Results 1 to 38 of 38
  1. #1
    Join Date
    Jun 2004
    Location
    Milwaukee
    Posts
    43

    Looking for secured co-location . . .

    I'm looking for recommendations for a co-location environment where the vendor provides all bandwidth management but where I can secure physical access to equipment. Specifically I need to make sure not even the vendor can access the equipment.

    Thanks in advance.

    John

  2. #2
    Join Date
    Apr 2004
    Posts
    173
    Locked cabinet might be your own option but I'm almost certain every DC you go to will also have a set of keys for your cabinet. Perhaps you can bring to light why you can't even trust the provider you colo and get bandwidth from with the key to your cabinet/rack?

  3. #3
    Join Date
    Jun 2004
    Location
    Milwaukee
    Posts
    43
    That's what I'm finding, no co-location provider will allow a secured cabinet where they do not have access.

    Many new policies being proposed within the credit card industry such as IPN 1.2, Cisp 3.4, as well as new proposed GSA standards will soon require:

    Physical access to equipment will require a background, certification & security check of all personel with access to said equipment which store government data or credit card information.

    After some lengthy discussions at a meeting today, I indicated that few co-location facilities would be able to meet these possible new requirements as their employees would have physical access to the equipment and few would be certified to the level being proposed.

    I'm just fishing to see if anyone currently does offer a co-location service where the provider wouldn't have access to equipment.

    I'm trying to win an argument before Friday's meeting.

  4. #4
    Join Date
    Jun 2003
    Location
    San Francisco
    Posts
    623
    I was wondering about that too.

    Then, will "vendor" be considered "authorized"?

  5. #5
    Join Date
    Apr 2004
    Posts
    173
    Interesting concerns. How much space do you need? Perhaps you can bring this requirement to a large facility like Equinix and work something out. Since I've heard that banks and financial institutions are going that route so that should fit your criteria as well.

  6. #6
    Join Date
    Jan 2005
    Location
    Los Angeles
    Posts
    14

    same issues

    We have the same issues in providing offsite, outsourced data protection and DR. HIPPA/SarbOx/NASd compliance Mandate such safeguards.

    The simple answer is to take a Cage space in a carrier-neutral facility (ours is in OneWilshire). The building has keys to your cage, but not the locked cabinets you provide within the cage. Some cabinet manufactures have very secure enclosures (heavy steel-key & code locks) that comply with these requirements.

    Hope this helps.

  7. #7
    My bet is you'll find very few companies that do this for good reason:

    What if your machines catch fire, are they supposed to spray water around your enclosure until it melts? I would think any facility would want to be able to get in there with a fire extinguisher or with whatever extinguishing agent they use for sure emergencies. Although that does bring up an interesting quandry. Your best bet would probably be to host your own facilities on site. I mean if your dealing with financial transactions on a large scale surely you can spare enough money to outfit a small datacenter.
    Matt Mills
    Ceteranet Network Systems - www.ceteranet.com
    [email protected]

  8. #8
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    I'm curious: Outside of the requirement you just mentioned, what else does the datacenter need to provide for you to be compliant?

  9. #9
    Join Date
    Nov 2002
    Posts
    2,780
    Agreed with fortyfive. If you're going to be doing financial stuff, you should have the cash to shell out to run your own DC.

    Are banks really going Equinix nowadays? I would have thought most of them have their own Datacenter and private fiber.

  10. #10
    Join Date
    Apr 2003
    Location
    San Jose, CA.
    Posts
    1,622
    Equinix can provide the nicest secured locking cabinets I've seen.

    Friction powered electronic combination locks. Secure cabinets where you can't just bypass the lock by popping the pins on the doors... and many other security features.

    I've used them (those specific cabinets and Equnix in general) when doing a secure buildout for Akamai in the past. And, they were very quick about changing the existing layout of the cage with relay racks to the secured cabinet design we needed.

  11. #11
    Join Date
    Apr 2004
    Posts
    173
    Seems BOA is in Equinix Secaucus from googling but I can't confirm it myself

  12. #12
    Join Date
    Feb 2005
    Posts
    334
    Generally eqix has access to the kinetic lock cabs they supply. You may be able to work something out with them though. Though its easy to say "if you are doing x you should be running your own datacenter" that may not be feasible. You might want to look around for a private facility that will accomodate you.

  13. #13
    Join Date
    Apr 2002
    Location
    North Kansas City, MO
    Posts
    2,565
    I don't think this is really uncommon. We have customers that supply thier own racks and don't give us the keys. We don't have a problem with it and I don't see why other providers would either. Look for a smaller colo facility. Most should be able to accomodate you.

    Aaron
    Aaron Wendel
    Wholesale Internet, Inc. - http://www.wholesaleinternet.net
    Kansas City Internet eXchange - http://www.kcix.net

  14. #14
    Join Date
    Aug 2004
    Location
    New Jersey
    Posts
    11
    John,

    I didn't see anyewhere in this post how much space, how many cabinets you'd need not the location. If the space requirement is large enough there are several colocation providers who can sell you a cage and allow you to put in your own high security cabinets.
    Scott McDonald
    Colocation Director
    Tyco Telecommunications
    Data Centers in most major cities: NY, CA, Japan, London, Germany, Portugal and others globally.

  15. #15
    I really cannot imagine a DC not having access to the areas inside it's facilities. You *COULD* Put your own cabinet in a cage, and lock it with something strong, we see this here a fair amount. Just make sure the cabinets are meshed. It's a safety thing, not a means of nabbing info. I would suggest that if you need that kind of security, you not look at DC/CoLo.

    JA

  16. #16
    Yes, f0urtyfive is correct. Only there are only few datacenters let you to have own cabinet and with your own lock due to servral issues.

    I know some of the banks hosting at psineteurope.com . I don't have the full details now. I will talk to one our client and you know how they do.

    Thank You
    David.k
    WebHostingChat Where you Discuss & Chat about webhosting.
    DatacenterTalk DataCenterTalk.com (DCT) is a leading resources site for the Data Center community.

  17. #17
    Join Date
    Jan 2004
    Location
    Chicago
    Posts
    984
    These new VISA requirements are harsh, just sat in on a meeting about merchants having to comply with the new terms within a couple months, first instance of non-compliance for the departments I was talking with would mean a $50,000 fine, and it goes up from there... This was for fairly small time processing too.

    I just find it hard to believe a DC couldn't at least give a written guarentee they'd only access the cage in an emergency or with written notification, or something along those lines that could comply with the requirements.

  18. #18
    Join Date
    Jul 2003
    Posts
    468
    Couldn't they just access the fiber / copper they are providing you and take whatever they want to steal? Sounds like a lame requirement, but I can't see why a private cage with your own sealed/locked cabinets wouldn't fit the bill.
    bye

  19. #19
    Originally posted by amps
    Couldn't they just access the fiber / copper they are providing you and take whatever they want to steal? Sounds like a lame requirement, but I can't see why a private cage with your own sealed/locked cabinets wouldn't fit the bill.
    Most vital information concerning finances and other highly sensitive related materials that are transmitted over the Internet are generally encrypted now a days to prevent people from easily deciphering data by snooping on your line. (i.e. You use a SSH connection to admin your linux server)
    Last edited by Snipz; 05-05-2005 at 06:23 AM.

  20. #20
    Join Date
    Apr 2004
    Location
    Los Angeles, CA
    Posts
    166

  21. #21
    Join Date
    Jul 2003
    Posts
    468
    Originally posted by Snipz
    Most vital information concerning finances and other highly sensitive related materials that are transmitted over the Internet are generally encrypted now a days to prevent people from easily deciphering data by snooping on your line. (i.e. You use a SSH connection to admin your linux server)
    Common sense, understood. However the same goes for the information on the server... how is physically touching the server goign to make it easier to decrypt data?
    bye

  22. #22
    Some of the CISP / PCI regs have some room for interpretation I think. I know of several banks in Equinix for example & there's no way Equinix don't have access to their cages.
    Equinix do have an audit trail of every cage access, there would be evidence of an access with no corresponding SmartHands ticket, and physical access to your machines should be useless anyway. I know our would have to be shutdown, booted from CD (to bypass root), and even then CC numbers are encrypted as required my the regs.

    Incidentally the regs still say site to site encryption shall be by hardware device requiring two keys held by different officers of the company in order to manage keys/bypass encryption. - I spent a large chunk of 1998 removing these boxes from a very big name bank and replacing them with 3DES on Cisco routers.

    PCI I know is new, but the auditors have still have to allow reality to mitigate the strict letter of the law. Otherwise operating any of this stuff from colo is impossible.

  23. #23
    Join Date
    Jun 2003
    Location
    San Francisco
    Posts
    623
    I have some questions about the terms:

    "Cardholder data" - If I don't store the complete card number, would name/address information still considered cardholder data? The information is not enough to link a person to a credit card number.

    "Physical access" - What does that mean? Do I have physical access if I can touch the server with my finger? What if the server's front is locked so there is no way to take the storage out unless you take the server from the rack and then use a hammer?

    Also, what does the requirement mean to dedicated server users?

  24. #24
    Originally posted by amps
    Common sense, understood. However the same goes for the information on the server... how is physically touching the server goign to make it easier to decrypt data?
    Ah, I see what you mean but I think physically losing control of your box is a greater loss than having someone snooping the connection lines. By loss I don't mean the value of the server itself but the value of the data on it.

    This is just my humble opinion so please don't take it as I'm right and you're wrong but I think if you lose physical control of you're server you might as well consider it compromised, more so than having data lines snooped. Isn't it more likely a crook is bound to get more information from the hard drives on a server than snooping a data line?

    I think that is the reasoning for some of these new higher security measures.

  25. #25
    Join Date
    Jun 2003
    Posts
    71
    You might have better luck with carrier neutral Carrier Hotels like us. Most of us have web hosting/collocation tenants who could directly provide you with varying degrees of secured cage space and managed bandwidth. Alternatively, most of us have some direct buillding collocation space at or near our Meet Me Rooms where you would be free to get managed or unmanaged bandwidth from any of our tenants. As real estate operators, we are accostomed to tenants with varying security requirements. For example, we have a U.S. Post Office in one of our facilitiies. By federal law and contract, we have no access rights. We would have no problem affording the same treatment to a cage.

    Bob

  26. #26
    Join Date
    Jul 2001
    Location
    Canada
    Posts
    1,284
    Originally posted by riverpast
    "Cardholder data" - If I don't store the complete card number, would name/address information still considered cardholder data? The information is not enough to link a person to a credit card number.

    "Physical access" - What does that mean? Do I have physical access if I can touch the server with my finger? What if the server's front is locked so there is no way to take the storage out unless you take the server from the rack and then use a hammer?

    Also, what does the requirement mean to dedicated server users?
    Cardholder data generally refers to any account information that pertains to the card holder. This includes their card number, any PIN or authorization/authenticathion numbers, name, address, telephone, email and such.

    Yes, physical access means you can reach the machine physically to gain access to it's contents - be that by stealing the hard drives or by accessing it via console.

    Most of those server "door" locks are the simplest things in the world to open. Like filing cabinets and office desks (and car door/trunk/ignition) there are a fixed number of internal tumbler assemblies and they repeat every 10,000 or so.

    The implications for dedicated servers are rather interesting. As the providers will have to meet the same requirements, it would seem logical that the staff in the datacenters would likely be equally certified (if not possibly more so) than many of their customers.

    Then again there is always someplace like ServerVault
    "Obsolesence is just a lack of imagination."

  27. #27
    Join Date
    Jun 2003
    Location
    San Francisco
    Posts
    623
    Cardholder data generally refers to any account information that pertains to the card holder. This includes their card number, any PIN or authorization/authenticathion numbers, name, address, telephone, email and such.
    So, if the information does not contain the full credit card number, the customer information cannot be considered "cardholder data"?

  28. #28
    Join Date
    Jul 2001
    Location
    Canada
    Posts
    1,284
    So, if the information does not contain the full credit card number, the customer information cannot be considered "cardholder data"?
    I didn't say that. I said

    Cardholder data generally refers to any account information that pertains to the card holder. This includes their card number, any PIN or authorization/authentication numbers, name, address, telephone, email and such.
    It's pretty obvious that customer information such as their name, address etc is cardholder data.
    "Obsolesence is just a lack of imagination."

  29. #29
    Join Date
    Jun 2003
    Location
    San Francisco
    Posts
    623
    Hmmm...what if you have customer info (name, address, phone) without charging their credit card?

  30. #30
    Join Date
    Aug 2002
    Location
    Atlanta, GA
    Posts
    1,114
    Interesting, we just signed a long term colocation client that is a very large financial / credit card banking company. We are one of six colocation hosts they are using. We had very in-depth meetings over the last two months and brought up this subject. Their attorneys stated that this "guideline" is not only impractical it is fundamentally unenforceable.

