Jul 17, 2015

What is the gold standard for data center physical security?

When evaluating the physical security measures at data centers, what compliance standard(s) should they be expected to implement and meet (ISO, SAE, etc.)?

"The following checklist* summarizes best practices for data center security.

Include security and compliance objectives as part of the data center design and ensure the security team is involved from day one. Security controls should be developed for each modular component of the data center—servers, storage, data and network—united by a common policy environment.
Ensure that approach taken will not limit availability and scalability of resources, as these are prime reasons for investing in a next-generation data center.
Develop and enforce policies that are context, identity and application-aware for least complexity, and the most flexibility and scalability. Ensure that they can be applied consistently across physical, virtual and cloud environments. This, along with replacing physical trust zones with secure trust zones, will provide for seamless, secure user access to applications at all times, from whatever device is used to connect to resources in the data center.
Choose security technologies that are virtualization-aware or enabled, with security working at the network level rather than the server. Network security should be integrated at the hypervisor level to discover existing and new virtual machines and to follow those devices as they are moved or scaled up so that policy can be dynamically applied and enforced.
Monitor everything continuously at the network level for the ability to look at all assets, physical and virtual, that reside on the LAN, even those that are offline, and all inter-connections between them. This monitoring should be done on a continuous basis and should be capable of monitoring dynamic network fabrics. Monitor for missing patches or application or configuration changes that can introduce vulnerabilities that can be exploited.
Look for integrated families of products with centralized management that are integrated with or aware of the network infrastructure, or common monitoring capabilities for unified management of risk, policy controls and network security. This will also provide detailed reports across all controls that provide the audit trail necessary for risk management, governance and compliance objectives. Integrated families of products need not necessarily be procured from just one vendor. Look for those that leverage the needed capabilities of a strong ecosystem of partnerships to provide a consolidated solution across all data center assets.
Consider future as well as current needs and objectives at the design stage, such as whether access is required to public cloud environments.
Define policies and profiles that can be segmented and monitored in multi-tenant environments. Consider security technologies that provide secure gateway connections to public cloud resources."
Answer this