The Physical Security Side of Regulatory Compliance
When we think of compliance with data privacy rules and regulations – PCI DSS, HIPAA, FISMA, etc. – what generally comes to mind is the need to secure data networks against unauthorized access. However, data privacy directives invariably address physical security as well as network security, and treat the protection of physical assets as being as important as protecting the data stored or processed on those assets. PCI DSS Requirements 9 and 9.1; HIPAA Title II, Physical Safeguards; and FISMA (FIPS 200 Section 3) all explicitly require limiting physical access to the hardware systems that contain cardholder data, health records or classified information, respectively.
With the biometric system providing a single, indisputable audit trail from the front door to every cabinet door, ScaleMatrix and its customers can demonstrate to compliance auditors that physical access to hardware containing sensitive data is completely limited to authorized personnel, and that should a breach occur, the audit trail will show conclusively which individuals accessed any cabinet in question, and at what time. “By delivering a precise audit trail all the way to the rack level, with one package to control it all, we know who’s coming, who’s going, exactly when, at every access point,” Ortenzi says. “The compliance advantage is always recognized immediately by compliance officers and personnel whose jobs make them sensitive to the importance of regulatory issues.”
Because the system is IP-networked, ScaleMatrix is able to extend access and audit trail reporting to customer security personnel, wherever they are located. “Any customer who wants to know who has been in his cabinet can pull up a report immediately on any timeframe,” Ortenzi says. “Most data center operators would prefer not to be in the business of producing access reports, and we’re not – we put it right in the customer’s hands.”
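The per-cabinet, per-timeframe report described above, as an added example that is not the page's or ScaleMatrix's own code: it runs over constructed access events, and the per-cabinet authorization list and the rule that a cabinet access should be preceded by a front-door entry within 12 hours are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample access-control events (not real data): timestamp, person,
# access point, outcome. "front-door" is the facility entrance; cabinets are racks.
EVENTS = [
    ("2024-03-04T08:55:00", "alice", "front-door", "granted"),
    ("2024-03-04T09:02:00", "alice", "cabinet-17", "granted"),
    ("2024-03-04T09:40:00", "bob",   "front-door", "granted"),
    ("2024-03-04T09:45:00", "bob",   "cabinet-17", "denied"),
    ("2024-03-04T13:10:00", "carol", "cabinet-17", "granted"),  # no front-door entry
    ("2024-03-05T10:00:00", "alice", "cabinet-22", "granted"),
]

# Hypothetical customer-supplied list of who is approved for each cabinet.
AUTHORIZED = {"cabinet-17": {"alice"}, "cabinet-22": {"alice", "bob"}}

def parse(events):
    """Convert ISO-8601 timestamp strings into datetime objects."""
    return [(datetime.fromisoformat(ts), who, where, result)
            for ts, who, where, result in events]

def cabinet_report(events, cabinet, start, end, authorized=AUTHORIZED, hours=12):
    """Return (entries, findings) for one cabinet within [start, end).

    entries: every granted or denied attempt at that cabinet, for the auditor.
    findings: granted access by someone not on the customer's list, and any
    cabinet access with no granted front-door entry in the preceding `hours`.
    """
    recs = parse(events)
    start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    window = [r for r in recs if r[2] == cabinet and start <= r[0] < end]
    findings = []
    for ts, who, _, result in window:
        if result == "granted" and who not in authorized.get(cabinet, set()):
            findings.append(f"{ts.isoformat()} {who} granted at {cabinet} but not authorized")
        # The audit trail runs from the front door to the cabinet; a cabinet
        # access with no matching entrance record is a gap worth investigating.
        entered = any(r[1] == who and r[2] == "front-door" and r[3] == "granted"
                      and ts - timedelta(hours=hours) <= r[0] <= ts for r in recs)
        if not entered:
            findings.append(f"{ts.isoformat()} {who} at {cabinet} with no front-door entry in prior {hours}h")
    entries = [(ts.isoformat(), who, result) for ts, who, _, result in window]
    return entries, findings
```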
To ScaleMatrix, that’s what security at the co-location and cloud facility is all about. “It’s one thing for a customer to be told that the facility has top-notch security,” Ortenzi says. “Real security comes from knowing firsthand what’s going on — by having meaningful, real-time visibility themselves into a facility that’s separate from their company. That’s security in the old ‘peace of mind’ sense.”