Establishing remote data center assessment standards

COVID-19-Inspired Guidelines and Trial Run Tips

For the foreseeable future, the COVID-19 crisis has changed the very nature of on-site cybersecurity compliance assessments and testing. Leading the way, the Payment Card Industry Security Standards Council (PCI SSC) quickly recognized that its requirements for physical, on-site data center assessments needed rapid modification due to travel restrictions and health concerns. Though assessors may be temporarily prevented from testing on location, data center security is essential and must continue.

With this “new normal,” data center managers and assessors are advised to review PCI SSC’s COVID-19 remote assessments guidance. The Coalfire Payments Assurance team is following the PCI lead, and with recent client engagements, has been developing our own best-practice templates to ensure cybersecurity integrity through these exceptional circumstances. The situation is fluid, and new remote assurance protocols and expectations will certainly arise out of this public emergency.

Though every engagement will have custom requirements, here are some general observations and intel from our team on preparing for and conducting remote data center security reviews. These tips are general enough to apply to enterprise data centers in other segments as well such as retail, healthcare, call centers, and government:

• First, we begin developing a custom template that outlines procedures, artifacts to be assessed, and personnel. We meet with the client online, with screen sharing capabilities, to discuss project management, what video conferencing resources they have, and how to match the technologies between us.
• The client then assembles their equipment and we conduct a trial run. In real time, with client’s boots on the ground and our assessors observing on live streaming video, everyone makes sure they have the capabilities to narrate and listen with voice communications or chat.
• After the trial run, it’s time to execute the live assessment. It’s important to have a dual monitor set-up so the assessor can follow the template and take notes on one screen, with the video on the other, and be able to paste and edit those typed notes into the report later.
• Speaking directly with the client over a cell phone or voice streaming application works best, but is not always possible. Ensuring that all individuals on the call are muted, except for the person speaking, is beneficial. Lots of background noise and echo loops are common in server rooms and elsewhere.
• Noise-cancelling earphones can help with sound control, and allow the client to work hands-free. Data centers aren’t always mobility-friendly, especially when carrying or rolling around with bulky equipment.
• For the video work, it’s important to address stabilization / mobility mechanisms. In my most recent assessment, the client used a laptop on a wheeled utility cart to navigate around the data center, and was able to tilt the webcam as needed (holding up a camera or tablet can be tiring and awkward for extended periods).
• Best-case scenario is for the client to have a secure, employees-only wireless connection in the data center. In any case, be prepared for video streaming lags, and don’t hesitate to ask the client to slow down or repeat something that isn’t clear.
• If audio isn’t practical or permitted, specific evidence requests can be videoed separately, photographed, recorded, and discussed in a phone call. Additional photos or screen captures of data center physical controls, configurations, log ins, access control lists, badges, etc., can be shared as well.
• Separate phone conferences, with shared photos and videos, can be scheduled with additional data center personnel and department heads.

You might spend less time traveling, but be aware that remote assessments will take longer than doing them on-site. First, there’s more time needed for planning and trial runs, and the templates require more detail. Also, I recommend allowing two hours for a remote data center assessment to actually take place versus what may have normally taken well under an hour to walk through on-site.

Due to COVID-19, there may be fewer resources available at the data center, and you may not get to see everything needed. Some video footage could get cut short, and you may not have real-time access to visitor logs, or badge access data. Watch for and ask about physical access control mechanisms (lock and key, badge readers, biometric scanners, etc.) in the facility itself, and relevant spaces such as side rooms, cages, and cabinets. Visitor check-in processes may be different between data centers, as well as where reception and security guards are situated. Look at placement of video surveillance cameras at all ingress / egress points, and any on-site processes to monitor the camera feeds. Ensure the client is aware of any evidence you were not able to see remotely, keep an accurate list along the way, and make the appropriate follow-up requests.

The assumption has always been that data center security assessments are done in person. Thanks to well-planned trial runs, strong templates to follow, and making the effort for good visual, textual and voice communications, our most recent remote assessments have resulted in effective compliance reports, and have worked out well for our Coalfire teams and clients.

Virtual assessments probably never will, nor should, completely replace on-site physical testing. However, given today’s surprises and changing situations, proving out remote assessment best practices makes sense now and in the future.