What are meet-me rooms?
A meet-me room (MMR) is the area in a co-located data centre where communications service providers (CSPs) like telecoms companies physically connect one another’s data servers and exchange traffic. This happens each time mobile phone operators transfer calls/messages between different networks, for example.
Data centre operators should strictly limit access to an MMR. You may decide not to allow customers access to view security arrangements. It’s important however that MMR security details and assurances are provided by data centres during tendering under an NDA.
Remember:
This guidance also applies to points of presence (PoP) and internet exchange points.
8 key considerations
Given the higher level of risks that MMRs introduce, here are 8 key considerations to discuss with your data centre customer:
- Access control - Are CSPs, their contractors and data centre operator contractors escorted? Are passes worn and authorised access lists kept and reconciled with permit-to-work logs? How is work conducted within the MMR verified to ensure it matches any work-orders?
- Screening processes - The criteria you use for approving or rejecting MMR access.
- Intrusion detection, including CCTV - Are these monitored live by you or is responsibility that of the tenants themselves?
- Entry and exit searches - Are items such as mobile phones and other personal electronic devices prohibited or subject to a movement management policy? Are staff searched on entry and exit? Is equipment taken into the MMR consistent with the stated purpose of their entry?
- Types of rack - What assurances can providers give you regarding the security of racks they use?
- Rack locking - How do you ensure that racks are always locked? Are the racks regularly inspected? Can you demonstrate effective key control?
- Anonymisation - Are racks sufficiently anonymised to prevent those with hostile intent from being able to identify where data is sent?
- Asset destruction - Is there a secure asset destruction process? Is it regularly audited to complement the searches conducted on exit? Does it help to reduce numerous risks including accidental loss, espionage, insider attack and theft?