentication: a combination of something you know (i.e. a password), something you have (i.e. an access card) and something you are (i.e. biometrics).
Healthcare
HIPAA – Governs physical security and access to personally identifiable health information.
Section 164.310 – requires unique user identification for anyone accessing sensitive health information in physical or digital environments. This section specifically references the need for a coherent physical security plan to prevent access to equipment used for the storage or processing of these records.
Energy & Utilities
NERC CIP – Governs the protection of stations or substations and their primary control centers which, if rendered inoperable or damaged by a physical attack, could result in widespread instability, uncontrolled separation, or cascading within an interconnection.
NERC CIP-006-6 – requires a number of physical security management procedures, covering both access to and auditing of physical security perimeters. It also requires two of the following authentication methods: something you know (i.e. a password), something you have (i.e. an access card) or something you are (i.e. biometrics).
General Guidelines
SSAE 18 SOC 2 (formerly SSAE 16) – Applies to any company that provides outsourced services affecting another company's financial statements; such a company can request an audit. SSAE 18 includes three types of reports that review different aspects of a company's operations.
The Service and Organization Controls (SOC) 2 report focuses on security and privacy.
Section .05 of SSAE 18 – requires preventing unauthorized access to both digital and physical systems.
According to the 2020 Cost of a Data Breach Report (IBM), the global average total cost of a data breach is USD 3.86 million, whereas the average cost of a data breach in the United States is significantly higher at USD 8.64 million, further underscoring the importance of protecting customer data.
Data center providers are ultimately stewards of their customers, trusted with some of the most important functions of running their day-to-day operations. For this reason we can't oversimplify physical security as a check box; it must be a way to consistently evolve the approach to protecting environments as new threats present themselves.
Does your data center or cage security need an upgrade?
Resources:
- https://www.ibm.com/security/data-breach
- https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI_DSS-v3_2.pdf
- https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-006-6.pdf
- https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf
- https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf