Datacenter surveillance systems are critical for detecting and preventing unauthorized access to sensitive areas. These systems typically involve security alarms, cameras, and sensors at all entry and exit points. Monitoring these systems and following up on any alerts is key to keeping the datacenter secure.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26, which you can download at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The CCM provides a comprehensive set of security controls specifically designed for cloud computing environments. For more background, check out the CSA's overview of the CCM at https://cloudsecurityalliance.org/research/cloud-controls-matrix/.

Who should care?

• Datacenter security managers responsible for physical security
• IT managers overseeing datacenter infrastructure and operations
• Compliance officers ensuring adherence to security standards
• Business leaders concerned about risks to critical IT assets

What is the risk?

Without proper surveillance, unauthorized individuals could gain physical access to servers, storage, networking gear and other sensitive hardware. This could enable them to steal data, install malware, disrupt operations, or cause other damage. Robust monitoring can deter intruders, provide early warning of breach attempts, and help identify/track perpetrators.

The likelihood and impact of unauthorized access depends on factors like the value of assets housed, the datacenter's location and surroundings, and existing security measures. But in general, the potential consequences of a physical breach - data theft, sabotage, reputational harm, etc. - can be severe.

What's the care factor?

For any organization running its own datacenter, surveillance should be a top priority. The risks are simply too high to neglect this control. Even with other physical security measures in place, monitoring is essential for maintaining real-time awareness.

Some businesses may feel their datacenter is low-profile enough to avoid being targeted. But relying on "security through obscurity" is dangerous. It's safer to implement strong surveillance by default.

When is it relevant?

Surveillance systems are advisable for:

• Datacenters housing high-value assets like financial data, IP, etc.
• Facilities in higher-crime areas or isolated locations
• Organizations subject to strict security regulations
• Companies that have experienced prior physical security incidents

They may be less critical for:

• Unstaffed, "lights-out" datacenters with few on-site personnel
• Facilities that only house low-sensitivity data/systems
• Well-secured sites with extensive physical access controls already

However, some degree of surveillance is still usually prudent.

What are the tradeoffs?

Robust datacenter surveillance isn't free or easy. It requires:

• Budget to purchase, deploy and maintain cameras, alarms, sensors, etc.
• Staff time to monitor video feeds and respond to any incidents
• Reinforced infrastructure to mount and power surveillance gear
• Bandwidth and storage to transmit and archive high-res video

Over-surveillance can also feel invasive to employees and visitors. It's important to set clear policies on things like camera placement, access to footage, retention periods, etc. to respect privacy. Consultation with legal is wise.

How to make it happen?

1. Evaluate the datacenter perimeter, access points, and floor plan
2. Identify high-priority areas to monitor (entrances, server rooms, etc.)
3. Select appropriate cameras, alarms and sensors:
   • Cameras: Enough resolution to capture faces, license plates, etc.
   • Alarms: Reliable sensors for doors, windows, motion, glass-break
   • Tamper-proofing so intruders can't disable
4. Procure and install equipment:
   • Place cameras to avoid blind spots; ensure adequate coverage
   • Connect to central monitoring and recording systems
   • Integrate alarms for instant notification if triggered
5. Set up monitoring:
   • Designate a 24/7 security team to watch camera feeds
   • Implement video analytics to highlight anomalies
   • Establish clear procedures for responding to alarms/incidents
6. Test all systems and train personnel
7. Maintain equipment and have spares ready to swap

What are some gotchas?

• Cameras and sensors require continual power, even if datacenter is down
  • Need backup generators, batteries, etc. to avoid outages
• Systems must have enough storage to retain data for required period
  • May need multi-tier (disk/tape) and off-site archival
• Surveillance data contains sensitive personal information
  • Access must be tightly restricted; might need encryption
  • Consult legal on compliance with data privacy regulations
• Running new cabling and placing cameras may be disruptive
  • Budget time for installation; plan to minimize impact on ops

Required permissions:

• Full access to security systems and monitoring tools
• Ability to view camera feeds and recordings
• Authority to dispatch incident responders
  See: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-100.pdf

Alternatives to consider

• Mobile patrols: Security staff doing randomized rounds to check perimeters
• Advanced access controls: Multi-factor authentication, mantraps, etc.
• Intrusion detection systems analyzing network traffic for threats

However, these usually complement rather than fully replace surveillance.

Explore further

• NIST's guide to datacenter physical security: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-100.pdf
• Related CIS Controls:
  • CIS Control 14 - Security Awareness and Skills Training
  • CIS Control 15 - Service Provider Management

?