The chatter on cloud security continues:
http://gigaom.com/2008/12/11/cloud-security-the-sky-is-falling/
http://4sysops.com/archives/is-cloud-computing-secure-pro-and-contra-cloud-security/
My company, MomentumSI, has been working on a template RFI/RFP for cloud providers. One of the sections is "Cloud Security - Physical". This section doesn't cover logical security (information, passcodes, on-wire, etc.).
I'd love to get any feedback on the following questions:
1. Describe the concentric control boundaries (whole site, building and sensitive areas).
2. Describe the use of authentication & access control (keys, badges, facial recognition, voice recognition, hand-prints, iris scans, signature analysis, etc.).
3. Describe the exterior wall and window specifications (thickness, Kevlar lining, bomb-resistant laminated glass, etc.).
4. Describe buffer zones and retractable crash barriers.
5. Describe internal partition walls and their ability to limit the spread of fire and provide separate access zones.
6. Describe capabilities to prevent unauthorized access under raised floors or above false ceilings.
7. Describe the securing of cages and racks.
8. Describe the security procedures applied to employees and contractors of the facility (background checks, drug checks, etc.).
9. Describe the process for rotating IDs or passwords after certain time periods or events (employee is fired or quits, etc.).
10. Describe the security procedures applied to non-employee visits.
11. Describe the process of physical and virtual key issue and revocation.
12. Describe capabilities related to proactively finding explosive devices.
13. Describe your surveillance capabilities (cameras, motion detectors, micro-switches, pressure pads, alarms, etc.).
14. Describe the security related to your mechanical areas (UPS, external cooling, etc.).
15. Describe the use of security guards, their training and enforcement capabilities.
16. Describe the use of independent security audits, including depth, frequency and the availability of the results to clients and prospects.
17. Describe the use of transmitters & receivers, including cell phones, within the center.
18. Describe how any violations detected will be recorded and reported back to the customer base.
Check out TIA-942. It defines the different classes of datacenters and their required security precautions. It includes several of the items on your list.
http://www.adc.com/Library/Literature/102264AE.pdf
The RFI could probably target questions based on the level of security the issuer actually needs. It could also condense a lengthy list of questions down to verified compliance with a certain level.
Jeff - in order to answer these questions, you need to get fairly intimate with a company's environment, landing rules, security and overall IT procedures. This could be best handled with a private conversation. Would love to review your template. Give me a call; would love to continue this conversation.
Cheers,
Jeff Carlson