    Additionally. we just opened new colocation space in Las Vegas. I'd estimate that at least 10% of the clients in the data center are banking or financial services clients. I can assure you that the data center has keys to every cage and rack.

    You would also have to ask how data centers could offer "managed services" without having access to the servers.
    SiteSouth
    Atlanta, GA and Las Vegas, NV. Colocation

  31. #31
    Join Date
    Jun 2003
    Location
    San Francisco
    Posts
    623
    I have found visa's FAQ for CISP (visa's own security standard). It says the account number is necessary for card holder data.

    However, if you don't store account number, CISP (and probably PCI) still applies to the "environment" where the credit card transaction occurs.

  32. #32
    Hi mgphoto,

    Good to hear that you are hosting financial service company. What is the secure solution you have offered for them?.

    Thanks
    David.K
    WebHostingChat Where you Discuss & Chat about webhosting.
    DatacenterTalk DataCenterTalk.com (DCT) is a leading resources site for the Data Center community.

  33. #33
    Join Date
    Aug 2002
    Location
    Atlanta, GA
    Posts
    1,114
    Pretty simple just a small cage for 4 locking racks. They are taking care of their own network security except spam/virus. We are also providing remote hands for them. We do have keys to the cage and the racks.

    In terms of this thread, I've been in most of the major data centers in NY, Atlanta and LA and other than government leased racks I don't know of one data center that would not have a key to the racks. Most of these data centers have a number of banking / finance and credit card business and I can assure you they have rack access. I was at Inflow the other day and saw Inflow techs working in a rack leased by a bank. Since they are offering managed services for the bank how could the not have access to the racks?

    As I said earlier, worrying about this "guideline" is a waste of time.
    SiteSouth
    Atlanta, GA and Las Vegas, NV. Colocation

  34. #34
    Join Date
    May 2005
    Location
    Minnesota
    Posts
    1
    I can give you all the answers to your questions in regards to the security of GLB audits and others.

    I work for US Internet Corp and we have been through many of these audits. You can contact me at [email protected].

    I will let you know how we can meet your needs but if we can not at least you have more information of what can an can not be provided.

    Hope this helps.

  35. #35
    Join Date
    Jun 2003
    Location
    San Francisco
    Posts
    623
    I can give you all the answers to your questions in regards to the security of GLB audits and others.
    Why don't you provide the information here then?

  36. #36
    Join Date
    Jun 2002
    Location
    PA, USA
    Posts
    5,137
    Originally posted by wsuff
    Seems BOA is in Equinix Secaucus from googling but I can't confirm it myself
    Yes, they are ... at least 3000 sq feet cage, not far away from our cage
    Fluid Hosting, LLC - HSphere Shared and Reseller hosting - Now with HIGH AVAILABILITY
    Fluid VPS - Linux and Windows Virtuozzo VPS - Enterprise VPS with up to 2 GB guaranteed memory!
    Get your N+1 High Availability Enterprise Cloud
    Equinix Secaucus NY2 (NYC Metro)

  37. #37
    Join Date
    Feb 2003
    Location
    San Jose, California
    Posts
    410

    Savvis

    Let's not forget that Savvis colos several of the top 100 financial institutions/banks, brokerage houses, wall street, and GSA systems for the government. They are also SAS-70 compliant and have some very stringent security controls in their IDC's. I know for a fact they have locked vaults are "hands off" to everyone- including their own NOC. It's my understanding that if you want Savvis staff working in your secured vault, you must execute waivers and allow such access explicitly..

    If you are too paranoid to trust your equipment to a place this this, there is no hope for you.

  38. #38
    Join Date
    Jun 2004
    Location
    Milwaukee
    Posts
    43
    I want to thank you all for constructive comments on this subject. I also want to personally thank all the private offers of co-location space although this was not the purpose of this thread nor do I need the space. It did cause some loss of credibility for my arguments J.

    I would like to recommend the community review:

    http://64.233.187.104/search?q=cache...1.0+visa&hl=en

    and

    http://thomas.loc.gov/cgi-bin/bdquery/z?d109.00768:

    A good read, especially when the current lobbyists are recommending in S 768 to apply IPN 1.0 requirements. I agree to the need of enhancing online security, however this will dramatically restrict shared & reseller hosting environments for any website collecting name, address or any financial information not just websites processing credit cards.

    Thanks again

    John
    Last edited by jjungling; 05-10-2005 at 12:39 AM.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •