Data Centers Can Use SSAE 16, PCI, Cybertrust Standards to Validate Physical Security

September 23rd, 2013 By: Industry Perspectives

Michelle Ziperstein is the Marketing Communications Specialist at Cervalis LLC, which provides data backup and disaster recovery solutions for mission-critical data.

Data centers protect their companies’ or clients’ operations by securing operating perimeters, controlling access to data and equipment, providing protection against environmental threats, and more.

Data centers hold a great deal of sensitive information, so it is important to know whether they provide effective and adequate safeguards against data theft and other potential problems. One way to find out is an assessment of their physical security.

There are three main certifications for assessing physical security: SSAE 16, PCI, and Verizon Cybertrust. Some data centers, like Cervalis’, continually maintain SSAE 16 and PCI compliance as well as Verizon Cybertrust certification.

Data centers can help companies comply with regulations. Let’s take a closer look into the three physical security certifications.

SSAE 16

SSAE 16 is the standard for attesting physical security issued by the American Institute of Certified Public Accountants’ Auditing Standards Board.

There are two types of SSAE 16 reports: Type I and Type II. The Type I report is rather basic; it is a relatively cursory report on the service provider’s internal controls and processes. For this report, management submits a written description of its controls and the auditor issues an opinion on whether the service provider has adequate controls to provide its services and handle emergencies. For a truly wide-ranging attestation, your company should schedule a Type II report, which not only assesses the provider’s controls but also tests them over a period of time. Most publicly traded companies, especially in highly regulated industries such as financial services and cloud computing, are all but required to pass an SSAE 16 Type II audit, since many companies are leery of partnering with businesses that lack the certification.

SSAE 16 has replaced SAS 70, the earlier standard. There are two main differences: the management of a company now has to provide the service auditor with a description of its system, and it must also provide a written assertion about that system.

Before a data center can become SSAE 16 compliant, it has to undergo an audit of its infrastructure, environmental safeguards, customer service, communications, user controls, insurance coverage, and management.

While SSAE 16 is a very wide-ranging report that examines companies in many different industries, it has a number of categories that apply specifically to data centers. SSAE 16 will determine whether the data center:

    • Has adequate backup power and data redundancy
    • Has adequate monitoring of environmental conditions, such as temperature
    • Is diligent at recording and reviewing alerts
    • Has proper monitoring and protection against fire and water
    • Has sufficient physical security solutions, such as biometric access controls, CCTV surveillance, guards, and man traps

PCI

Unlike SSAE 16 and its predecessor SAS 70, which were developed by an accounting organization, the PCI Security Standards Council was founded by the credit card companies, and its standards stress data security in particular when it comes to payment processing and to credit card and other financial information.

The PCI Security Standards Council website shows PCI standards as available to merchants, financial institutions, software and hardware companies, and finally professionals and services. The PCI Security Standards comprise the Data Security Standard, the PIN Transaction Security, and the Payment Application Data Security Standard.

The standards basically serve as various ways to assess and improve the security of payment card data. As of now, there are six control objectives:

    • Building and maintaining a secure data network, and having good security practices in place to prevent vulnerabilities and leaks
    • Protecting cardholder data by safeguarding data storage and using encryption while transmitting data
    • Maintaining a vulnerability management program by using and updating antivirus and anti-hacking programs, and using secure applications and hardware
    • Putting in place strong access control, such as limiting access to data to a need-to-know minimum, tracking system users with a unique identifier, and putting barriers in front of physical access to data
    • Regularly testing and monitoring by tracking all access to data and hardware and testing systems against vulnerabilities
    • Maintaining a policy for information security and making sure all personnel are aware of the policy and practicing it

Verizon Cybertrust Certification

Cybertrust was a digital security company that was bought by Verizon and has become the cornerstone of the service provider’s security certification offerings. Verizon offers a number of certifications and seals: Verizon Cybertrust Security Certified Enterprise, Perimeter, Application, Business and Site.

The perimeter security program from Verizon Cybertrust assesses parameters ranging from system and network vulnerability analysis to physical and policy evaluation. Six types of risks are covered under the program: downtime issues, electronic threats, human factors, malicious code, physical security, and privacy.

In addition to assessing the security status of a business, location or application, Verizon also offers cyber security services, such as access & identity management, threat assessment and security compliance.


Apple opens door to increased biometric security adoption

The high-profile biometric security features of Apple's iPhone 5s may have given the entire sector an unintended boost, especially when considering the fact that the Cupertino-based company has a demonstrated record of bringing new technology to the forefront of attention.

According to Mashable, the tech behemoth has recently been awarded a number of patents, one of which relates to a fingerprint scanner that could find a home in other Apple-branded products. And while the awarding of that patent seems logical enough, the company could find that it has inadvertently opened the door to mass biometric adoption.

Recent research released by IHS has shown that the market for biometric security-enabled devices will grow significantly in the coming years, with analysts predicting that 525 million smartphones will have embedded fingerprint scanners by 2017. Naturally, not all of those will be produced by Apple, and it is reasonable to assume that competitors such as Samsung will be looking to add their own technology into the mix.

High-profile endorsement

But what does this mean for the biometric sector as a whole? Granted, the endorsement of an industry leader like Apple is gratifying for advocates of the technology, but it is worth remembering that fingerprint sensors in handsets and mobile devices have been around since 2000. According to the authors of the IHS report, the key factor now is to make sure that consumers don't see biometrics as just another cool application on a popular smartphone.

"Fingerprint scanning for security, authentication and other purposes has always been a conceptually attractive solution in smartphones," said Marwan Boustany, senior analyst, MEMS and Sensors, for IHS, in a press release, adding, "the increasing awareness of security and the high value of data in handsets – combined with the convenience of solutions and the 'me-too' effect among OEMs – will serve to promote the usage of fingerprint sensors in handsets, along with other biometric technologies."

It is the adoption of this so-called "me-too" effect that may be the most significant, especially in terms of access control. Biometrics is quickly gaining acceptance as a secure means of authentication in a variety of industry sectors, and it provides an indisputable audit trail that is expected to replace a long-standing reliance on physical identity cards by organizations that rely heavily on user and data security.

For lovers of Apple, biometrics may just be a convenient way to access their smartphone. However, there is little doubt that a high-profile endorsement can provide the biometric industry with the means to push forward, a win-win scenario that Steve Jobs would have strongly approved of.


Data security breaches often unreported, notes industry report

More than 50 percent of data breaches are never reported by the companies or enterprises that experience them, according to a recently released report. 

Researchers who conducted a survey of security analysts concluded that breaches may be actually more widespread than previously thought, with 57 percent of respondents revealing that they had uncovered vulnerabilities that were either not reported or, more often than not, were deemed not important enough to fix.

According to ZDNet.com, Opinion Matters interviewed 200 professionals in October. The authors of the report noted that 66 percent of analysts working with enterprises of 500 or more employees were more likely to keep data breaches to themselves, with the consensus being that protecting the reputation of the brand was a driving factor. The survey also showed that 67 percent of senior security decision makers see the frequency of potential attacks as an ongoing problem, while 58 percent cited the ineffectiveness of current cyber security solutions as a cause for concern.

Security compliance is one of the major issues facing IT today, and the physical aspect of a potential breach is often overshadowed by the more high-profile cyber version. Data has become a valuable commodity in a number of industry sectors, and with the most common form of identification used for access control within an enterprise or organization still being an ID card, there is a demonstrated need for businesses to look at next-generation systems to reduce the risk of a data breach.

Mitigating data breach risks

In fact, a reliance on tried-and-tested methods can lead to identity theft, with a recent study showing that 25 percent of people who had either their ID or credit cards stolen became victims of this form of fraud. According to Reuters, retailers remain the prime target for those with malicious intent, although the financial and health care sectors are increasingly being seen as a fertile environment for obtaining data of value.

"Identifying and protecting the sensitive information typically stored by these industries is essential for mitigating the risk of a data breach and, therefore, the risk of financial loss to data custodians, consumers and third-party businesses," said Al Pascual, Senior Analyst of Security, Risk and Fraud at Javelin Strategy & Research, and lead author of the report. 

With that in mind, the report recommends that enterprises carry out ongoing risk assessments of their current data center security mechanisms and identify exactly where that information could be at risk. At the same time, IT departments should make sure that non-technical staff are fully aware that handling sensitive information requires adherence to internal security policies, thereby limiting the potential for breaches.


UK banks to take part in data security war games

In terms of an industry sector that is constantly conscious of its access control responsibilities, it is probably fair to say that banks and financial institutions are more than aware that they hold a treasure trove of information. With identity theft an increasingly common concern for consumers, data security has become paramount.

With that in mind, a series of UK-based war games initiated by financial regulators and government officials will take place, with a number of leading institutions taking part in a one-day bombardment of their security systems. According to The Independent, the exercise – dubbed "Waking Shark II" – will force staff members to respond to a number of attacks that are geared towards accessing banking credentials and physical hardware such as ATM machines.

While this is not the first time that the financial sector has engaged in these simulations – Wall Street carried out a similar exercise known as "Quantum Dawn" – they are being seen as an opportunity to test vital aspects of security compliance, with the acquisition of data being the primary focus.

"These kinds of exercises provide a good opportunity to put people and organizations through their paces, much like the army does when practicing maneuvers," said David Emm, a researcher at Kaspersky Lab, according to the news source. "They can never be a substitute for a real-life attack. But they can however force people to think about the situation they are faced with and what they would do in that very moment."

Physical options

The results of these tests are expected to be released in 2014, but some security consultants are concerned that the operation may only be targeted towards online threats. There is always a danger of a coordinated physical attack, according to The Register, with USB sticks and hardware keyloggers reportedly just the tip of the iceberg.

"There's a great concentration on hackers disrupting access to computers but they aren't testing physical security," said professor David Stupples, head of center for cybersecurity sciences at City University, London, in an interview with the news source. "DDoS is old hat and never going to cause that much of a problem. By contrast, losing customer details through smart malware has an enormous damage potential."

However, the timing of the UK-based exercise could be perfect. According to Network World, a recent report from Trend Micro has shown that the stealing of banking credentials is at its highest level since 2002, with the United States seeing 23 percent of 200,000 new infections discovered between July and September. Accessing financial information may be one of the oldest forms of hacking, but its popularity among the virtual underworld remains undiminished.


IT Asset Protection and the Malicious Insider

It continues to puzzle me.

Survey after survey, like the Gabriel Survey in the fall of 2011 or the Intel Survey in September of that same year, has concluded that insiders are responsible for the vast majority of malicious attacks in the data center. While a great deal of attention has been placed on cyber security, most data centers continue to rely on outdated, ill-conceived methods of physical security. This leaves the investment in IT infrastructure, and the data it manages, as vulnerable as it has ever been.

The IT community seems to be practicing what I call “the ostrich theory of management”. That is, we put our heads in the sand and hope the issue has gone away by the time we pull them out. Meanwhile, malicious insiders continue to be responsible for the majority of physical attacks on data centers, resulting in damaged or stolen IT assets and significant downtime. Once IT infrastructure is damaged or stolen by insiders, the actual cost of the hardware pales in comparison to the cost of downtime and the damage to brand and reputation.

Most physical security schemes fail to recognize the insider threat. As insider threats rise, so does the data center’s vulnerability. The only way to lower the vulnerability related to insider activity is to secure the core along with the perimeter, and any initiative to secure the core begins at the server cabinet level. All access to server rack cabinets within the data center must be managed and recorded. An indisputable audit trail of all cabinet-level activity dramatically reduces the vulnerability to insider attacks and damage, and this type of audit trail can only be achieved through biometrics.

Biometric access control at the cabinet level can protect IT infrastructure and dramatically reduce the data center’s vulnerability to insider attacks, keeping downtime to a minimum and data secure.


New Partnership Results in Advanced RFID Card Access Solution

For years now, we have been designing and building what we consider to be the world’s best biometrics-based access control systems for organizations worldwide. Our clients continue to turn to us to provide the ultimate secure environment for their critical technology systems.

Recently, it became clear that we could combine the best of our leading-edge access control and monitoring systems with more traditional RFID card access solutions. Such a solution would help clients meet their immediate security needs today while providing a path to a potential future implementation of a full biometrics-based system.

We are happy to announce a new partnership with Southco, a worldwide leader in providing access solutions for a wide variety of markets. Together we have worked to integrate the H3-EM Electronic Locking Swinghandle into the Digitus db Bus cabinet-level access control product. This new addition to the db Bus product line enables our customers with legacy card access control systems to immediately secure server cabinets in the data center with a compatible product from Digitus. The same solution gives those customers the option to migrate to a more secure biometric solution in the future.

The response to this new solution has been overwhelmingly positive. It allows our customers to quickly implement a superior solution using their current systems, with a clear upgrade path to a fingerprint-based access control system for their enterprise.
